By Troy Gill, AppRiver
In the past month, reports surfaced concerning a successful data breach that affected at least three health diagnostics companies: Quest Diagnostics, LabCorp and BioReference Laboratories Inc. It is estimated that more than 20 million patient names, dates of birth, addresses, phone numbers, credit cards and banking information were potentially exposed.
The extensive breach was believed to have taken place when a billing collection provider – an outside contractor to which the blood testing companies routinely sent customers’ billing information and personal data – was hacked. Not only was the breach serious enough in scale to warrant news headlines, it also raises new questions regarding data access and management in the healthcare industry.
This breach-through-billing-contractor scenario is particularly intriguing in that while the healthcare industry is one of the most highly regulated in terms of consumer privacy and data protection, contractors who have access to the same confidential data may not be held to the same standards. It also shines a light on the growing pains of the healthcare industry, which has been rapidly adopting new technology and data capabilities but is showing a lapse in the security knowledge and systems needed to handle the technology it now possesses.
What is also fascinating is that the industry appears not entirely in the dark about its own lack of cyber preparedness. According to the AppRiver Cyberthreat Index for Business, which surveyed over 2,000 small-to-midsize business (SMB) leaders and IT decision makers in the first half of 2019, including those in the healthcare industry, more than half of the sector reported feeling overmatched by cybercriminals and unprepared for potential attacks.
Here are some key (and alarming) findings:
Cybercriminals target the healthcare sector because they know it is a goldmine for personal data and payment (read: banking and credit card) information. However, some could be looking to do more harm. The healthcare industry also holds health data; it dispenses medicine and prescribes medical treatments, for instance. This makes the risk potentially more than a privacy issue: it is a health-related security time bomb.
A significant number of data breaches occurring these days can be directly attributed to a third-party vendor or contractor, as this type of relationship inadvertently creates an entry point for cybercriminals. No sector, including healthcare, has been immune. And while all organizations have a responsibility to protect Personally Identifiable Information, the healthcare industry will always be subject to higher expectations because of the sensitivity of the data healthcare professionals are tasked with protecting. Knowing this, more stringent policies and reliable systems are urgently needed when evaluating relationships with, and granting access to, third-party vendors and contractors.
Consider this as the start of a third-party security due diligence “laundry list”:
With the right guardrails in place, healthcare organizations can go a long way toward protecting their patients and the reputation of their business. At the rate that today’s cyberthreat landscape is evolving, they simply can’t afford to wait any longer.