As healthcare entities integrate, merge and digitally transform; organizations should consider the potential impact of third-party cyber risk on billing, healthcare operations, and patient care. Third-party risk can originate from business associates and increasingly clinical/ambulatory entities that can provide a pathway for hackers to impermissibly access critical EHR and other systems provided by the health system or payer at large. The data, applications, cloud services, medical devices, clinical capabilities, and BI systems provided by third parties that are critical to the organization must be understood to develop comprehensive risk management, incident response, contingency, and continuity plans. It is important to protect the privacy, confidentially and integrity of these critical processes.
An examination of trends from 2021 indicates that:
Business associate breaches have risen in frequency and involved far more records per breach than other healthcare entity types.
Business associate-related breaches accounted for nearly 13% of total breaches, but almost one-quarter of the total individual records.
Hacking Breaches reported in by clinics/outpatient facilities (131) exceeded the number reported by hospitals (80).
Breaches impacting healthcare included third parties that provide payroll and billing-related services.
There are a number of takeaways from this data. Healthcare entities should perform a comprehensive risk analysis of third parties that present the highest likelihood of impact to the organization and they should maintain an accurate inventory of all third party systems, applications cloud services, integrations, network and data flows to determine the sufficiency of security and privacy controls. Healthcare organizations must understand the potential impact of third-party breaches and security incidents as part of a comprehensive business impact assessment and they should define clear incident response and business/clinical contingency plans to ensure the continuity of billing, clinical, payor, and healthcare operations. Cybersecurity best practices should be embedded in all phases of the third-party relationship lifecycle: pre-procurement through termination of the relationship. They should understand the software bill of materials provided by medical device and software vendors to mitigate threats presented by third-party use of open source technologies (i.e. Log4j). Third parties should also be included in disaster recovery tabletop exercises. The organization's workforce must be educated to ensure that third-party cyber security is part of the culture and decision-making process.
Additionally, a periodic review should be performed for sources of threat intelligence and a plan should be developed to monitor your vendor’s ability to manage the security of your data and processes. Outside services that can provide cybersecurity monitoring of third parties and periodic review of independent audits of third-party service providers should be considered.
These issues shouldn't be taken lightly as the threats are very real. Here are a few recent examples:
A recent cyberattack on Planned Parenthood’s Los Angeles branch exposed the personal information of about 400,000 patients. Between Oct. 9 and Oct. 17, a hacker infiltrated the reproductive health care center’s network and stole files including patient information like names and insurance details along with clinical information including diagnoses and procedures undergone by the patients.
On January 1, 2022, Broward Health, which operates dozens of health care facilities in Broward County, Florida, notified over 1.3 million individuals that a threat actor gained access to and removed data from its system on October 15, 2021. The data exfiltrated and compromised included individuals’ names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial, insurance, and medical information. According to the notification letter, “the intrusion occurred through the office of a third-party medical provider who is permitted access to the system to provide healthcare services.”
The health information management services provider CIOX Health has suffered a data breach that has affected at least 32 healthcare providers. In July 2021
UKG Hack Disrupts Scheduling and Payroll for Thousands of Employers. The attack, discovered on Dec. 11, has affected 2,000 organizations that use the software, including enterprise companies, hospitals, government agencies, universities, and emergency services like fire and police departments.
Cybersecurity should be taken seriously and resources should be dedicated to ensuring your organization is protected against third-party threats. Our Cybersecurity team specializes in healthcare security and can assess the risk for your organization and assist you in developing a go-forward plan. Contact our team today to learn how we can help you protect your organization from third-party threats.
