Most healthcare providers know that phishing, ransomware, social engineering, and malware are risks to patient data, but what they don’t know is that a majority of these threats begin with third-party vendor vulnerabilities. Your staff might be trained in recognizing cyber-attacks, but your third-party vendors likely don’t have the same level of training and cybersecurity infrastructure.
Recent research in 2022 showed that 90% of data breaches targeting healthcare organizations were caused by third-party vendors¹. The numbers are much the same as 2021, which means that healthcare providers should be much more vigilant with onboarding, continuously monitoring, and offboarding third-party vendors.
Data Breaches in 2022 Affected Millions of Patients
Healthcare organizations often store enormous amounts of patient data that can earn cyber-criminals millions of dollars after a sophisticated breach. For each Protected Health Information (PHI) record, cyber-criminals can bank $1,000². A few thousand patient records could wind up being a seven-figure payout for attackers. The price per record is up 400% from 2017, when a report indicated that each PHI record was worth $250³.
Millions of records were either stolen or damaged in 2022, and the trend continues as cyber-criminals discover that third-party vendors are far easier to compromise than the healthcare systems they ultimately target. Several insurance companies were targeted last year, with phishing and ransomware being the most prominent threats.
The hardest hit was a data breach targeting OneTouchPoint and affecting over 4 million patients⁴. OneTouchPoint is a third-party vendor and provider of mailing and printing services. Over 30 different large healthcare organizations use OneTouchPoint. In April 2022, OneTouchPoint found encrypted files on its servers, which signaled that they had been the victim of ransomware. The data breach had a domino effect and affected OneTouchPoint’s subcontractors as well.
Although the type of ransomware wasn’t specified in the OneTouchPoint data breach, many sophisticated ransomware attacks include blackmail attempts to pressure healthcare companies into paying the ransom⁵. In such an attack, the ransomware operator copies PHI records before encrypting them and threatens to publish them on the internet if the victim does not pay. The leverage is that disclosure of patient records could ruin the brand’s reputation and damage revenue, so the victim is pressured to pay.
The second largest data breach technically happened in 2021, but it made headlines due to HIPAA violations and a class action lawsuit stemming from the failure to properly report the data breach⁶. Eye Care Leaders (ECL) is a third-party vendor offering practice management solutions. ECL suffered a ransomware attack and failed to notify its healthcare customers, mainly ophthalmology providers. The ransomware affected over 3 million patients and has led to several lawsuits over violations of HIPAA’s requirement that providers notify affected parties within a reasonable time.
These are just a few examples of the widespread data breaches from 2022 that affected healthcare organizations⁷. Several others were victims of cyber-criminal attacks and left patient data open to theft and sale on darknet markets.
Vendor Onboarding and Monitoring Are Essential for Your Patient Security
Onboarding a new vendor is a collaborative effort between your IT team and the people responsible for corporate data. HIPAA requires that you follow the “least privilege” principle, which says that vendors (and employees for that matter) should only have access to data necessary to perform their job functions. Any vendor leaving the organization should then have their access revoked during the offboarding process.
Tangential to this process is a phenomenon called permission aggregation. Permission aggregation happens when vendors or employees change job functions within the same organization and are granted additional permissions, while the old permissions their new job function no longer needs are left in place. Over time this gives a single user extensive privileges and makes their account a high-value target for spear-phishing.
Monitoring data requests is also essential to HIPAA compliance. Every access request, whether granted or denied, should be logged. These logs are indispensable during incident response after a breach and speed up recovery efforts. They help investigators identify the extent of a breach so that the proper people can be notified in a timely manner.
Access requests and changes to data should also be monitored and recorded in audit reports. Audit reports provide evidence during incident response and help detect insider threats arising from PHI misuse. Not every vendor-based data breach is the result of an insider threat, but audits show whether PHI is being mishandled and whether a specific vendor needs further training in HIPAA-appropriate data access.
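As an added example (not code from the original article), the following Python audit applies the least-privilege, permission-aggregation and offboarding checks described above to constructed vendor accounts; the role names, permission strings and vendor accounts are all hypothetical.

```python
# Least-privilege audit for vendor accounts (added example, not the article's code).
# Assumes roles map to needed permissions and each account records its current role,
# status and the permissions it actually holds. All names and data are constructed.
from dataclasses import dataclass, field

# Hypothetical role -> permissions that role needs (the least-privilege baseline).
ROLE_PERMISSIONS = {
    "print-mailing": {"phi:read:mailing-address"},
    "billing": {"phi:read:billing", "phi:write:billing"},
    "ehr-integration": {"phi:read:clinical", "phi:write:clinical"},
}

@dataclass
class VendorAccount:
    vendor: str
    role: str
    status: str                        # "active" or "offboarded"
    permissions: set = field(default_factory=set)

def audit_account(acct):
    """Return (finding, details) tuples for one account; an empty list means compliant."""
    if acct.status == "offboarded":
        # Offboarding must revoke everything; any leftover access is a finding.
        return [("offboarding-incomplete", sorted(acct.permissions))] if acct.permissions else []
    required = ROLE_PERMISSIONS.get(acct.role)
    if required is None:
        return [("unknown-role", [acct.role])]
    # Permission aggregation: rights kept from an earlier role that the current one does not need.
    aggregated = acct.permissions - required
    return [("permission-aggregation", sorted(aggregated))] if aggregated else []

def audit_all(accounts):
    """Map vendor name -> findings, omitting compliant accounts."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.vendor] = findings
    return report

# Constructed sample: mailvendor moved from billing to print-mailing but kept its billing rights.
SAMPLE_ACCOUNTS = [
    VendorAccount("mailvendor", "print-mailing", "active",
                  {"phi:read:mailing-address", "phi:read:billing", "phi:write:billing"}),
    VendorAccount("billvendor", "billing", "active", {"phi:read:billing", "phi:write:billing"}),
    VendorAccount("oldvendor", "ehr-integration", "offboarded", {"phi:read:clinical"}),
]

if __name__ == "__main__":
    for vendor, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(vendor, findings)
```

Running it lists only the two non-compliant accounts, which is the short list a reviewer would follow up on during a periodic access review.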
How Threat Intelligence Can Help
Every day, new threats are introduced into the wild. Zero-day threats are built to evade existing cybersecurity infrastructure, and they often succeed. New phishing strategies can bypass your latest training efforts and trick employees, even those with a background in security. Threat intelligence researchers hunt for these new developments and provide insights, analysis, and help to organizations so that they stay ahead of attackers.
Most healthcare organizations have security people on staff, but threat intelligence is often overlooked as an effective mitigation strategy. Threat intelligence is sophisticated monitoring that scans and analyzes the darker areas of the web for signals that indicate changes in the way cyber-criminals target organizations. Researchers analyze darknet markets, hacking forums, social media, cybersecurity feeds, and other common threat-producing areas of the internet, where machine learning algorithms can detect relevant content and alert on potential activity.
Not only does threat intelligence help organizations track changes in the cybersecurity landscape, but it can also be a critical component of vendor vetting and onboarding. Threat intelligence can identify whether a vendor has past cyber-incidents, scan its IP addresses for vulnerabilities, and help ensure that vendors adhere to HIPAA-compliant best practices. It’s a beneficial component for any healthcare organization responsible for protecting PHI and concerned with the integrity of its data protection measures.
If you’re looking for better vendor management practices, Access Point can help manage your third-party risks and incorporate threat intelligence into your strategies. Based on foundational industry standards and security frameworks, our third-party risk management strategies are proven to decrease cyber-risk and keep healthcare providers better informed about their vendor choices. Our weekly CyberWatch briefings can keep you ahead of vendor cybersecurity issues and reduce the cost of a potential breach by an average of $237,355⁸.
To find out more about how we can help reduce risks in your supply chain, meet with a subject matter expert today.
Sources
1. https://www.scmagazine.com/feature/breach/most-of-the-10-largest-healthcare-data-breaches-in-2022-are-tied-to-vendors
2. https://www.fiercehealthcare.com/hospitals/industry-voices-forget-credit-card-numbers-medical-records-are-hottest-items-dark-web
3. https://trustwave.azureedge.net/media/15350/2018-trustwave-global-security-report-prt.pdf?rnd=131992184400000000
4. https://1touchpoint.com/
5. https://www.nbcnews.com/tech/security/hackers-post-detailed-patient-medical-records-two-hospitals-dark-web-n1256887
6. https://www.classaction.org/news/ecl-group-hit-with-breach-of-contract-class-action-in-wake-of-2021-ransomware-attacks
7. https://www.scmagazine.com/feature/breach/most-of-the-10-largest-healthcare-data-breaches-in-2022-are-tied-to-vendors
8. https://www.ibm.com/reports/data-breach