Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.
As healthcare organizations more commonly tap third-party vendors to handle business functions, cybersecurity experts warn they’re creating opportunities for hackers. Data breaches of vendors, which fall under the business associate category on the Health and Human Services Department’s Office for Civil Rights breach portal, have grown in number and scale over the past five years.
Through November, there have been 116 reported breaches involving business associates that affected 17.7 million patients. These accounted for 17.5% of healthcare breaches but 36.1% of patients whose data were exposed so far this year. Only 40 breaches hit business associates, involving 5.9 million patients’ data, during the same period in 2018.
Hackers view the data vendors possess as a “treasure trove,” said Jeff Krull, a partner who leads the cybersecurity practice at the consulting firm Baker Tilly.
Instead of breaching one organization’s data, criminals can obtain data from multiple providers and health plans that includes patient names, addresses, Social Security numbers, and treatment and prescription information. The cyberattack on printing and mailing service OneTouchPoint, detected in April, involved more than three dozen providers and insurers, including Humana, Kaiser Permanente and several Blue Cross and Blue Shield companies, and affected more than 4 million patients—making it the biggest healthcare attack reported this year.
“If a threat actor can identify that a vendor’s working with 10 or 12 hospital systems and healthcare plans, that’s going to make them a very high-value target,” said Alexander Urbelis, a senior counsel at the law firm Crowell & Moring who specializes in identifying cybersecurity threats.
Why now?
Health systems are increasingly using vendors to achieve financial, operational and clinical efficiencies, especially amid the workforce shortage, said John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association.
“They just may not have the human resources or the human capital internally to affect certain business processes,” Riggi said. Large health systems may rely on thousands of vendors for administrative services, including payroll and electronic health records, and for software that runs medical devices such as X-ray machines and radiology equipment.
Stressed supply chains and financial issues at hospitals, exacerbated by the COVID-19 pandemic, are driving them to sign contracts with vendors. “You might be looking to outsource something you did in-house before to save some money,” Krull said.
These broader circumstances make it more difficult for healthcare organizations to invest in stronger security measures, Krull added. “It really creates this perfect storm,” he said.
While healthcare companies are strategically looking to contractors to improve business operations and clinical services, other vendor relationships are falling into their laps as health systems expand. “If there is a merger or acquisition, you’re taking on not only that entity, but also all their relationships,” Riggi said.
Yet health systems may opt to hire vendors to carry out tasks such as patient testing even when they are aware the contractor lacks strong cybersecurity measures if they conclude patient outcomes outweigh the risks, Krull said.
Attacks involving insurers happen less frequently than those on providers. Because they don’t have patients walking in and out of their doors, insurers can operate more as self-contained businesses and tightly control who has access to information, Krull said.
Bolstering cybersecurity
Cyber risks are now top of mind for many health systems’ executives, Riggi said. Experts stress there’s more to be done as threat actors become more sophisticated.
“Vendor oversight has become a really big thing in the past five years, in that before, health systems and health plans weren’t conducting appropriate due diligence on these [vendors], or maybe no due diligence at all,” said Doriann Cain, a partner at law firm Faegre Drinker who works with healthcare clients on cybersecurity practices.
In addition to avoiding the hefty financial cost of data breaches, improving cybersecurity is important for patient care and brand reputation.
Last December, payroll provider Ultimate Kronos Group revealed it fell victim to a ransomware attack, which caused a stir among the many health systems that relied on it for employee scheduling. The disruption caused a cascading effect that delayed care at numerous hospitals during the COVID-19 omicron surge, Riggi said.
Tightening cybersecurity and properly vetting vendors helps providers improve patient health outcomes, Riggi said. “This is about protecting patients. If you divert an ambulance or you delay cancer treatment, those effects potentially cause physical harm,” he said.
Reputational damage following a cyberattack typically tends to hurt the healthcare organization, not the vendor. But it’s not always easy to change contractors.
“Some of those vendors almost have a monopoly in terms of the services they’re providing, so you see healthcare providers not stuck with them, but maybe not always able to utilize another vendor who may be performing these services that they expect and want to see,” Cain said.
Health system and health insurance company leaders must assess a vendor’s cybersecurity controls before trusting it with patient data. Cataloging third-party relationships across a health system is the first step they should take, Riggi said.
Healthcare companies considering vendors should investigate several key factors to determine whether their would-be partners can protect patient data, such as requesting information about their cybersecurity measures, ensuring the vendors’ security controls are certified by third parties, and insisting contractors undergo security audits such as System and Organization Controls 2 (SOC 2), the experts Modern Healthcare interviewed said.
Tim Broderick contributed to this story.