Reducing Healthcare Third-Party Risk
WHY THIS MATTERS
Cyberattack vectors are ever-changing (e.g. Maze ransomware double-extortion attacks during COVID-19), requiring us to reassess our privacy and security practices and the vetting process we use for third-party vendors, suppliers, and partners.
One third-party vendor can be the gateway into the networks of multiple companies, allowing data to be stolen from each of those entities.
Healthcare providers of all sizes are well-advised to conduct vendor risk management assessments and work with legal counsel on vendor agreements with current or substitute suppliers used during COVID-19.
Also, healthcare providers need to implement cybersecurity best practices. Any residual cyber risk may be transferred to a stand-alone cyber insurance policy that could make the difference in your financial survival.
The COVID-19 pandemic is having a profound impact on businesses of all types and sizes.
Cyberattacks on healthcare facilities are compounding the challenges they are facing during the virus outbreak.
OCR Guidance on Telehealth
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities,” Severino added.
On the other hand, US regulators will not likely forgive data collection violations.
Due diligence in assessing your current third-party providers, or in acquiring new vendors, will help diminish your potential legal liability, fines, and penalties over the longer term.
Maze Ransomware Double-Extortion Attacks
This relatively new attack vector has been coined “double-extortion” because what appears to be a classic ransomware attack becomes a data breach along with a threat to disclose stolen data if the ransom is not paid. First, your data is locked. Second, your data is stolen and published.
This year, the FBI issued a warning that hackers behind Maze ransomware have increased attacks on the private sector. Cybercriminals pose as legitimate security vendors or government agencies to encrypt and steal data.
Maze is one of several hacking groups that have begun extorting and publishing data, or holding on to sensitive data to publish later if organizations do not pay the ransom. If the attackers have protected health information (PHI), they could seek a substantial ransom payment from the health provider or their third-party vendor.
Reports indicate that these incidents not only cause service disruptions and increase the risk of PHI being exposed, but they also result in extortion attempts on the people connected to the stolen data – the patients.
Notably, PHI commands a higher value on the dark web than other record types. A healthcare record may be valued at up to $250 per account on the dark web, compared to $5.40 for the next highest value record (a payment card). The high value of this data makes the healthcare industry a desirable target for hackers.
COVID-19 Shutdown of the Supply Chain
According to IndustryWeek, the world’s supply chains are facing a root-to-branch shutdown, unlike any seen in modern peacetime.
Those businesses that remain open are shifting to remote work with decreased hours, including healthcare providers and their third-party vendors and suppliers.
Healthcare providers may find themselves with fewer suppliers and alternative third-party vendors while hackers are searching for weak links in the chain.
On the one hand, your suppliers are crucial to your business operations. On the other hand, they can expose your business to cyber risks.
The results of the Ponemon Institute’s third annual (2018) study Data Risk in the Third-Party Ecosystem indicate that 61% of US companies surveyed had experienced a data breach caused by their vendors or third parties (up 5% from 2017 and 12% from 2016). Dr. Larry Ponemon reported that companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.
Another recent Ponemon Institute report indicates that third-party data breaches cost more than in-house breaches, as much as $13 more per compromised record.
Third-Party Billing Collection Company Data Breach
In June 2019, Retrieval-Masters Creditors Bureau (RMCB), the parent company of the American Medical Collection Agency (AMCA), filed for Chapter 11 protection after an eight-month system hack breached the PHI of up to 20 million patients of medical testing giants LabCorp, Quest Diagnostics and BioReference, according to Bloomberg.
These three companies fell victim to a data breach at AMCA, a third-party billing collections firm based in New York that collected debts for medical labs and hospitals as well as other businesses. AMCA detected the breach after being notified that credit card numbers tied to its web portal revealed a high volume of fraudulent charges. The treasure trove of stolen data included PHI, laboratory test information, healthcare provider information, credit and debit card information, bank account information, and social security numbers.
Although AMCA was not directly impacted by the data breach, the follow-on consequences doomed the company: a severe drop-off in business, class-action litigation against the company, and high incident response costs. AMCA ultimately filed for Chapter 11 protection aimed at liquidating the business.
Notably, the three large companies, LabCorp, Quest Diagnostics, and BioReference, are all currently involved in data breach litigation as a result of AMCA (third-party risk) being the gateway into their respective networks.
This is not a scenario that any healthcare provider or testing facility wants to endure. At a minimum, cyber insurance, with the first-party and third-party coverages it provides, would play an essential role in addressing a complex third-party vendor scenario such as this one.
Tracking third-party relationships through vendor risk management is essential. Staying ahead of the risk requires planning for third-party detection and mitigation.
Best practices include maintaining a current third-party inventory or log, for example:
Vendor Access (Who, What, When, Where, How):
Does a third party handle or manage your:
- Billing and payment process?
- Client portal?
- Patient records and films?
- Medical devices?
- Physical security systems?
- HVAC systems?
- Internet access?
- Cloud storage services?
Sharing Patient Data (Who, What, When, Where, How):
Does your company share patient data with:
- Telemedicine providers?
- Marketing companies?
- Billing and payment processing companies?
- Law firms?
- Other medical professionals?
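As an added illustration (not part of the original article), the two checklists above can be kept as a machine-readable vendor inventory that flags which relationships need follow-up before the next assessment or contract renewal; the PHI_ACCESS grouping, the 12-month assessment interval, the field names and the sample vendors are assumptions constructed here.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Access categories follow the article's vendor checklist; which of them are
# treated as PHI-bearing is an assumption made for scoring purposes.
PHI_ACCESS = {"billing", "client_portal", "patient_records",
              "medical_devices", "cloud_storage"}

@dataclass
class Vendor:
    name: str                        # who
    access: frozenset                # what they handle (e.g. "hvac", "billing")
    shares_phi: bool                 # do we share patient data with them?
    last_assessment: Optional[date]  # date of the last cyber risk assessment
    insurance_confirmed: bool        # stand-alone cyber insurance verified in contract
    covid_substitute: bool = False   # replacement supplier onboarded during disruption

def touches_phi(v: Vendor) -> bool:
    """A vendor is PHI-exposed if we share patient data or it runs a PHI system."""
    return v.shares_phi or bool(v.access & PHI_ACCESS)

def vendor_findings(v: Vendor, today: date, max_age_days: int = 365) -> list:
    """Gaps the inventory should surface for follow-up with legal and security."""
    findings = []
    if v.last_assessment is None:
        findings.append("no cyber risk assessment on file")
    elif (today - v.last_assessment).days > max_age_days:
        findings.append("assessment older than %d days" % max_age_days)
    if touches_phi(v) and not v.insurance_confirmed:
        findings.append("PHI exposure without confirmed cyber insurance")
    if v.covid_substitute and v.last_assessment is None:
        findings.append("unvetted substitute supplier")
    return findings

def review_queue(vendors, today: date):
    """Vendors needing follow-up: PHI-exposed first, then by number of findings."""
    queue = [(v, vendor_findings(v, today)) for v in vendors]
    queue = [(v, f) for v, f in queue if f]
    queue.sort(key=lambda vf: (not touches_phi(vf[0]), -len(vf[1]), vf[0].name))
    return [(v.name, f) for v, f in queue]

# Constructed sample inventory (fictional vendors, not from the article)
TODAY = date(2020, 6, 1)
SAMPLE = [
    Vendor("BillingCo", frozenset({"billing"}), True, date(2019, 3, 1), False),
    Vendor("HVAC Services", frozenset({"hvac"}), False, date(2020, 1, 15), False),
    Vendor("Quick PPE Supply", frozenset(), False, None, False, covid_substitute=True),
    Vendor("CloudStore", frozenset({"cloud_storage"}), True, date(2020, 4, 1), True),
]
```

Running `review_queue(SAMPLE, TODAY)` lists BillingCo (stale assessment, uninsured PHI exposure) ahead of the unvetted substitute supplier, while the current, insured vendors drop out of the queue.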
Your third-party vendor may become a gateway into your system via a phishing email, a ransomware attack, or a data breach. Are you prepared to respond? You will be in a better position to respond with an Incident Response Plan (IRP), which is a critical aspect of your stand-alone cyber insurance coverage.
Here are some of the fundamental IRP steps.
Once you detect a potential breach:
- Put your Incident Response Plan into action (which will be pre-approved by your cyber insurance carrier), including notifying your:
  - Incident Response Team Manager
  - Cyber Insurance Carrier
  - Outside Legal Counsel
- Verify known facts, document them, and make a timeline in a log.
- Contain and Neutralize the Attack:
  - The goal is to stop the breach (at both ends) as quickly as possible with the help of the IRP.
  - The faster your response, the smaller the data breach loss.
According to the Ponemon Institute, it takes an average of 197 days for a company to identify a data breach—and another 69 days to contain it. Also, the average breach cost in 2019 was $3.14 million (with more than half of that amount assessed for business interruption).
Stand-alone Cyber Insurance
Your business can survive a cyberattack (directed at you or a third-party vendor) with the help of cyber insurance to protect your bottom line:
- If you suffer a data breach, your business will need to stop the breach, investigate, notify all those impacted, recover, or restore your data, and possibly face claims or lawsuits by injured parties.
- Surviving is difficult to do without an incident response plan/team to:
  - Stop a data breach or fend off a ransomware attack.
  - Investigate a data breach or ransomware attack to stop future cyberattacks.
  - Notify your clients, consumers, and employees (in compliance with various laws) after a cyberattack.
  - Assist you with recovering or restoring lost or stolen data.
  - Assist you with meeting your business continuity plan.
- If you suffer a ransomware attack, you can be compensated for the ransom payment (made with the prior written consent of the insurer) and for lost profits during the time business operations were disrupted or halted.
- If you are fined by regulators or credit card companies after a data breach, those fines are covered by cyber insurance (so long as allowed in the relevant jurisdiction under the particular facts of the matter).
Regularly updating your cybersecurity is step one. Requiring the same from your third-party service providers is step two. Obtaining robust stand-alone cyber insurance to transfer your residual cyber risk is step three.
- Ideally, third parties that access your network, touch your company, or touch your patient data should have their own robust stand-alone cyber insurance to respond first to a cyber incident.
- You are advised to confirm this when you conduct your cyber risk assessment of the supplier, and when you negotiate relevant contract provisions (working with your legal counsel on vendor agreements).
- In the wake of COVID-19 supply chain disruption, use your best efforts to ensure that alternative third-party vendors are cyber secure.
- Quick, unvetted substitutions of suppliers may jeopardize your data security. The cost is simply too high.
- If third-party vendors are not cyber secure, their healthcare clients are not cyber secure.
Contact Cyber Armada today to discuss your potential cyber exposures and financial losses. Contact us at 888.727.6232.
Watch for our next article on the important role that stand-alone cyber insurance plays in data privacy.