Third Parties a Major Culprit in Healthcare Breaches
Healthcare Breaches Cannot Be Ignored
There have been two notable healthcare breaches in the last month: Upstate New York healthcare provider Excellus Blue Cross Blue Shield recently reported that over 10 million patients’ records were breached, and Systema Software, a Larkspur, California-based third-party claims software provider, had 1.5 million customer claims records exposed on Amazon Web Services.
In both breaches, Social Security Numbers and other personally identifiable information were leaked. Exposure of patient and claims data may violate HIPAA and HITECH regulations and expose these companies to legal action.
Excellus is already facing a class-action lawsuit.
Data Left In the Open
The Systema Software data exposure is troubling because the data was found on Amazon Web Services by accident, according to Gizmodo. Technology enthusiast Chris Vickery discovered the company’s data on AWS and reported it to Systema and to the Texas state attorney general’s office (where he resides).
Systema Software has said publicly that the data dump had accidentally been left on AWS by a contractor.
In fairness to Amazon, the Systema data exposure may have more to do with how this contractor configured authentication for the claims data. Companies often use Amazon’s S3 service for data backups, but the level of security and authentication applied is entirely up to the customer. There are no further AWS specifics of the Systema Software event (such as whether this contractor left the data wide open), but it appears that the data was not difficult for Vickery to find.
Systema Software may be lucky that a well-intending person found this data and responsibly reported it. Other companies are not as lucky. The healthcare industry is spending $6 billion a year on data breaches at an average cost of $2.1 million, according to the Ponemon Institute. The legal and financial impact for all parties involved is real.
Did Anyone Else Access or Grab the Exposed Data?
There is, however, another problem for Systema Software: there are no logs of the data exposure, according to Vickery. The HIPAA Journal stated the following:
Vickery confirmed to HIPAA Journal that “another affected entity was informed, by Systema, that absolutely no logs existed for that Amazon bucket.” If no logs existed, then there is no way of telling how many individuals managed to download the data bucket before it was secured.
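The two points above (S3 authentication is entirely the customer’s responsibility, and a bucket with no logs cannot tell you who downloaded from it) can both be checked from a bucket’s own configuration. The following is an added example, not from the original post or from Systema or AWS: it audits constructed sample responses shaped like the JSON that `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-bucket-logging` return; the bucket name, owner ID and grants are hypothetical.

```python
# Constructed sample responses for a hypothetical bucket "claims-backups", shaped like the
# JSON returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-bucket-logging`.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id-placeholder"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::claims-backups/*"}]}
SAMPLE_LOGGING = {}  # get-bucket-logging returns no LoggingEnabled block when logging is off

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account holder
}

def acl_public_grants(acl):
    # Permissions the ACL hands to the world or to every AWS account holder.
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def policy_public_statements(policy):
    # Allow statements whose principal is anonymous ("*" or {"AWS": "*"}). Statements that
    # carry a Condition are still reported so a reviewer can confirm it narrows access.
    hits = []
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        if st.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            hits.append(st)
    return hits

def logging_enabled(logging_cfg):
    # Server access logging is on only if the response carries a LoggingEnabled block.
    return "LoggingEnabled" in logging_cfg

def audit_bucket(acl, policy, logging_cfg):
    # Collect findings; an empty list means nothing was flagged.
    findings = []
    for perm in acl_public_grants(acl):
        findings.append(f"ACL grants {perm} to a public group")
    for st in policy_public_statements(policy):
        findings.append(f"bucket policy allows {st.get('Action')} to an anonymous principal")
    if not logging_enabled(logging_cfg):
        findings.append("server access logging is off: downloads would leave no record")
    return findings

print(*audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_LOGGING), sep="\n")
```

Feeding the script real output from the three CLI calls turns it into a quick pre-engagement check on a vendor’s backup bucket; the third finding is exactly the gap that left Systema unable to say who had downloaded the data.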
Customers of Systema Software that have been reportedly affected by the data dump so far include: Millers Mutual Group, Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database. Millers Mutual Group, a regional property and commercial insurer, put out a statement about the data leak which admitted it had no idea that its customers’ claims data was stored offsite (in the cloud):
On September 23, 2015, we learned that some of your claim information, which had been stored on servers used by our claims software vendor (“vendor”), was accessed by an unauthorized individual. The vendor maintained this claims information off-site, without Millers’ knowledge or permission.
Without evidence of who accessed the data, and with no documented knowledge by the customer of its partner’s storage practices, all parties face the potential for legal action for failing to protect electronic health information. Our attention on Systema Software is not meant to shame, but rather to show how third-party vendors are affecting the patients and customers of their partners, which is a sign of a growing risk.
The Solution: Improve Vendor Due Diligence With A Risk-Based Approach
It does not appear that there was enough vendor due diligence, whether by risk assessment, by security questionnaire, or by a security audit process (either one-time or periodic), to understand how Systema was storing some of its claims data. It also appears the customer was not properly informed about the use of cloud backups or cloud services for its data.
To help limit the impact, organizations first need a strategy for evaluating the strength of a vendor’s risk management program. Companies can also face vendor compliance requirements head on, levelling the playing field with standards-based vendor management templates and questionnaires. However, being safe on paper with audits and a check-box compliance mindset will not be enough.
All of these methods will eventually fail at one thing: seeing risk as it changes. Paper-based methods are required by regulations, so they have to be completed, but they do not help organizations keep pace with the security risk of today’s attacks, especially those arriving via third parties. There are solutions that give companies independently validated security visibility into the risk posture of any company, continuously and instantly.
Understanding security risk requires in-depth knowledge of hacker behavior and tendencies, such as the targeting of individuals with corporate credentials via social engineering or targeting loopholes in software patching. As in the case of Systema, it also requires understanding how easy it is for anyone to search cloud-based repositories (like AWS, Google, or GitHub) for data that can be easily found and used to damage a company’s reputation or customer trust.
Tip for SecurityScorecard Customers: Type a website address into the platform to perform an instant security audit and retrieve detailed security-risk information, without intruding on a vendor’s systems.
Healthcare Industry Performing Poorly in Security Risk Management
While it is difficult to know whether there was any criminal activity around Systema Software’s data exposure, the company is an unfortunate example of the kind of risk a vendor may be on the hook for legally. The same can be said for the affected companies: they may have some liability.
A Ponemon Institute study released in May of this year found some very striking security risk data points on healthcare breaches. Healthcare organizations remain unsure if they have sufficient technologies and resources to prevent or detect unauthorized patient data access, loss or theft. In addition, the majority of them fail to perform a risk assessment for security incidents, despite the federal mandate to do so. Other key Ponemon findings:
- Criminal attacks in healthcare are up 125% in the last five years
- Almost 45% of data breaches in healthcare are from criminal activity
- 78% of healthcare organizations had malware attacks
- 40% of healthcare organizations are concerned about cyber attacks
Another study from earlier this year by Shared Assessments found the industry lagging in using key risk and performance indicators (for board reporting), in employing IT and security standards in contract language, and in having formal processes for incident tracking and response.
Law360 recently summed up the situation in a post that warns companies to brace themselves for HIPAA audits in 2016.
Health care companies are facing very real risks as they strive to comply with the HIPAA security, privacy and breach notification requirements. Today’s regulatory climate swelters with million-dollar settlements, disruption to the business, regulatory and class action litigation exposure and, most of all, loss of consumer confidence.
Given the regulations around the privacy of personal data under HIPAA and HITECH, the healthcare industry is struggling to keep pace with the very real security risks it faces. There are clear vendor risk management issues in play.