Blogs Home
Monday, March 25, 2019 12:00 PM

Three Impacts of a Third-Party Security Breach

Written by Guy McAllister, Director, Privacy & Security - iatricSystems

SecureRamp Blog Post Header March 2019

All hospitals know that they need to have some form of security plan in place to protect patients and their information. The problem is that the changing requirements and increase in breaches means that this plan has to always be evolving. Hospitals likely have goals for what they would like to change in the future to make sure they are adapting to the ever-changing threat landscape.

One area that could often be overlooked is around managing third party access. If you don't have a solid plan for securing all remote access to your network (this also includes employees) to make sure that it is secure and monitored, read on for some suggestions. 

There is growing frustration among consumers over many organizations lacking effective security measures. This applies not just to the healthcare industry, but any other industry that deals with consumer data.

Major breaches in the past from Target (2013), Yahoo (2014), Anthem (2015), Equifax (2017) and Facebook (2018) have left consumers (and patients) exposed and angry.

It's time for a wake-up call!

Greg Garcia, Executive Director for cybersecurity at the Healthcare and Public Health Sector Coordinating Council, says thought leaders in the healthcare sector need to issue a cybersecurity call to action that says:

"Wake up, we have work to do!"

What are the potential threats facing you and what do these threats really mean for your organization? One area where your organization could be particularly vulnerable is with third party vendors and your need to provide remote access to your network.

Your organization needs to be aware of these three important facts about third-party breaches.

1. Third Party Breaches Are Increasing

Healthcare IT News reported 43 major breaches and attacks in 2018. The causes were:

  • Ransomware attacks
  • Phishing attacks
  • Misconfigured servers
  • Remote access management failures

It's clear to see that the problem is not going away, in fact, it's getting worse because Healthcare continues to be a lucrative target.

Many of these attacks focus on two key areas: Phishing attacks and remote access attacks.

If your Security Strategy doesn't have a plan to address each of these, you could be leaving your organization open to a breach.

2. Third party breaches are costly

The American Journal of Managed Care reported in December 2018 that hospitals spend 64% more annually on advertising the two years after a breach is reported.

In addition, if a breach occurs, penalties can start in the thousands and rise to millions, depending on the severity of the breach.

And, when you are dealing with third parties, if they are accessing your PHI, according to the HIPAA Omnibus rule, your organization will be held liable, even if the breach occurred with your vendor.

3. Third party breaches are dangerous

ECRI Institute recently announced their annual "Top 10 Health Technology Hazards for 2019." The number one risk: hackers can exploit remote access to systems, disrupting healthcare operations.

The ECRI report said what we all know; once hackers gain access through these systems, they can move around the network, install ransomware, steal or encrypt data, or hijack computer resources for cryptocurrency mining.

The 2019 ECRI report points out the legitimacy and value of remote access. It also recognized the problem that "remote access systems can be exploited for illegitimate purposes."

We are all aware of bad outcomes from such exploitation, ransomware and other malware threats, stealing data or rendering data unusable.

How do we manage what we are mandated to provide? There is one answer that can help answer this question.

Half of senior healthcare executives surveyed by Marsh & McLennan Companies earlier this year said they had instituted multifactor authentication (MFA) to control remote access to private networks. Adding multifactor authentication to remote access management is a win for every organization.

While MFA won't stop all breach attempts, it's a start. You are definitely better off with it than without it. So, what else can you do? Where should you start if you don't have a plan in place to automate, manage, and secure remote access?

Here are some recommendations for how to address these concerns:

1. Training and Awareness - make the importance of privacy and security part of your culture at your organization

2. Investigate and implement technology solutions to detect anomalies

3. Enforce your culture

4. Remote access management must be part of your Security Strategic Plan

For an easy way to quickly assess your remote access gaps, you can take this Vulnerability Assessment.

If this information has your head spinning, please schedule a meeting with me to discuss how you can make securing remote access to your network a priority.