Between August 2018 and March 2019, the American Medical Collections Agency (AMCA) experienced an advanced persistent threat. The data breach impacted electronic health records (EHR) for approximately 12 million Quest Diagnostics’ patient and approximately 7.7 million LabCorp patients, leading to AMCA’s Chapter 11 bankruptcy filing in June 2019. The AMCA data breach highlights the potential business risks that healthcare organizations, including practitioners and labs, face arising from business associate cybersecurity risk.
Advanced persistent threats (APTs) are prolonged and targeted attacks where malicious actors gain access to a network for an extended period of time. Most APT attackers seek to obtain as much personally identifiable information as possible before being noticed so that they can collect and sell the information on the Dark Web.
Although APT attacks occur in a variety of ways, they tend to focus on social engineering methods such as phishing, spear phishing, and whaling.
APT attacks increase the cost of the data breach because the extended time they spend stealing information increases the number of records stolen. The 2018 Ponemon Cost of a Data Breach noted that the mean time to identify a breach was 197 days, the mean time to contain was 69 days, and companies that contained a breach in less than 30 days saved over $1 million dollars compared to those who took longer than 30 days.
The information makes sense when looking at the AMCA data breach. The longer the malicious actors have access to the information, the more information they can obtain, meaning they have more information to sell.
Additionally, these data breaches take longer to uncover since they often run quietly in the background.
Protected health information (PHI) is defined as any information about a person’s healthcare that can be linked to the individual. Often, PHI incorporates information such aspatient social security number, name, birth date, and address.
The Health Insurance Portability and Accessibility Act (HIPAA) defines a business associate as a person or entity performing functions or activities that involve the use or disclosure of protected health information (PHI) or electronic PHI (ePHI). Some typical business associate functions include:
In this case, healthcare providers contracted with AMCA to collect outstanding patient payments. Another example of a business associate would be the CPA who does the provider’s taxes and may have access to patient payment information while reviewing revenue.
In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded HIPAA’s application to business associates which created a dual risk. Not only are they responsible to healthcare providers, they must also prove their own HIPAA compliance.
As healthcare organizations, even sole practitioners, increasingly incorporate more Software-as-a-Service (SaaS) applications, they increase the number of business associates interacting with their systems, networks, and data which increase the potential risk.
For example, HITECH specifically included health information organizations, e-prescribing gateways, and subcontractors working on behalf of business associates as additional business associate category.
By expanding the definition of business associate, HITECH created upstream and downstream risks. In short, covered entities may be assessed penalties for business associates or sued by patients for breaches arising from business associates.
To mitigate business associate risk, you should start with the contract language. The contract between you and your business associate is what defines your responsibilities to one another. As such, you should clearly define the security controls you expect your business associate to set. These controls should match your own risk tolerance and be aligned with your security stance.
Through HITECH, you are liable for ensuring that your business associates comply with the contractual cybersecurity obligations. Unfortunately, monitoring third-party security using annual questionnaires no longer provides assurance over your business associate’s cybersecurity posture. You need to continuously monitor and document your activities to prove governance.
Healthcare organizations of all sizes struggle to appropriately monitor their business associates. While you can control your own security, you often lack visibility into your vendors’ day-to-day operations. As such, you should incorporate cyber liability to help limit the impact a business associate’s data breach has on your own business. An appropriate cyber liability policy should, at minimum, cover costs associated with data breach notification, ongoing credit rating and identity monitoring for your patients, lawsuits arising from the business associate’s data breach, and business interruption.
At Zeguro, we understand that protecting your practice from business associate data breaches can be overwhelming and expensive. This is why we created a holistic approach to help you strengthen your cybersecurity program. Starting with a security-first approach to cybersecurity, we help you identify risks, create policies, and monitor control effectiveness. We also provide the documentation necessary to meet increasingly strict industry standard and regulatory compliance requirements. As part of our Cybersecurity-as-a-Service (CSaaS), we also direct you towards a cyber insurance policy that fits your needs. To get early access to our end-to-end cyber safety platform and find out first-hand what CSaaS is all about, sign up for early access here.