The Health Insurance Portability and Accountability Act (HIPAA) aims to protect health-related and personal information of individuals, including medical records, health insurance data, SSNs of patients, etc. These information is very valuable and profitable in the blackmarket of dark web. Every year the data theft or extortion through ransomwares become a very big problem for healthcare providers. Only last year, there were more than 40 major breach incident happened in healthcare industry.
Do 3rd party vendors pose a cyber risk?
When we examine 40+ breach incidents of 2017, we see that third party vendors are second most frequent reason behind a breach followed by phishing attacks. Health Insurance companies, medical-equipment suppliers, imaging centers, marketing companies, data-management companies, website and e-mail providers are all potential third parties that attackers can find a way through healthcare providers’ systems. Here are some breaches caused by third parties.
- A medical-equipment supplier, Airway Oxygen, was hacked and the attackers installed a ransomware by holding 500,000 clients’ information hostage.
- New Jersey Diamond Institute for Fertility and Menopause took the advantage of using a third-party server to store electronic health records. But this advantage turned into a nightmare when more than 14,000 patients’ sensitive information including names, addresses, birth dates, Social Security numbers, lab tests and sonograms were exposed after a cyber-attack to this server.
- iHealth Innovations, a third-party managing the record backups for healthcare providers, caused a breach of tens of thousands (possibly up to millions) of patient records at Bronx-Lebanon Hospital Center in New York City.
- An attack from a third-party vendor system used by Brand New Day (a Medicare-approved health plan) caused potential breach of 14,000 patients’ information including names, addresses, phone numbers, dates of birth and Medicare ID numbers of members.
- CoPilot, a commercialization support service, an unauthorized access to one of its databases used by both healthcare providers and patients caused a breach of 220,000 patient records.
- Mid-Michigan Physicians Imaging Center hack was potentially exposed more than 100,000 patient records.
- A misconfigured MongoDB database that contained data from over 200,000 patients and other sensitive information linked to Emory Brain Health Center was hijacked by hackers looking for ransom money.
- HealthNow Networks, a telemarketing company deliver medical supplies to home patients, kept holding patient records in 2017 even though it it’s no longer a registered business as of 2015. While the software developer, who was contracted to build a database for HealthNow, uploaded a backup database to the internet, nearly 1 million patient records became exposed.
What is HIPAA take on 3rd Party Vendors
Many healthcare providers and health plans (covered entities) know the consequences of not following guidelines set by HIPAA rules and they try to comply it as much as possible. However, some don’t know that their third parties (business associates, partners, subcontractors) should also meet HIPAA regulations. As an example, patients’ data is given to a research company (business associate) and the research company uses data-management firm for data storage (subcontractor). Both research company as business associate and data-management firm as subcontractor have to abide HIPAA rules.
HIPAA Omnibus Rule of January 2013 set some ground rules for such business associations as follows.
- Business associates of covered entities must comply with the applicable requirements of the rule (effective date was September 23, 2013)
- Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
- Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
- Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.
- A covered entity can disclose protected health information (PHI) to a business associate under a written contract with certain assurances to comply certain parts of the rule. Similar goes for subcontractor that business associate work with and have access to PHI data.
How a healthcare provider make sure that 3rd parties comply HIPAA rules?
Black Kite Cyber Risk Scorecard is a security rating tool that provides easy-to-understand risk scores for a company and its ecosystem formed by third parties. It also provides compliance report for many national and international standards including HIPAA rules. The only thing that a healthcare provider needs to do is to give domain names of third parties. Black Kite’s Cyber Risk Scorecard finds digital footprint of the companies all over the web and assess cyber risk and compliance in a non-intrusive method. Even prior to work with a third party, its HIPAA-compliance can easily be checked with Black Kite Cyber Risk Scorecard. Act now and learn your company and related third parties here.
Wouldn’t it be great to learn your cyber risk score in 60 seconds? It is possible with Black Kite Rapid Cyber Risk Scorecard. For more information, please visit the Black Kite Rapid Cyber Risk Scorecard page.