Third parties are critical to the function of every business sector and supply chain, and their role in healthcare is becoming more prominent as breaches increase. Breach reports filed under HIPAA show a steady rise in healthcare-related breaches since the end of 2019. Before delving into what HIPAA means for third parties, let’s review some recent attacks on healthcare.

Recent Attacks towards the Healthcare Supply Chain

Targeted attacks on the health sector have increased dramatically since the outbreak of COVID-19, as the heavier workload on healthcare employees has left many of them overwhelmed and more susceptible to social engineering. Threat actors preyed on healthcare workers with phishing campaigns as the initial vector in their attacks, and in several cases went on to deploy ransomware by exploiting known vulnerabilities in the IT systems of the healthcare supply chain. One example security researchers observed was a downloader campaign by the crime gang codenamed TA505 that used coronavirus-themed lures [1], [2]. Before targeting the U.S. healthcare, manufacturing and pharmaceutical supply chain during the pandemic, TA505 had previously targeted retail and finance. A separate set of intrusions was attributed to the state-sponsored threat group referred to as APT29.

APT29 has targeted medical labs in Canada, the U.S. and the U.K. According to the advisory from the U.K. National Cyber Security Centre (NCSC), the group targeted multiple labs carrying out COVID-19 vaccine research. Their initial-access techniques were as simple as scanning the organizations’ external IP addresses for known vulnerabilities and logging in with credentials stolen from those organizations.

The advisory published the IOCs and YARA rules associated with the campaigns, as well as the vulnerabilities the group exploited [3].

Although intellectual property was the top objective of the campaigns above, these groups also tend to steal bulk personal data, and their intrusions disrupt the continuity of the healthcare supply chain.

The Cost of a Healthcare Breach

According to IBM’s Cost of a Data Breach Report 2020 [4], healthcare continues to incur the highest average breach cost of any industry, at $7.13 million, for the tenth year in a row. That figure is a 10.5% increase over the 2019 study; healthcare, energy and retail saw the largest increases in average total cost. What makes the healthcare supply chain attractive to attackers is the wealth of PHI (Protected Health Information) and intellectual property held by these organizations.

Healthcare breaches are also costly because of how long they take to identify and contain: 329 days on average. The longer attackers remain inside an organization, the more data they can harvest and the more damage they can cause.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA aims to protect individuals’ health-related and personal information, including medical records, health insurance data and patients’ SSNs. Such records are highly valuable and fetch a premium on dark-web markets.

HIPAA establishes standards to protect individuals’ electronic protected health information (ePHI) that is created, received, used or maintained by a healthcare entity, known as a covered entity. The HIPAA Security Rule requires administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of ePHI.

Record Year for HIPAA Breaches

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA-covered entities and their business associates to provide notification following every breach of unsecured protected health information. If a breach affects 500 or more individuals, the covered entity must notify the Secretary of Health and Human Services without unreasonable delay, and no later than 60 days after discovering the breach.

In terms of reported breaches, 2019 was not a good year for HIPAA-covered entities: 37.47% more breaches were reported in 2019 than in 2018, and the number of records exposed rose by 196% over the same period, according to breach notifications received by the Department of Health and Human Services’ Office for Civil Rights (OCR). Third-party vendors and phishing attacks were behind most of these incidents.

Largest 2019 Breach Caused by a Third Party

A closer look at the 2019 health data breaches shows that third-party vendors working with healthcare providers accounted for about 23 percent of them.

When a third party (a business associate, in HIPAA terms) experiences a data breach, it does not always report the breach itself. Sometimes the vendor suffers the breach, but it is the healthcare entities it serves that each disclose it separately. That was the case with the American Medical Collection Agency (AMCA), a collection agency used by several HIPAA-covered entities: hackers gained access to AMCA systems in 2019 and stole sensitive customer and patient data.

The breach was the second-largest ever documented in the healthcare sector, behind only the 2015 breach of Anthem Inc. At least 24 organizations are known to have had data stolen as a result of the hack. Disclosures were still ongoing as of April 2020, with 145 related breaches reported to the OCR to date.


Third-Party Obligations Put into Practice

Under HIPAA, “covered entities” are individuals or organizations that transmit protected health information in transactions for which the Department of Health and Human Services has adopted standards. HIPAA’s Security Rule makes covered entities responsible for assessing the security readiness of their business associates: the vendors and other third parties contracted to receive, process, store or transmit PHI on the covered entity’s behalf.

  • Business associates must enter into a HIPAA-compliant business associate agreement with the covered entity before they are given PHI or access to systems containing PHI
  • A covered entity may disclose PHI to a business associate only under a written contract that provides satisfactory assurances of compliance with the applicable parts of the rule. The same requirement applies to any subcontractor of the business associate that has access to PHI
  • Business associates of covered entities must comply with the applicable HIPAA requirements
  • Business associates that fail to follow the HIPAA rules may be directly liable for HIPAA penalties ranging from $114 to $57,051 per violation


Comprehensive Cyber Risk Rating

Black Kite’s cyber risk rating can be used both before a covered entity enters into an agreement with a business associate under HIPAA and for ongoing monitoring during the relationship.

Compliance Module

Knowing a business associate’s cybersecurity maturity level, by assessing its compliance level, is a key component of reducing the risk it poses. Black Kite’s standards-based approach makes it easy to estimate and assess the compliance level of any third party, including business associates under HIPAA. Black Kite correlates cyber risk findings to industry standards and best practices, and this classification lets organizations measure a company’s compliance level against HIPAA and other standards, including NIST SP 800-53, ISO 27001, PCI DSS, NIST SP 800-171, the NIST Cybersecurity Framework, GDPR and Shared Assessments.


[4] Cost of a Data Breach Report 2020, IBM Security and Ponemon Institute
