Healthcare billing and IT solutions vendor PracticeMax announced that it was the victim of a ransomware attack that occurred between April 17 and May 5. PracticeMax is a business associate of healthcare organizations Humana and Anthem. During the breach, an unauthorized actor accessed and stole more than 4,000 Humana patient files containing protected health information (PHI).
This ransomware attack is far from the first to target the healthcare industry. In fact, just last year we watched Ryuk spread actively through hospital systems, and healthcare-related ransomware attacks continue to rise. The PracticeMax breach is just the latest example of why healthcare organizations need better prevention to secure the weakest links in their supply chains: third-party vendors and business associates. In this post we offer some tips on how.
To gain visibility into business associate risks at every stage of the vendor lifecycle and be better prepared for a supply chain attack, consider the following tips:
As a first step toward shrinking your third-party attack surface, perform an inherent risk assessment on all business associates (BAs) before or during onboarding. Inherent risk is the risk of the engagement itself, before any controls are taken into account, so it can be scored from what the BA does for you and what data it touches. A ransomware-specific inherent risk assessment will provide insights into factors such as:
You can then use the results, in the context of the type of data being handled, to tier your business associates and right-size subsequent due diligence activities: a BA that processes PHI at scale warrants a full controls assessment, while one that never touches PHI may need only a lightweight review.
Pro tip: To accelerate onboarding and the initial risk assessment, consider leveraging a library of completed vendor risk assessments. Risk assessments in these repositories should be aligned to healthcare industry guidance, such as H-ISAC's, and be updated dynamically with the latest insights into cyber, business, reputational, and financial risks.
Your current business associate profiles likely cover annual revenue, industry code, ownership, reputation, and other attributes. However, they probably do not provide visibility into the fourth-party products and services your BAs rely on. Knowing which products and tools they have in place lets you quantify concentration risk when a fourth-party technology is breached (e.g., Kaseya): a single compromised product can expose many of your BAs, and your PHI, at once. Look for third-party risk management solutions that automatically map relationships to fourth-party technology providers to simplify the process.
Assessing your vendors during onboarding is a great start. However, if you limit subsequent reassessments to fixed points in time, such as contract renewals, you will miss any risks that arise in the interim. There are two broad approaches to addressing these gaps, proactive and reactive:
Each approach provides more regular insight to help you stay on top of BA risks. A proactive approach combines a vendor-completed, controls-based assessment with an external analysis of threats from the Internet and dark web, as well as public and private sources of reputational, sanctions, and financial information. Key to this approach is normalizing and correlating the data from all sources into a single risk register, so that risk can be viewed in context, quantified, managed, and remediated from one place.
A reactive approach automates the triggering, issuing, and analysis of event-specific assessments (e.g., in response to the SolarWinds attack) based on the fourth-party relationships mapped in Tip 2 above: when a product your BAs depend on is compromised, every BA that uses it is identified and sent a targeted questionnaire. Either way, you walk away with more regular insights for more informed, risk-based decision making regarding your supply chain.
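The fourth-party mapping from Tip 2 and the event-triggered assessments described above can be expressed as a small piece of working logic. The following Python is an added illustration written for this post; it is not Prevalent's product code. The BA inventory, the fourth-party product names, the data-sensitivity tiers (3 = PHI at scale, 2 = limited PHI, 1 = no PHI), and the breach event are all constructed sample data, and the tier scale is an assumption chosen for the example.

```python
"""Fourth-party concentration risk and event-triggered BA reassessment.

Added illustration for this post (not Prevalent's own code). All names,
tiers and the breach event below are constructed sample data. The
data-sensitivity tier scale (3 = PHI at scale, 2 = limited PHI, 1 = no PHI)
is an assumption for the example.
"""
from collections import defaultdict

# Constructed BA inventory: each BA lists the fourth-party products it depends on.
BUSINESS_ASSOCIATES = {
    "billing-vendor-a": {"tier": 3, "fourth_parties": {"rmm-tool-x", "email-gateway-y"}},
    "claims-clearinghouse-b": {"tier": 3, "fourth_parties": {"rmm-tool-x", "cloud-z"}},
    "transcription-c": {"tier": 2, "fourth_parties": {"cloud-z"}},
    "facilities-d": {"tier": 1, "fourth_parties": {"rmm-tool-x"}},
}


def map_fourth_parties(bas):
    """Invert the BA inventory: fourth-party product -> set of BAs that use it."""
    index = defaultdict(set)
    for ba, info in bas.items():
        for product in info["fourth_parties"]:
            index[product].add(ba)
    return dict(index)


def concentration_risk(bas):
    """Score each fourth party by summing the data-sensitivity tiers of the
    BAs that depend on it. A higher score means a breach of that product
    exposes more sensitive data across more of your BAs. Returned sorted,
    highest concentration first."""
    index = map_fourth_parties(bas)
    scores = {product: sum(bas[ba]["tier"] for ba in users)
              for product, users in index.items()}
    return dict(sorted(scores.items(), key=lambda kv: (-kv[1], kv[0])))


def triggered_assessments(bas, breached_product, min_tier=1):
    """Reactive step: given a breach event naming a fourth-party product,
    return the event-specific assessments to issue, most sensitive BAs first.
    BAs below min_tier (e.g. those holding no PHI) can be filtered out so the
    questionnaire only goes where exposure matters."""
    index = map_fourth_parties(bas)
    exposed = [ba for ba in index.get(breached_product, set())
               if bas[ba]["tier"] >= min_tier]
    exposed.sort(key=lambda ba: (-bas[ba]["tier"], ba))
    return [
        {
            "business_associate": ba,
            "tier": bas[ba]["tier"],
            "event": breached_product,
            "questionnaire": "ransomware-exposure",  # assumed questionnaire name
        }
        for ba in exposed
    ]


if __name__ == "__main__":
    print("Concentration risk by fourth party:", concentration_risk(BUSINESS_ASSOCIATES))
    for item in triggered_assessments(BUSINESS_ASSOCIATES, "rmm-tool-x", min_tier=2):
        print("Issue assessment:", item)
```

On the sample data, the remote-management product used by three BAs scores highest, and a breach event for it produces assessments for the two PHI-handling BAs first; the facilities vendor with no PHI is dropped when `min_tier=2`. In practice the inventory would come from your TPRM platform rather than a literal dictionary, but the inversion and scoring logic is the same.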
Although the PracticeMax attack involved a current vendor, it is important to apply the same rigor to offboarding as you do to onboarding. As you wind down a BA relationship, you should verify that the BA is disposing of your patients' PHI and returning or destroying your assets according to regulatory requirements and industry best practices. Otherwise, you could end up with hefty fines to deal with (just ask Morgan Stanley). We have found that few companies address risk during the offboarding stage of their BA relationships. Look for solutions that let you schedule tasks to review contracts and confirm all obligations have been met, and issue customizable contract assessments to evaluate offboarding status.
HIPAA requires covered entities to enter into a business associate agreement (BAA) with any third-party vendor that creates, receives, maintains, or transmits PHI on the entity's behalf. The agreement contractually binds the BA to the applicable HIPAA safeguards, so that PHI is protected outside your own walls. If you are dealing with dozens, hundreds, or even thousands of third parties, manually collecting and analyzing this information in a spreadsheet quickly becomes overwhelming. Look for solutions that not only automate the collection and analysis of BA risk data, but also produce HIPAA-specific reporting showing compliance status and any weaknesses before you engage your external auditors. It will greatly accelerate the risk mitigation process.
Taking a holistic approach to business associate security and protecting data at every step of the third-party lifecycle can help you mitigate risks and avoid becoming the next ransomware data breach victim. For more specific guidance on how Prevalent can help you meet HIPAA Security Rule business associate risk requirements, download The HIPAA Third-Party Compliance Checklist or contact us today for a strategy session.
Bonus: If you think a business associate has been the victim of a ransomware attack, use this free questionnaire to determine your exposure.