Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.
As healthcare organizations more commonly tap third-party vendors to handle business functions, cybersecurity experts warn they’re creating opportunities for hackers. Data breaches of vendors, which fall under the business associate category on the Health and Human Services Department’s Office for Civil Rights breach portal, have grown in number and scale over the past five years.
Through November, there have been 116 reported breaches on business associates that affected 17.7 million patients. These accounted for 17.5% of healthcare breaches but 36.1% of patients whose data were exposed so far this year. Only 40 breaches hit business associates, involving 5.9 million patient’s data, during the same period in 2018.
Hackers view the data vendors possess as a “treasure trove,” said Jeff Krull, a partner who leads the cybersecurity practice at the consulting firm Baker Tilly.
Instead of breaching one organization’s data, criminals can obtain data from multiple providers and health plans that includes patient names, addresses, Social Security numbers, and treatment and prescription information. The cyberattack on printing and mailing service OneTouchPoint, detected in April, involved more than three dozen providers and insurers, including Humana, Kaiser Permanente and several Blue Cross and Blue Shield companies, and affected more than 4 million patients—making it the biggest healthcare attack reported this year.
“If a threat actor can identify that a vendor’s working with 10 or 12 hospital systems and healthcare plans, that’s going to make them a very high-value target,” said Alexander Urbelis, a senior counsel at the law firm Crowell & Moring who specializes in identifying cybersecurity threats.
Health systems are increasingly using vendors to achieve financial, operational and clinical efficiencies, especially amid the workforce shortage, said John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association.
“They just may not have the human resources or the human capital internally to affect certain business processes,” Riggi said. Large health systems may rely on thousands of vendors for administrative services, including payroll and electronic health records, and for software that runs medical devices such as X-ray machines and radiology equipment.
Stressed supply chains and financial issues at hospitals, exacerbated by the COVID-19 pandemic, are driving them to sign contracts with vendors. “You might be looking to outsource something you did in-house before to save some money,” Krull said.
These broader circumstances make it more difficult for healthcare organizations to invest in stronger security measures, Krull added. “It really creates this perfect storm,” he said.
While healthcare companies are strategically looking to contractors to improve business operations and clinical services, other vendor relationships are falling into their laps as health systems expand. “If there is a merger or acquisition, you’re taking on not only that entity, but also all their relationships,” Riggi said.
Yet health systems may opt to hire vendors to carry out tasks such as patient testing even when they are aware the contractor lacks strong cybersecurity measures if they conclude patient outcomes outweigh the risks, Krull said.
Attacks involving insurers happen less frequently than those on providers. Because they don’t have patients walking in and out doors, insurers can operate more as self-contained businesses and tightly control who has access to information, Krull said.