Anatomy of a Healthcare Data Breach
Recent settlements in class action lawsuits filed in the aftermath of data breaches at BJC Healthcare and Methodist Hospital, and a newly filed suit against Tenet Healthcare, serve as the latest reminders that threats and risks live outside your organization, whether in the form of vendors, affiliates or subsidiaries. They also underline the threat of litigation in the wake of such incidents.
The spread of digital health technologies and telemedicine, together with the many third parties that handle patient data on behalf of both healthcare entities and consumers, has created a minefield of data privacy and security risk. While several guidelines exist for the healthcare sector, including HIPAA, the NIST frameworks, and most recently the Digital Health Assessment Framework developed by the American College of Physicians, the American Telemedicine Association and ORCHA (Organization for the Review of Care and Health Applications), there is no universal remedy when it comes to risk mitigation.
The good news? There are plenty of silver linings in the form of best practices, lessons learned, and technology. Guidelines and regulations for protecting electronic health records set the table stakes for what your organization’s security framework should look like. When those are combined with best practices and with process and technology designed to assess and continuously monitor your third parties, healthcare organizations can build a robust defense that helps minimize both the likelihood and the impact of a breach at one of their third parties.
Lessons Learned: Tenet’s Response
According to Norton, around 2,200 cyber-security attacks happen each day, so it is not a matter of if, but when, something will happen. When a healthcare data breach occurs, the most critical thing is to limit the impact on your organization by activating your response playbook, which Tenet did immediately and effectively. The steps they took included:
- Limit: Once the third-party breach was identified, they quickly cut off the offending party’s access to their systems, network, and applications.
- Analyze: They conducted a forensic analysis to understand the extent of the incident and its impact.
- Monitor & Improve: Tenet immediately stepped up monitoring and systems security.
- Communicate: Notification of the breach was issued in accordance with the requirements outlined in HIPAA.
Recovering from a Healthcare Data Breach
We don’t have all of the details of Tenet’s after-action planning, but based on the best practices we’ve seen here at Panorays, their next steps most likely included assessing cyber resilience to ensure they are protected against future breaches. There will never be a 100% guarantee, but taking what you learned from the breach and bolstering your defenses is the logical next step. Beyond analyzing your internal infrastructure, you’ll also want to verify that your third parties’ security practices and policies are keeping you safe. Continuous monitoring for changes in your security posture is also crucial to protect against ongoing threats.
The Best Offense
While playbooks may vary from team to team, the best offense is always a good defense. There are 5 key steps your organization can take to keep the upper hand in the ongoing battle against malicious actors and cybercriminals:
- Assess: Before deciding to work with a third party, perform a comprehensive assessment of its cyber risk. The process should be thorough and scalable, so that as your vendor list grows you can manage and onboard new vendors easily. External attack surface assessments combined with automated security questionnaires can help evaluate a supplier’s potential risk. Keep the context of your business relationship in mind when conducting these assessments, since the level of access a vendor has determines how much risk it carries.
- Train: Some of the most notorious third-party data breaches have been caused by human mistakes or accidental disclosure. Phishing attacks and stolen credentials, for example, target employees as the initial entry point into a company, and these threats have only increased since so many companies switched to remote work. Insisting that your third parties implement employee security awareness training is a necessary step.
- Communicate: Third-party security management typically involves numerous teams across your business. Because there are so many moving parts, it’s essential to have a process in place that lets all stakeholders communicate quickly and effectively with each other, particularly when cyber gaps need to be addressed with vendors or third parties. For these reasons, a centralized platform is essential.
- Document: Keeping records of all third-party management activity is important for several reasons. First, it lets you track your suppliers’ cyber posture over time. Second, documentation helps you stay on top of your suppliers’ required cyber hygiene. Lastly, it serves as an audit trail demonstrating that your organization has a strong third-party security risk management process in place.
- Monitor: Cyber threats evolve as technology does, and they are increasingly multi-faceted. Companies also constantly introduce new software and technologies that may be vulnerable to attack. This ever-changing landscape is why it’s essential to continuously monitor your suppliers and receive live alerts about any change in their cyber posture.
Vendor Cyber Risk Assessment for the Healthcare Industry
Personal Health Information (PHI) has become a popular target for cybercriminals, and targeting healthcare organizations’ third parties is another way to reach that coveted data. Want to learn more about how Panorays helps you assess and monitor your vendors’ cyber risk? Schedule a demo today.