Two recent data breach incidents in the healthcare industry prove what readers of this blog have heard all too often: KNOW THY VENDORS.
Last week, Phoenix-based Banner Health reported one of the year's largest data breaches. Banner reported that it had suffered a massive cyberattack potentially affecting the information of 3.7 million patients, health plan members and beneficiaries, providers. This attack is notable for all companies and not just healthcare providers covered by HIPAA. Reportedly, the attack occurred through the computer systems that process food and beverage purchases in the Banner system. In the incident, according to reports, the hackers gained access to the larger systems through the point-of-sale computer system that processes food and beverage purchases. The attack was discovered on July 13, and Banner believes hackers originally gained access on June 17.
Many companies -- particularly hospitals -- have only a perimeter firewall to provide protection for access into and out of the core network. It is less common for companies to have multiple layers of security protecting individual systems operating "inside the firewall". Readers will recall the main route for the Target hackers into the system was through a small vendor. The "kill chain" analysis in the Target matter is still highly recommended reading to learn about this topic. At Banner, once the hacker was into the food and beverage system (maintained by a separate vendor), the gate was opened to the entire system's network. This is yet another example of the importance of data mapping and systems mapping to locate, identify and protect the core systems where protected health information (or other critical information) is stored. This exercise will add visibility into those devices not necessarily controlled by the institution and applying further controls to them. Flat networks and broad access can easily allow the bad guys to roam freely once in the door.
Example #2 is an attack reported on a NewKirk Products, a vendor providing identification cards for insurance plans. On July 6, NewKirk reportedly discovered that a server containing broad categories of PII of 3.3 million members of insurance plans was accessed without authorization.
Affected insurers include Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, HealthNow New York, BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, Capital District Physicians’ Health Plan, Gateway Health Plan, Highmark Health Options, West Virginia Family Health, Johns Hopkins Employer Health Programs, Priority Partners Managed Care Organization and Uniformed Services Family Health Plan. According to NewKirk, no payer systems were affected.
If your business has not undertaken a comprehensive review of the third-party vendors that have access to your network, a starting place is a review of our webinar on third-party risk and risk assessments. Listen here, and let the Mintz Levin Privacy Team know if we can be of assistance.