Are Your Business Associates Secure?
The more convenient IT has made work for you in the healthcare sector, the more of a target you’ve become for cybercriminals.
In other words, the easier it is for you to access Protected Health Information (PHI), the easier it is for cybercriminals to do so as well.
FireEye researchers have noticed a rise in targeted attacks against healthcare organizations that house large amounts of valuable patient data. This contrasts with the conventional “wide-net” approach to cybercrime, which is more opportunistic: attackers target as many organizations as possible and hope for the best.
These attackers are using credential theft malware, ransomware, extortion campaigns, and cryptomining to carry out their operations. Over the past two years, many healthcare-related databases have been put up for sale on the dark web, and access to healthcare systems has been sold in those same markets.
But that’s just from direct attacks – what about cybercriminals that go after your business associates?
4 Examples Of Business Associate Vulnerabilities
- Ransomware Hits Hundreds Of Dental Practices
Near the end of last month, hundreds of dental practices across the US were infected with malware. Over the course of the weekend, hackers penetrated the target systems, and by the time dental staff came in for work Monday morning, their patient data was inaccessible.
Instead of targeting the dental practices directly, the hackers went after a digital “bottleneck” of sorts: the developers of software that so many practices use, DDS Safe. This medical record retention and backup solution is meant to help practices manage their patient data, but the hackers turned it against them.
The developers (The Digital Dental Records and PerCSoft) were the ones forced to pay the ransom, with their many dental clients putting pressure on them to restore their access to data. As is always the case, paying the ransom didn’t immediately solve the problem – the recovery process has been long and tedious.
- Northwood Email Compromised
This medical equipment benefits administrator had their employee email breached this past summer, affecting more than 15,000 patient records. The cybercriminal in question had access to the data for at least three days, calling into question how much of it may have been compromised.
- Cancer Treatment Centers of America Email Hack
A cybercriminal gained access to this organization’s data for 11 days – and this is the third time CTCA has been breached. In this instance, at least 4,000 patient records were compromised.
- American Medical Collection Agency Hacked For 8 Months
More than 25 million patients’ information was exposed over the course of an eight-month hack.
The Importance Of Business Associate Agreements
All of these examples go to show how necessary it is to confirm your supply chain’s cybersecurity, in addition to your own. No matter how much you may have invested in your security and compliance, it won’t amount to anything if your business associates aren’t doing the same.
That’s why you need Business Associate Agreements (BAAs).
Your BAA should require a Business Associate to:
- Have appropriate safeguards in place and take any necessary steps to comply with the provisions of the Security Rule where applicable to your circumstances
- Have a process in place to notify you of any unauthorized use or disclosure of PHI that the Business Associate becomes aware of, including breaches of unsecured PHI and security incidents
- Take steps to ensure that any subcontractors employed by the Business Associate to receive, maintain, create, or transmit PHI on the Business Associate’s behalf are in agreement with and will be held to the same restrictions and conditions as the Business Associate
- Provide ready availability of PHI to individuals with certain rights (access, amendment, accounting, etc.)
- Have their internal practices and records relating to the use and disclosure of any and all PHI made available to the Secretary of the Department of Health and Human Services (HHS) for the purpose of determining your practice’s HIPAA compliance
- Agree to clear terms regarding the return or destruction of all PHI if the BAA is terminated. If PHI cannot be returned or destroyed for any reason, the Business Associate must agree to extend the protections offered by the BAA and limit any further uses and disclosures of the PHI in question
Don’t make the mistake of assuming your healthcare organization is low-profile enough to avoid a cybercriminal’s crosshairs. Even if you are (and again, you aren’t), your business associates probably aren’t.