Data breach reports prove the evolving trend of supply chain attacks in healthcare. Determine who is more responsible for third-party data incidents
As in any other industry, healthcare organizations increasingly rely on supply chains to manage operations. Hence, management of Protected Health Information (PHI) – the most sacred asset of every healthcare business – is placed on vendors’ shoulders. Relying on the supply chain streamlines processes in healthcare while simultaneously expanding the threat landscape. Thus, it is an open secret that hackers hunting for healthcare data often attack the third parties that manage PHI on behalf of healthcare providers or health plans.
Look at the recent healthcare data incidents reported to the Office for Civil Rights (OCR) this June. The attacks on Shields Health Care, Eye Care Leaders, and MCG Health prove the evolving trend of supply chain attacks in healthcare. Having affected around 4.3 million individuals so far, they serve as a reminder of the constant threat of a cyber strike coming from the rear, through a vendor rather than the front door. And this strike is equally painful whether you are a large healthcare provider or a small data management start-up.
Let’s look at the latest cases of supply chain attacks in healthcare and figure out who is more responsible for data incidents – healthcare providers or their vendors.
At least 2 million individuals have been affected in the cyberattack on Shields Health Care Group in March 2022. Shields provides ambulatory surgical center management and medical imaging services to 56 companies throughout New England. This fact implies two important considerations. First, the number of victims may rise dramatically, as the investigation is still ongoing and more of these 56 companies may report a data breach from their side. Second, the Shields data incident is a classic example of a supply chain attack in which Shields served as a springboard for accessing data held by 56 other organizations. Due to the scale of the data incident and the number of individuals affected, the Shields data breach is considered the largest healthcare data incident of 2022.
What was the reaction inside the company? Shields detected suspicious activity within the company’s network on March 28, 2022, and took immediate action to secure the network and prevent further unauthorized access. The company engaged a forensic team to determine the nature and scope of the security breach. It was determined that the Shields systems had been compromised between March 7 and March 21, 2022. The affected data is still being reviewed, and there is a high possibility that the number of individuals affected will increase.
Let’s look at the supply chain attack through the eyes of the covered entity. This June, Texas Tech University Health Sciences Center (TTUHSC) confirmed a data breach that affected more than 1.3 million patients. The data breach resulted from a security incident at Eye Care Leaders, a third-party vendor providing Electronic Health Record (EHR) management services to TTUHSC.
TTUHSC is not the only organization whose patient information was leaked due to the Eye Care Leaders breach. The vendor provides services to more than 20 covered entities, so there are others that the attackers compromised. We will not analyze all cases stemming from the Eye Care Leaders incident, but it is safe to assume that the number of victims will increase.
Eye Care Leaders first detected the breach on December 4, 2021. The company then secured its systems and launched an investigation. Although Eye Care Leaders claims to have contained the incident within 24 hours, further investigation confirmed that sensitive patient information was contained in the compromised files. As a result, a chain of detected incidents traces back to Eye Care Leaders. The vendor faces many questions, as there is a nagging suspicion that it did not do enough to minimize the attack’s harm.
Over 1.1 million people fell victim to a data breach at MCG Health – a software company that provides patient care guidelines to providers and health plans using Artificial Intelligence (AI) and technology solutions. Although the incident occurred in March 2022, MCG disclosed it only on June 10. Since then, at least eight organizations have come forward and said that the breach impacted them. It is important to note that MCG Health mentioned only 790,000 patients in its breach notice, while some of MCG Health’s partners are reporting the incident separately.
The MCG breach provoked a strong reaction among the individuals whose data were compromised. A proposed class action was filed to hold MCG accountable for failing to mitigate the incident properly. The 37-page complaint stated that MCG waited roughly three months to notify affected individuals of the data breach and to inform them that their sensitive data had been compromised. During this time, people were unaware that their PHI had been exposed and that they were at significant risk of identity theft and other forms of personal, social, and financial harm.
The cases above are examples of a supply chain attack – a cyber attack that aims to access information held by multiple organizations (or a targeted business) by attacking less-secure elements in the chain. By attacking Shields Health Care Group, Eye Care Leaders, or MCG, hackers gained access to the data and systems of multiple other organizations that stored an enormous amount of personal data.
The outrage of those who fell victim to these supply chain attacks is quite understandable given the risks such attacks entail. In the case of MCG, the victims complained that the unauthorized access lasted for roughly two weeks. During that period, sensitive data were unencrypted and easily accessed by attackers. MCG should have been better prepared to detect and mitigate cyberattacks, given the frequency of supply chain data incidents. The MCG case demonstrates the vendor’s failure to ensure the safety of sensitive data entrusted to it. However, it is sometimes unclear through whose negligence an incident occurred.
In supply chain data incidents, it may be unclear who is liable for a third-party data breach: the vendor whose systems were compromised first, or the organization that entrusted sensitive data to the vendor? Translated into HIPAA language, the question would sound like this: “Who is liable for the data incident – the covered entity that obtains and makes transactions with customers’ sensitive data, or its business associate, which has access to the data and performs functions or activities on behalf of the covered entity?” Let’s try to figure it out together.
According to the HIPAA Security Rule, all companies that work with healthcare data must have physical, technical, and administrative safeguards in place to protect PHI. Established in 2013, the HIPAA Omnibus Rule equalized the responsibility of covered entities and business associates for a data incident. In practice, it required covered entities to obtain satisfactory assurances from their business associates that they will safeguard PHI appropriately.
When you want to outsource services that touch PHI – whether data storage or electronic health records – you must sign a Business Associate Agreement (BAA) with those third-party vendors. With this document, vendors acknowledge their responsibility to safeguard the PHI entrusted to them appropriately. Not signing a BAA has catastrophic consequences for covered entities and may shift the blame for any data incident onto their shoulders.
At the same time, before entering into a business relationship with a vendor, covered entities must vet potential partners and ensure they can be trusted with PHI. Additionally, organizations should have all potential vendors undergo a compliance review to ensure their security controls and processes are up to the organization’s standards.
In the cases outlined above, there is no indication that TTUHSC or any other covered entity neglected its responsibility to sign a BAA with its vendors. However, depending on the situation, there is a possibility that covered entities negligently entrusted consumer data to their business associates. For instance, it is possible that TTUHSC had reason to believe that Eye Care Leaders’ servers were not secure, given that the company had a history of data security issues.
In short, supply chain attacks are equally painful for large healthcare providers and their third-party vendors. It is therefore critically important for covered entities and business associates alike to meet HIPAA requirements and protect sensitive data. Signing a BAA with your business associate is necessary, but it is only half the battle. Organizations should also conduct periodic compliance evaluations of their service providers. Unfortunately, the attacks on Shields Health Care, Eye Care Leaders, and MCG Health demonstrate the opposite: companies often neglect their obligations and become easy targets for hackers.
Monitor the data security situation within healthcare with us, and don’t hesitate to contact the Planet 9 team if you have any questions. We’ll be happy to assist!