Third-Party Security: Guarding Against Complacency
Providence Health Plan's Patients Affected by Dominion National Breach
Oregon-based Providence Health Plan says some of its members were among the nearly 3 million individuals affected by a nine-year data breach revealed by Virginia-based health plan administrator Dominion National in June.
What lessons are emerging from the Dominion National security incident and others involving third parties? The most important one is simply this: Organizations must guard against becoming complacent about the security practices of the vendors they use.
Providence Health Plan Notification
In a statement posted on its website, Providence Health Plan says it was notified on June 21 by Dominion National, one of its business associates, of a privacy incident involving health plan member information.
"On April 24, 2019, Dominion National was investigating an internal alert and determined that an unauthorized party may have accessed some of their computer servers," Providence notes.
"The unauthorized access may have occurred as early as August 25, 2010. Upon learning of this information, Dominion National notified law enforcement, moved quickly to clean the affected servers, implemented enhanced monitoring software and launched an investigation with the assistance of a leading cybersecurity firm."
The data potentially accessible from Dominion National's computer servers may have included enrollment and demographic information for current and former members of Providence Health Plan's dental program, Providence notes.
The affected information may include names, addresses, email addresses, dates of birth, Social Security numbers, member identification numbers, group numbers and subscriber numbers.
"Dominion National and Providence Health Plan have no evidence that any information was actually viewed, accessed or has been misused," Providence says.
According to a posting on the Department of Health and Human Services' HIPAA Breach Reporting Tool website, which lists health data breaches that impact 500 or more individuals, Dominion National reported the hacking/IT incident to HHS on June 21 as affecting 2.9 million individuals. As of Tuesday, the Dominion incident was the third largest health data breach added to the HHS website so far in 2019.
Breach reports from Providence Health or other companies impacted by the Dominion National incident do not yet appear on the HHS website.
The news site Oregon Live reports that 122,000 Providence Health Plan members were among the individuals impacted in the Dominion National incident.
Providence Health Plan did not immediately respond to an Information Security Media Group request for comment on the breach. Dominion National declined to comment on the identities of other health plans affected by its breach.
Dominion National notes on its website that besides Providence Health Plan, it administers health and dental plans for a number of large organizations, including Kaiser Permanente of the Mid-Atlantic States, UPMC Health Plan, Capital BlueCross and Premera Blue Cross.
Increasingly, hackers are targeting vendors that serve many major clients, because a single compromise of the vendor exposes records from every client at once.
"The Dominion National attack represents a clear escalation of aggressiveness by the hackers. It is just another example where attackers are adapting their tactics to move up the supply chain toward higher priority, and often softer targets," says Clyde Hewitt, executive adviser at the security consultancy CynergisTek. "By focusing near the top of the supply chain, hackers can infect tens or hundreds of organizations simultaneously and harvest many more records."
This escalation represents a new risk model for organizations and requires security officers to work outside of their "comfort zones," Hewitt adds. "Addressing security risks in the supply chain is complex, requiring a closely orchestrated response that involves procurement, legal, compliance - all led by the security official."
Other Big Business Associate Incidents
In recent months, several other business associates - including American Medical Collection Agency - have reported health data breaches that have affected scores of their well-known clients and unfortunately, in some cases, millions of those companies' patients.
For instance, while AMCA isn't exactly a household name, its clients affected by its breach included some of the largest medical testing laboratories in the U.S., including Quest Diagnostics and LabCorp.
But just because a vendor has high-profile clients doesn't necessarily mean its security practices are high caliber.
"A business associate's client list does not necessarily equate to that same vendor having a minimally acceptable or preferably advanced level of cybersecurity," says Tom Zimmerman, senior security consultant at tw-Security.
"Healthcare customers should insist that their business associates frequently provide confirmation that the BA's level of cybersecurity is in line with current industry capabilities and patches and meeting the customer's expectations for protecting sensitive data," he says.
"Both parties named in the business associate agreement have accountability to ensure that the agreement is reviewed frequently ... and modified to meet the current cyber environment. Too often, a BAA is reviewed and signed, then allowed to become inadequate."
To help with monitoring their BAs' security efforts, Zimmerman recommends tapping the expertise of cybersecurity assessors, vulnerability experts, and/or penetration testers. These experts can help to investigate and identify weaknesses, and then provide reasonable security recommendations, he notes.
"Promptly implementing those recommendations is critical."
Supply Chain Risk
Among the most compelling lessons emerging from recent massive vendor breaches, Hewitt says, is the lack of preparedness to deal with supply chain risks.
"A root cause of this thinking flows from the HIPAA Security Rule, which limits a covered entity's authority following a breach with their business associates, while preserving a covered entity's responsibility to notify any impacted patients," he says.
"Vendors who represent the top of a supply chain have been operating under the radar of the covered entities, such as healthcare providers, for years," he notes. "Contracts often last years, or even decades. Covered entities generally have not performed periodic risk assessments on these vendors or updated the contracts to require more stringent assessments and audits. Without this external look, breaches will happen through complacency."