January 03, 2023 05:00 AM

Healthcare vendors are the new front of the cybersecurity war

Lauren Berryman

    Cybercriminals seeking to seize sensitive health information are increasingly targeting vulnerable vendors to get around the safeguards healthcare providers, insurers and other entities have erected to protect patient data.

    As healthcare organizations more commonly tap third-party vendors to handle business functions, cybersecurity experts warn they’re creating opportunities for hackers. Data breaches of vendors, which fall under the business associate category on the Health and Human Services Department’s Office for Civil Rights breach portal, have grown in number and scale over the past five years.

    Through November, there have been 116 reported breaches of business associates that affected 17.7 million patients. These accounted for 17.5% of healthcare breaches but 36.1% of patients whose data were exposed so far this year. Only 40 breaches hit business associates, involving 5.9 million patients' data, during the same period in 2018.

    Hackers view the data vendors possess as a “treasure trove,” said Jeff Krull, a partner who leads the cybersecurity practice at the consulting firm Baker Tilly.

    Instead of breaching one organization’s data, criminals can obtain data from multiple providers and health plans that includes patient names, addresses, Social Security numbers, and treatment and prescription information. The cyberattack on printing and mailing service OneTouchPoint, detected in April, involved more than three dozen providers and insurers, including Humana, Kaiser Permanente and several Blue Cross and Blue Shield companies, and affected more than 4 million patients—making it the biggest healthcare attack reported this year.

    “If a threat actor can identify that a vendor’s working with 10 or 12 hospital systems and healthcare plans, that’s going to make them a very high-value target,” said Alexander Urbelis, a senior counsel at the law firm Crowell & Moring who specializes in identifying cybersecurity threats.

    Why now?

    Health systems are increasingly using vendors to achieve financial, operational and clinical efficiencies, especially amid the workforce shortage, said John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association.

    “They just may not have the human resources or the human capital internally to affect certain business processes,” Riggi said. Large health systems may rely on thousands of vendors for administrative services, including payroll and electronic health records, and for software that runs medical devices such as X-ray machines and radiology equipment.

    Stressed supply chains and financial issues at hospitals, exacerbated by the COVID-19 pandemic, are driving them to sign contracts with vendors. “You might be looking to outsource something you did in-house before to save some money,” Krull said.

    These broader circumstances make it more difficult for healthcare organizations to invest in stronger security measures, Krull added. “It really creates this perfect storm,” he said.

    While healthcare companies are strategically looking to contractors to improve business operations and clinical services, other vendor relationships are falling into their laps as health systems expand. “If there is a merger or acquisition, you're taking on not only that entity, but also all their relationships,” Riggi said.

    Yet health systems may opt to hire vendors to carry out tasks such as patient testing even when they are aware the contractor lacks strong cybersecurity measures if they conclude patient outcomes outweigh the risks, Krull said.

    Attacks involving insurers happen less frequently than those on providers. Because they don’t have patients walking in and out of doors, insurers can operate more as self-contained businesses and tightly control who has access to information, Krull said.

    Bolstering cybersecurity

    Cyber risks are now top of mind for many health systems' executives, Riggi said. Experts stress there's more to be done as threat actors become more sophisticated.

    “Vendor oversight has become a really big thing in the past five years, in that before, health systems and health plans weren't conducting appropriate due diligence on these [vendors], or maybe no due diligence at all,” said Doriann Cain, a partner at law firm Faegre Drinker who works with healthcare clients on cybersecurity practices.

    In addition to avoiding the hefty financial cost of data breaches, improving cybersecurity is important for patient care and brand reputation.

    Last December, payroll provider Ultimate Kronos Group revealed it fell victim to a ransomware attack, which caused a stir among the many health systems that relied on it for employee scheduling. The disruption caused a cascading effect that delayed care at numerous hospitals during the COVID-19 omicron surge, Riggi said.

    Tightening cybersecurity and properly vetting vendors helps providers improve patient health outcomes, Riggi said. "This is about protecting patients. If you divert an ambulance or you delay cancer treatment, those effects potentially cause physical harm,” he said.

    Reputational damage following a cyberattack typically tends to hurt the healthcare organization, not the vendor. But it’s not always easy to change contractors.

    “Some of those vendors almost have a monopoly in terms of the services they're providing, so you see healthcare providers not stuck with them, but maybe not always able to utilize another vendor who may be performing these services that they expect and want to see,” Cain said.

    Health system and health insurance company leaders must assess a vendor’s cybersecurity controls before trusting it with patient data. Cataloging third-party relationships across a health system is the first step they should take, Riggi said.

    Healthcare companies considering vendors should take several steps to determine whether their would-be partners can protect patient data, such as requesting information about their cybersecurity measures, ensuring the vendors' security controls are certified by third parties, and insisting contractors undergo security audits such as System and Organization Controls 2 (SOC 2), the experts Modern Healthcare interviewed said.

    Tim Broderick contributed to this story.

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.