Cybercrime in Healthcare – Part 3

Are vendors the unlocked back door?


This week we saw yet another cybercrime attack on a large hospital system. This is the latest in a series of apparent ransomware attacks starting in California, then Kentucky and now Washington DC. In these attacks, hackers can essentially halt a large patient care system for several days. This has pushed the issue of cybersecurity weaknesses in our healthcare infrastructure to the fore. In my recent blogs on cybercrime in healthcare (Part 1 and Part 2) I discussed the impact on the health system itself. It also has serious consequences for digital health companies (aka Business Associates or BAs) supporting large health systems.

Expect stronger vendor scrutiny

We all benefit from the explosion in cutting edge, innovative digital health vendors that we are seeing. However these vendors, often small and medium sized startups, may also be the weak security link that cybercriminals exploit. We expect health providers to exercise greater due diligence with tech vendors, both pre and post contract.

OCR’s increased focus on business associates

HIPAA Regulator, OCR, is widening its focus to include BAs. Consider the $1.5 million mega-fine on the NMHCS case. The breach actually occurred with a BA. However the hospital was held responsible for the seriously large “Oops” of not having a Business Associate Agreement in place. Only the fact that the self-reported breach happened in 2011, prior to the 2013 Omnibus changes around BA responsibilities, saved the BA from the fine.

Expect More Audits

The fines OCR collects as a result of audits can go directly to paying for more auditors, which they’ve already done with a third party vendor called FCi Federal. More auditors means more audits. And since OCR is currently collecting a list of BAs from targeted Covered Entities, you could find yourself on that list.

So if you’re a tech vendor, where to start?

Reduce and mitigate the risk

Begin by taking cybersecurity and risk management very seriously, today. Start with these 4 to-dos:

  1. Conduct a risk assessment.
  2. Develop a risk mitigation plan to “fill the gaps” found.
  3. Get help from a professional to do so.
  4. Go beyond simply meeting the HIPAA standards, aim to develop a comprehensive culture of security throughout your entire organization.

The last recommendation may make you scratch your head, but in some cases, HIPAA doesn’t go far enough. Security and compliance starts with the people, and so building a culture of compliance is the best foundation. As we saw recently in the case of Zenefits, sacrificing compliance in the pursuit of revenue has consequences.

If data security is any part of your business, now is a good time to review just how wide open your back door really is. Because the price tag for not doing so just went way, way up.

Contact us to discuss how Ostendio can help you develop, manage and track your Risk Mitigation, Information Security and Compliance.