Imagine you run a busy casino. Your floors are packed and your machines are bringing in the big bucks. You’ve got security everywhere. Cameras in the ceilings, guards on the floor, a secure cash room. You’re in your office, and you’re admiring your new, exotic fish swimming around in their big, expensive tank. Life is good.
Little do you know those fish just let the bad guys in.
There’s not much in common between healthcare providers (HCPs) and casinos, but one thing they do share is the need for Business Associates. Every business, from healthcare to casinos, has a long list of Business Associates — third-party vendors that handle everything from vending machines to HVAC, payroll and even tropical fish. More on that in a minute.
Unfortunately, Business Associates are often a wide-open door of security risk into many organizations. It doesn’t matter how well your systems are upgraded or how often your employees are trained in security compliance if your BAs don’t put in the same effort. Vulnerable BAs become backdoors that hackers can sneak through into your seemingly impenetrable castle.
Let’s take a look at a few examples of how out-of-your-hands these breaches can be, and then we can look at a few questions that can help you gauge just how secure your own BAs are on their end.
Breaching the Casino Through the Aquarium
Remember that fish tank in the casino? Its thermometer was the real breach point. Thanks to the interconnectedness of devices these days, aka the “Internet of Things” (IoT), that thermometer became a tiny hole into the casino’s network. The hackers just threw their hook into it and fished around until they hooked a huge chunk of personal information.
Despite the wild level of security casinos create to protect themselves in-house, they don’t know anything about aquariums. That thermometer was built, installed, and maintained by some other company, and unfortunately, hackers can use these smaller Business Associates to get to the bigger fish (the casino in this case).
Target Breached Through HVAC Supplier
You might have missed the hacking fish tank in the news, but you probably remember the Target breach back in 2013.
Now, there was a MASSIVE amount of work that went into the Black Friday hack of Target, but these hackers also went through a smaller, third-party Business Associate.
The Business Associate, Fazio Mechanical, happened to be in the refrigeration business, and their systems were infected with a virus that was then passed on to Target’s systems, the hackers’ actual target. When the dust settled, the attack led to over seventy million instances of breached credit card data and left a stain on Target’s public image.
There were many facets to the Target breach besides the Business Associate aspect, but the entire attack would have failed if Fazio Mechanical had recognized, and not fallen for, the phishing attack. It’s important to note that more than 70% of breaches come back to human behavior.
Once Again, It’s Phishing, but Not Through an Aquarium
At one point, American Anesthesiology was owned by MEDNAX. MEDNAX eventually sold this portion of their business to the North American Partners of Anesthesiology (NAPA). After the purchase was complete, however, NAPA still had dealings with MEDNAX to provide support for American Anesthesiology.
Why not? MEDNAX understood the systems, records, and data of American Anesthesiology better than its new owner, NAPA. It only made sense to let them continue to work on that side of the business.
A cybercriminal managed to trick a handful of MEDNAX employees with some phishing emails and gained access to a number of employee accounts and patient records related to American Anesthesiology, which was part of NAPA by this time.
The hacker had access to these emails and patient records for FIVE DAYS. Five days of access to the most private information of patients.
The hacker was probably attempting payroll fraud, so the patient records were likely not the actual target. But the hacker’s intended target does not change the fact that these patients of NAPA were exposed to a hostile, outside entity because of an oversight by MEDNAX.
But NAPA was the company the patients probably saw as responsible, even though NAPA wasn’t technically at fault. American Anesthesiology was part of NAPA at the time, after all. Perception matters with your patients.
So What About YOUR Business Associates?
Have you ever surveyed your Business Associates? Do you know how careful they are when it comes to cybersecurity? Do you realize YOU are responsible for their actions?
We’re here to help. Here are four key questions you can ask current and new vendors to make sure you have a Business Associate Agreement in order.
- Can you please describe your security team or the party responsible for directing and overseeing your security and HIPAA compliance?
- How frequently do you have a third party perform a formal, documented Security Risk Assessment (SRA)?
- Can you describe the cybercrime and HIPAA awareness training you provide to your employees, and how frequently it is given?
- Can you describe or list what documentation you have on hand to show evidence of security efforts?
Asking these questions, along with drafting a Business Associate Agreement, can help make sure your Business Associates are doing all they can to defend against cyberattacks. Aspen HSC is here to help. We founded the Rural Health Leadership Forum to offer resources and tools to make sure you are doing all you can to fight cybercrime. Activate your membership here: Rural Health Leadership Forum (membership is free), then download your BA Survey Letter. And remember, you can always reach out to us at Aspen HSC if you need help.