Vendor Management Needed in Light of NRC Health Ransomware Attack
CynergisTek’s David Holtzman dives into vendor management priorities for providers in light of recent third-party vendor breaches with potentially serious consequences, like the NRC Health ransomware attack.
By - Last week, NRC Health became the latest vendor to report it fell victim to a ransomware attack, which locked the company out of its computer systems as it worked to recover. Given its massive list of healthcare clients, the cyberattack could become a massive data breach.
NRC Health sells software to about 9,000 healthcare organizations, or about 75 percent of the 200 largest hospital chains in the US. Its clients include Cedars Sinai, Adventist Health, Providence Health, and a host of others, according to its website.
In total, the vendor collects data from over 25 million US and Canadian consumers each year.
While the vendor continues to recover and investigate the incident, security leaders have stressed what the incident could mean for patient privacy.
But the NRC Health cyberattack sheds light on a greater concern to healthcare organizations: How can covered entities and other providers rein in their control over the vast number of vendors with which they interact, some of which are unknown?
Vendor incidents were behind some of the largest healthcare data breaches of 2019. The American Medical Collection Agency breach was the biggest, impacting more than 25 million patients from Quest Diagnostics, LabCorp, and dozens of others.
But three other ransomware attacks on separate IT vendors share similarities with the NRC Health incident. Two IT vendors that support dental offices were hit in late 2019, impacting hundreds of dentists across the country, while a similar attack on an IT vendor for nursing facilities locked out hundreds of those providers.
Currently, the extent of those cyber incidents is unknown, given the scope and complexity of the breach.
Beyond HIPAA Regulations
To David Holtzman, executive advisor for CynergisTek, it may be time to stop using the traditional terms of covered entity and business associate, as much of the information organizations have on businesses falls outside of HIPAA.
“Each of the 50 states has their own breach notification requirements, and many states protect or require notification for breaches of data maintained by organizations not covered by HIPAA, when the data itself is not HIPAA-covered information,” Holtzman said.
“An example would be, if an organizations creates an app that is a wellness tracker that captures information about the individuals’ exercise, and the individual sends that data to healthcare provider,” he continued. “If that app developer is hacked or has security incident, they themselves are not covered by HIPAA, but the data itself may be subject to any number of state law requirements.”
NRC provides a solid example of this issue, as the data created and maintained by the vendor may not all be subject to HIPAA. For one, the data subject to HIPAA is that which is created for the covered entity and the designated record set, may not be subject to the regulation.
"Hold the vendor’s feet to the fire because it’s the healthcare organization who is ultimately responsible to fulfil breach notifications.”
Right now, it’s unclear what data was precisely impacted or what the company is actually maintaining or creating in terms of data. But Holtzman stressed that NRC shouldn’t be singled out, as it’s just part of the overall data issues in the sector.
“Vendors to healthcare organizations should work to be transparent to the public and to the organizations contracted with those providers to make clear statements as to what happened, what data may have been compromised, and what steps they are taking to notify the organizations they serve of the data that was put at risk,” he explained.
The challenge is that in the US there are two ways to address these notification rules. There should be government regulation that mandates certain levels of disclosure, but Holtzman stressed that we don’t currently have those in action.
Instead, we leave the onus on vendors to report security incidents to the organizations to which they’re contracted. Further, some states do require vendors to report security events to vendors within a short amount of time.
“But generally, it’s ultimately the responsibility of the vendor that controls the data, the data controller if you will, to assess whether the data has been compromised and to make notifications as required under state and federal laws,” Holtzman said.
“It’s left to each organization to deal with this issue through their contact with their vendor,” he continued. “Not through the business associate agreement (BAA) because it’s generally not the place to get priorities or specific provisions as to how a vendor is to perform.”
Review Vendor Contracts
BAAs only cover activities subject to HIPAA, by its own terms, Holtzman explained. But we’re seeing more and more that participants in the healthcare marketplace aren’t always subject to the business associate rules of HIPAA.
As a result, these massive incidents should be motivating healthcare organizations to take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships. Because in the end, it’s the provider who is ultimately responsible for protecting patient health information.
“The types of incidents that involve vendors, providing insularly services to a broad swath of leading healthcare organizations, really are the scariest of incidents,” Holtzman said. “Because of the breadth and sheer volume of the data they could be handling.”
“When I saw this incident and the earlier incident with AMCA, I came away with two thoughts: first is that we should take this as an opportunity to prepare,” he added. “Prepare for the eventuality that one of our vendors is going to suffer a cybersecurity incident. And there are a number of steps we should take to be able to both respond and recover from an incident that impacts the data that they create or maintain on our behalf.”
To start, organizations responsible for personally identifiable information should review their vendor contracts to ensure there are terms that specify the obligation of the vendor to provide timely notification and detail reports of their investigations into security incidents that could pose a risk of compromise to the data they are tasked with creating or maintaining.
“It’s not quite accurate to say the privacy of the information is not at risk.”
The reports should detail the precise incident that occurred, the steps the vendor took during their investigation, a forensic analysis of the systems impacted by the security event, an inventory of the data that belongs to the provider, and the exact data at risk of compromise, Holtzman explained.
“As you’re considering a vendor during the pre-contract stage, in which healthcare data will be created or maintained, have as a part the contract process, a vendor assessment, a pre-contact vendor assessment,” he said.
“Review of the risk assessment and risk management plans for each vendor so that you can know going into your vendor selection process which vendors have the information security strategy that best fits your needs and expectations,” Holtzman added.
For the vendors to which the healthcare organizations are already contracted, he stressed that it’s a good time to perform a risk assessment and risk management strategies of those vendors.
“If we were buying organic peanut butter off-the-shelf in store, we’d review the nutrition label to make sure what they’re claiming on the front of the label actually matches the disclosure on back of label,” Holtzman said. “Healthcare organizations should be doing the exact same thing: Don’t take the organizations’ word that they’re HIPAA compliant.”
“Don’t be fooled by some certification that they claim to have regarding their infosec status: make your business associates be a wise consumer and require your vendor to provide you with information about their risk assessment and risk management strategy,” he continued.
Further, it’s imperative to develop and test your organization’s incident response plan and make sure it’s specifically designed to respond to a vendor’s security incident, Holtzman explained.
No Evidence of Privacy Impact?
Often, as the case with NRC Health, healthcare organizations that face data breaches will stress that there is currently no evidence that patient privacy has been impacted by a security event. But given cybercriminals new efforts to publish data stolen during ransomware and other infections, can providers continue to rely on this claim?
To Holtzman, the answer is a clear, “No.”
"Make your business associates be a wise consumer and require your vendor to provide you with information about their risk assessment and risk management strategy.”
“The fact is the HIPAA breach notification rule and many state laws classify unauthorized access to health information or other sensitive, consumer personally identifiable information, as a breach,” he said.
“So, I question whether it’s accurate or appropriate to tell the public that on the one hand, we’ve had an incident in which our data is not available to us, or we know a third-party gained access to our information system,” Holtzman added. “It’s not quite accurate to say the privacy of the information is not at risk.”
In reality, the only way to clearly make the determination of whether data has been compromised is through a forensic analysis, he explained. And with the current threat landscape, organizations can no longer evaluate whether data was compromised “merely by the risk of harm or whether or not data has been exfiltrated.”
“The bottom line is, if an unauthorized third party has gained access to an information system that handles PII or patient health information, and has sent the files or encrypted the data, according to guidance issued by the Office for Civil Rights, there’s a reportable breach,” he added.
There are also a number of states that have adopted the same interpretation or similar state laws that require the same obligation, Holtzman concluded.
For now, healthcare organizations under HIPAA obligations should take this as an opportunity to identify and take an inventory of their vendors and assets. Holtzman also stressed they may also need to carefully review whether or not they are actually NRC customers.
If so, they’ll need to initiate their incident response plan, which will include an inventory of the patients whose PHI was maintained by the vendor on their behalf. Those steps should begin now, Holtzman said.
“It may not be readily apparent because many business units contract or maintain relationships with service providers that may not be entirely known throughout the organization,” Holtzman said. “The left hand not knowing what the right hand does.”
“And hold the vendor’s feet to the fire because it’s the healthcare organization who is ultimately responsible to fulfil breach notifications,” he concluded. “Because their patients, the people who’ve entrusted them with their healthcare information are going to be holding the healthcare organization ultimately responsible to provide them with some assurance as to how they could be impacted by this incident that could potentially impact a large number of people.”
