Lax Healthcare Vendor Security Leads to Data Breaches & Tax Fraud
Vendor security is becoming a major concern in many different industries, and in the healthcare industry it is even regulated by HIPAA compliance standards that put healthcare vendors directly in scope of the rule. Given that medical-related identity theft accounted for 43 percent of all identity thefts reported in 2013 (according to an Identity Theft Resource Center survey), it’s no surprise that healthcare vendor security is gaining attention from the industry’s regulators.
While the HIPAA rule’s aim is to keep electronic protected health information (ePHI) secure, healthcare vendors often aren’t aware of information security best practices that they should be implementing within their own companies.
For example, posting the ePHI of 15k patients on your company’s website, with no password in place, might just be the most blatant disregard for even the most basic security standards. That’s what happened in the case of MDF Transcription, a medical transcription company that published the medical information of patients including their prescriptions publicly on their website used by physicians (a Google search of the company’s name turns up nothing, which is both somewhat understandable in this situation as well as a bit worrisome).
After learning of the breach, Boston Medical Center fired the transcription service that they’d contracted with for 10 years, as HealthcareITNews.com reported. But had they conducted a simple security audit of all of their subcontractors, they might have avoided a data breach.
Another recent healthcare vendor incident is the breach of a third-party payroll and HR management provider, Ultimate Software (UltiPro Services). According to KrebsonSecurity.com, attackers used stolen credentials to steal data from a string of health systems and other healthcare organizations in order to submit fraudulent tax refund requests. How did they do that? By stealing employee W-2s from the HR and payroll departments that used UltiPro.
Krebs links the ALC (Assisted Living Concepts) breach in March to the same attackers, as he discovered the organization also used UltiPro, and similarly, they reported the cause of their breach to be attributed to stolen payroll vendor credentials. Over 43k former and current employee records were stolen and used for tax fraud. Read more about the ALC breach and two other financial breaches in 3 Breaches, 1 Solution: 2 Factor Authentication.
With so many healthcare vendor breaches attributed to the theft of usernames and passwords, vendor security should be more of a priority for healthcare organizations as they seek third parties to fulfill jobs like HR, payroll and medical transcription services, not only for compliance reasons, but also to avoid losing patient trust and loyalty after personal health information is stolen.
Securing points of vendor access to healthcare organizations, as well as any accessible logins within their own organization is key to strengthening authentication security. In order to do so, following the HIPAA Security Rule’s recommendations for securing remote access is a good place to start.
These are just a few risk scenarios and suggested ways to mitigate them, from HHS.gov:

| Risk Scenario | Risk Management |
|---|---|
| Your password is stolen! And it may provide access to ePHI (electronic protected health information). | Implement two-factor authentication for any logins that allow remote access to ePHI. |
| Employees access ePHI remotely, when not authorized to do so. | Conduct security training and clearance procedures. Establish remote access roles. |
| Unattended PCs or laptops leave ePHI vulnerable to unauthorized access. | Establish policies for session time-outs for employee devices. |
This list is clearly not exhaustive; these are only a few blind spots that healthcare organizations may overlook, and they apply equally to healthcare vendor access.
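The kind of simple audit of subcontractor and remote-access accounts mentioned above can be expressed as a check against the three HHS mitigations in the table. This is an added example, not code from the original post or from HHS; the account records, the 30-minute idle limit and the role names are constructed assumptions.

```python
# Added example: audit remote-access accounts against the three HHS mitigations
# (2FA for remote ePHI logins, established remote-access roles, session
# time-outs). The policy values and sample accounts below are constructed
# assumptions, not values taken from the post or from HHS.
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_IDLE_MINUTES = 30  # assumed session time-out policy
REMOTE_ROLES = {"clinician", "transcription-vendor", "payroll-vendor"}  # assumed


@dataclass
class Account:
    user: str
    vendor: Optional[str]            # None for internal staff
    remote_access: bool
    ephi_access: bool
    mfa_enabled: bool
    role: Optional[str]
    idle_timeout_minutes: Optional[int]


def findings_for(acct: Account) -> List[str]:
    """Return the HHS mitigations from the table that this account fails."""
    problems = []
    if acct.remote_access and acct.ephi_access and not acct.mfa_enabled:
        problems.append("remote ePHI login without two-factor authentication")
    if acct.remote_access and acct.role not in REMOTE_ROLES:
        problems.append("remote access without an established remote-access role")
    if acct.idle_timeout_minutes is None or acct.idle_timeout_minutes > MAX_IDLE_MINUTES:
        problems.append("no session time-out within policy")
    return problems


def audit(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each non-compliant account to its list of findings."""
    return {a.user: p for a in accounts if (p := findings_for(a))}


# Constructed sample inventory: one compliant clinician, two vendor accounts.
SAMPLE = [
    Account("dr.lee", None, True, True, True, "clinician", 15),
    Account("vendor-a-svc", "vendor-a", True, True, False, "transcription-vendor", None),
    Account("vendor-b-admin", "vendor-b", True, False, False, None, 60),
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE).items():
        print(user, "->", "; ".join(problems))
```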
Find out more about healthcare security in:
Healthcare Data Breaches Increase in 2013; Errors Traced to Admin Passwords
Two-Factor Authentication for Electronic Health Record (EHR) Apps
Streamlining Two-Factor Authentication for Health IT