[BreachExchange] Ransomware Attack on EHR Vendor Impacts Home Health Chain

Destry Winant destry at riskbasedsecurity.com
Mon Feb 24 10:06:47 EST 2020


https://www.databreachtoday.com/ransomware-attack-on-ehr-vendor-impacts-home-health-chain-a-13751

A home healthcare company has filed 17 breach reports after a
ransomware attack on its cloud-based electronic health records vendor
last December, illustrating once again how a vendor breach can have a
wide impact.

Personal Touch Home Care, a Lake Success, New York-based provider that
has 17 offices in six states, recently submitted the breach reports on
behalf of its various locations to the U.S. Department of Health and
Human Services, according to the HHS Office for Civil Rights' HIPAA
Breach Reporting Tool website, which lists health data breaches
affecting 500 or more individuals.

Each of the Personal Touch reports filed to HHS describes the breach
in the same way: a hacking/IT incident involving a "network server and
other." In total, the breach reports indicate that nearly 157,000
individuals were affected.

The company filed 17 reports because each of its affected offices is a
"different legal entity," Laura Dechen, a vice president at Personal
Touch, tells Information Security Media Group.

The attack on Crossroads Technologies is one of many recent cyber
incidents involving vendors that provide crucial services to
healthcare organizations.

For instance, an apparent ransomware attack on Albany, N.Y.-based
accounting firm BST & Co. CPAs LLC recently exposed the patient data
of Community Care Physicians, a large upstate New York medical group,
as well as other clients of the firm (see Hacking of Accounting Firm
Affects Medical Group).

Breach Notification Details

A sample breach notification letter that Personal Touch Home Care
filed with the Vermont attorney general office says the incident
involved a ransomware attack on Wyomissing, Pa.-based Crossroads
Technologies, which hosts the home healthcare provider's cloud-based
electronic health records.

Crossroads notified Personal Touch on Dec. 1, 2019, about a breach
involving a ransomware attack on Crossroads' Pennsylvania data center
where the home health agency's records are hosted, the notification
states.

"If anything can be gleaned from this, it's to quadruple-check
everything .... and understand all the risks vendors pose."
—Laura Dechen, Personal Touch Home Care

Potentially compromised information includes names, addresses,
telephone numbers, dates of birth, Social Security numbers, medical
treatment information and insurance information.

Investigation Continues

Dechen of Personal Touch tells ISMG that the investigation into the
incident is ongoing and the company does not know the extent to which
personal information was compromised.

Information on patients as well as caregivers contained in records
were potentially exposed, she says. Affected individuals are being
offered free credit and ID monitoring.

As a result of the attack on its EMR vendor, Personal Touch was unable
to access electronic patient records for "only a few days." During
that time, Personal Touch used its emergency business continuity
protocols, including resorting to paper records, she notes. "We have
continuity plans in which we're not reliant on electronic records,"
she says.

Dechen says she's unaware of any data being exfiltrated from Crossroad
Technology's systems in the attack. Crossroads reported the incident
to the FBI and is working with a forensics firm to determine the
origins and scope of the attack, Personal Touch's notification
statement notes.

"If anything can be gleaned from this, it's to quadruple-check
everything .... and understand all the risks vendors pose," Dechen
says.

Crossroads Technologies did not immediately respond to an ISMG request
for additional details about the incident, including whether other
clients beside Personal Touch were affected and whether a ransom was
paid.

Managing Third-Party Risk

The rash of attacks on vendors should be a wake-up call for healthcare
organizations, some security experts say.

"The healthcare sector continues to be a target for cyberattacks and
must be more vigilant than ever," says Cathie Brown, vice president of
professional services at privacy and security consultancy Clearwater.
"Vendor risk management must be a priority for 2020 and beyond. Cloud
options offer great opportunities and efficiencies, but security must
be managed over the life of the contract."

Healthcare entities must include assessments of vendors in their risk
management programs, she says.

"Review of those vendors should be commensurate with risk: For
example, a cloud provider hosting an EMR would be considered high for
the level of review for those services. Healthcare entities should ask
for evidence the vendor has completed a risk analysis and vet the
thoroughness by asking what controls were included and what company
performed the analysis."

Healthcare organizations also should ask for the recovery time
objective and recovery point objective the vendor can meet after a
security incident, she says. "It's important to vet the vendor on an
ongoing or periodic basis and not just at contract initiation time, as
the threat environment and technology changes rapidly."

Get It in Writing

Another crucial vendor management step that entities need to take "is
having the right contract and contractual language in place," she
says.

"Many organizations use a standard business associate agreement with
third-party vendors, but that standard language may not include
specific controls that must be in place," she notes. Contracts can
specify, for example, the obligations the vendor must meet in the
event of a breach as well as requirements for having cyber insurance,
she says.

"Contracts frequently include service-level agreements for support of
problems, but lack specifics on capabilities for recovery times," she
adds.


More information about the BreachExchange mailing list