PracticeMax Ransomware Attack: How Healthcare Organizations Can Secure Their Supply Chains

Use these 5 tips to gain much-needed visibility into business associate risks.
By:
Scott Lang
,
VP, Product Marketing
October 29, 2021
Share:
Blog practicemax ransomware 1021

Healthcare billing and IT solutions vendor PracticeMax announced that it was the victim of a ransomware attack that occurred between April 17 and May 5. PracticeMax is a business associate of healthcare organizations Humana and Anthem. During the breach, an unauthorized actor accessed and stole more than 4,000 Humana patient files containing protected health information (PHI).

This ransomware attack is far from the first to target the healthcare industry. In fact, just last year we witnessed Ryuk actively spreading through hospital systems. And cases of healthcare-related ransomware attacks continue to be on the rise. The PracticeMax breach is just the latest example of why healthcare organizations need better prevention to secure the weakest links in their supply chains: third-party vendors and business associates. In this post we’ll offer some tips on how.

5 Tips to Improve Business Associate Risk Management

To gain visibility into business associate risks at every stage of the vendor lifecycle and be better prepared for a supply chain attack, consider the following tips:

1. Know your business associates – and the risks they pose

As a first step toward shrinking your third-party attack surface, perform an inherent risk assessment on all business associates (BAs) before or during onboarding. A ransomware-specific inherent risk assessment will provide insights into factors such as:

  • Internal security controls and tools
  • Incident response procedures
  • Employee security awareness training programs

You can then use the results, in context of the type of data being handled, to tier your business associates and right-size subsequent due diligence activities.

Pro tip: To accelerate the onboarding and initial risk assessment process, consider leveraging a library of completed vendor risk assessments. Risk assessments in these repositories should be based on a healthcare industry standard, such as H-ISAC, and include dynamic updates with the latest insights into cyber, business, reputational, and financial risks.

2. Build comprehensive vendor profiles that include fourth-party technologies

Your current business associate profiles likely cover annual revenue, industry code, ownership, reputation, and other attributes. However, they likely don’t provide visibility into 4th party products and services used by your BAs. Understanding what products and tools they have in place will help you determine concentration risk when a 4th party technology has been a victim of a data breach (e.g., Kaseya). Look for third-party risk management solutions that automatically map relationships to 4th party technology providers to simplify the process.

The HIPAA Third-Party Compliance Checklist

Download this helpful checklist for prescriptive guidance on assessing business associate security controls per HIPAA requirements.

Read Now
Feature hipaa compliance checklist 1021

3. Conduct business associate risk assessments continuously – not just during contract renewal

Assessing your vendors during onboarding is a great start. However, if you limit subsequent reassessments to fixed periods, such as contract renewals, then you will miss any risks that arise in the interim. There are a couple approaches to addressing these gaps:

  1. A proactive approach, where full assessments are conducted more frequently
  2. A reactive approach, where risk assessments are conducted in response to specific events

Each approach offers benefits and provides more regular insights to help you stay on top of BA risks. Proactive approaches combine a vendor-completed, controls-based assessment with an external analysis of threats from the Internet and dark web, as well as public and private sources of reputational, sanctions and financial information. Key to this approach is normalizing and correlating the data from all sources into a single risk register for central context, quantification, management, and remediation.

A reactive approach automates the triggering, issuing, and analysis of event-specific assessments (e.g., in response to the SolarWinds attack) based on the fourth-party relationships covered in Tip 2 above. Either way, you walk away with more regular insights for more informed, risk-based decision making regarding your supply chain.

4. Don’t ignore offboarding – risks can persist when vendor relationships end

Although the PracticeMax attack involved a current vendor, it’s important to ensure that you apply the same amount of rigor to the offboarding process as you do to the onboarding process. As you wind down your BA relationships, you should assess whether BAs are taking steps such as disposing of your patients’ PHI and assets according to regulatory requirements and industry best practices. Otherwise, you could end up with hefty fines to deal with (just ask Morgan Stanley). We’ve found that few companies address risk during the offboarding stage of their BA relationships. Look for solutions that enable you to schedule tasks to review contracts to ensure all obligations have been met, and issue customizable contract assessments to evaluate offboarding status.

5. Automate reporting for efficient mapping to HIPAA and other requirements

The HIPAA Security Rule requires covered entities to enter into a business associate agreement (BAA) with any third-party vendor that performs services on the entity’s behalf. The agreement holds BAs to the same HIPAA standards as the covered entity, ensuring that patient PHI is safe. If you’re dealing with dozens, hundreds, or even thousands of third parties, then the task to manually collect and analyze this information in a spreadsheet can quickly become overwhelming. Look for solutions that not only automate the collection and analysis of BA risk data, but also produce HIPAA-specific reporting showing compliance status and any weaknesses prior to engaging with your external auditors. It will greatly accelerate the risk mitigation process.

Next Steps for Healthcare Third-Party Risk Management

Taking a holistic approach to business associate security and protecting data at every step of the third-party lifecycle can help you mitigate risks and avoid becoming the next ransomware data breach victim. For more specific guidance on how Prevalent can help you meet HIPAA Security Rule business associate risk requirements, download The HIPAA Third-Party Compliance Checklist or contact us today for a strategy session.

Bonus: If you think a business associate has been the victim of a ransomware attack, use this free questionnaire to determine your exposure.

Tags:
Share:
Leadership scott lang
Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo