Supply chain security: Case studies and best practices

The healthcare industry is an ideal target for cyberattackers, even more so than most other industries. There are several reasons for this, but the top two are:

  1. the value of vulnerable, highly sensitive protected health information (PHI)
  2. the excessively vulnerable attack surfaces and infrastructure

Malicious intent is especially visible in the healthcare supply chain as cyberattackers see vendors as easy victims. Under HIPAA (the Health Insurance Portability and Accountability Act of 1996), healthcare vendors that store, transmit, or have access to PHI (or business associates) are obligated to establish reasonable security safeguards. Accordingly, healthcare organizations are obligated to understand supply chain attacks and supply chain security.

Supply chain attacks in healthcare

Healthcare vendors, such as email providers and telehealth platforms, perform services for healthcare organizations. A healthcare supply chain attack refers to the exploitation of a vendor that has access to a provider’s data and/or systems. The trust between the target company and its suppliers makes it easier for attackers to penetrate covered entities’ defenses.

Instead of directly targeting an organization, cyberattackers indirectly infiltrate it through a third party’s vulnerabilities. Moreover, a supply chain attacker can target a single vendor to gain access to several organizations at once. According to the Health 3rd Party Trust (Health3PT) Initiative, 55% of healthcare organizations experienced a third-party breach since 2022.

Once an attacker gains access to a vendor, they can easily penetrate a target organization’s infrastructure. Supply chain attacks can occur through every known breach method involving hardware or software. The main difference is in the larger impact of supply chain attacks. Here are some recent cases to demonstrate the impact and concern.

Case study 1: Concentra Health Services

In November 2023, Concentra Health Services, a Texas-based provider of occupational medicine, urgent care, physical therapy, and other services, was notified that it had suffered a supply chain breach. The attack was traced to its third-party vendor, Perry Johnson & Associates, Inc., which offers medical transcription services. The vendor detected suspicious activity within its network between March 27 and May 2, 2023.

According to Concentra in January 2024, the breach affected 3,998,162 patients and compromised PHI including full names, dates of birth, addresses, medical record numbers, hospital account numbers, admission diagnoses, and dates and times of service. Concentra’s figure brought the total number of individuals impacted by the vendor breach to around 14 million. Perry Johnson & Associates has not released a list of the covered entities involved, though some, like Concentra, have chosen to report on their own.

This appears to be the largest breach of 2023 and raises questions about business associate security and compliance measures. For example, given the amount of data involved, Perry Johnson & Associates should have been using network segmentation to limit access. The company and several hospitals, including Concentra, are being sued over the breach.

Case study 2: Geisinger Health System

Also in November 2023, Geisinger Health System discovered that a former employee of its IT service provider, Nuance Communications Inc., maliciously accessed patient data two days after he was terminated. Geisinger immediately informed Nuance, who revoked the employee's access and initiated an investigation.

The health system notified more than one million patients that their PHI was accessed. The breach involved names, demographic information, names of relatives, dates of service, medical facility information, practitioner’s names, health insurance numbers, medication information, diagnoses, and patient identifiers. The former employee has been arrested and faces federal charges.

If security protocols had been in place to revoke the former employee’s access, this breach and the circumstances that followed could have been avoided. Providers and vendors must withdraw employee access upon termination, ultimately preventing unauthorized access to PHI. A patient filed a lawsuit against Geisinger, with their attorney stating that the theft of PHI can have “grave and lasting consequences.”
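The failure mode in this case is an account that keeps working after the person has left. The following Python check is an added example, not code from the article or from Geisinger or Nuance: it reconciles a constructed HR termination feed against constructed application access-log lines and flags every access that occurred after the user's termination time, plus how long each stale account stayed active.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the article): vendor HR offboarding feed,
# user id -> termination timestamp (UTC).
TERMINATIONS = {
    "jdoe": datetime(2023, 11, 1, 17, 0),
    "asmith": datetime(2023, 11, 5, 9, 30),
}

# Constructed sample access-log lines from a PHI application, in the
# assumed format "<ISO timestamp> user=<id> action=<verb> resource=<record>".
ACCESS_LOG = """\
2023-11-01T16:45:00 user=jdoe action=view resource=patient/1001
2023-11-03T10:12:00 user=jdoe action=export resource=patient/1002
2023-11-04T08:00:00 user=bwong action=view resource=patient/1003
2023-11-05T09:29:00 user=asmith action=view resource=patient/1004
2023-11-06T11:00:00 user=jdoe action=view resource=patient/1005
"""

def parse_line(line):
    """Split one log line into (timestamp, {field: value})."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), fields

def post_termination_access(terminations, log_text):
    """Return (user, timestamp, resource) for every access made at or after
    the user's termination time; each hit is a missed revocation."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        ended = terminations.get(f["user"])
        if ended is not None and ts >= ended:
            hits.append((f["user"], ts, f["resource"]))
    return hits

def deprovisioning_lag(terminations, log_text):
    """For each terminated user still seen in the log, the time between
    termination and their last observed access (how long the gap lasted)."""
    lag = {}
    for user, ts, _ in post_termination_access(terminations, log_text):
        lag[user] = max(lag.get(user, timedelta(0)), ts - terminations[user])
    return lag

if __name__ == "__main__":
    for hit in post_termination_access(TERMINATIONS, ACCESS_LOG):
        print("post-termination access:", *hit)
    print("revocation lag:", deprovisioning_lag(TERMINATIONS, ACCESS_LOG))
```

In practice the HR feed and the log would come from the vendor's identity provider and application audit trail; the same comparison is what a provider can ask a business associate to evidence during a vendor audit.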

Case study 3: WebTPA

In May 2024, WebTPA Employer Services, LLC, a Texas-based provider of administration services to health insurance and benefit plans, disclosed a data breach in late 2023. Hackers accessed the vendor’s network for 6 days in April 2023. WebTPA did not state the nature of the hacking incident. The company informed affected benefit plans and insurance companies, such as The Hartford, Transamerica, and Gerber Life Insurance.

WebTPA listed 2.4 million individuals affected and stated that PHI compromised possibly included names, contact details, dates of birth, dates of death, insurance information, and Social Security numbers. According to the company, no financial information was breached.

As of now, no information appears to have been misused, though WebTPA states that it strengthened its security measures. Seven class-action lawsuits have been filed against WebTPA for negligence and for delaying the notification required under the HIPAA Breach Notification Rule.

Case study 4: Aptihealth

Aptihealth, a behavioral health engagement company in Saratoga Springs, New York, reported a data breach involving one of its vendors. The breach occurred between March 13 and April 10, 2024, at Sisense, a business associate that provides data analytics services. Aptihealth was notified of the breach on April 17, 2024.

In June 2024, Aptihealth listed 19,805 patients impacted. Breached PHI includes names, addresses, dates of birth, dates of service, doctor names, medical data, diagnosis data, and health insurance data. As of this time, it doesn’t appear as if any data was misused though not much is known about the breach.

Although it is unknown how the hacker gained access to Sisense’s systems, the breach indicates that its security measures may require assessment and updating. Like the organizations in the other three case studies, Aptihealth is the subject of a lawsuit.

What was missing: strong supply chain security?

What seems to be missing from the case studies above is strong supply chain security. Supply chain security includes the normal (necessary) security measures as well as other protocols that focus on the risk management of everyone involved in a process. In healthcare, that means from providers through to their vendors and their vendors’ vendors.

There is no established one-size-fits-all security program, as the end product depends on each company involved and what it needs to protect. For vendors, that means using HIPAA-compliant security controls within their own organizations and closing every attack surface to unauthorized access. For healthcare organizations, that means ensuring complete security from the top down.

Health3PT recently created and released a Recommended Practices & Implementation Guide to create standards for third-party risk management. The guide recommends using:

  1. Concise contract (i.e., business associate agreement (BAA)) language tying financial terms to security
  2. Risk-tier strategies that focus on reviews, due diligence, and quick remediation
  3. Appropriate, reliable, and consistent assurance of a vendor’s capabilities
  4. Follow-up to identify gaps
  5. Recurring updates of vendors’ security features
  6. Metrics and reporting on vendor risks

It could mean something as simple as regularly checking vendors’ paperwork and security programs.

Supply chain security best practices

An organization must partner with vendors that utilize comparable cybersecurity measures. Is it worth it to go into business with the company? And if yes, what type of information should you share? Here are some best practices for ensuring strong supply chain security.

  • Evaluate all vendors with a risk assessment before working with them
  • Procure a BAA and verify that it is being followed
  • Establish and maintain clear communication channels
  • Regularly monitor and audit what vendors are doing and how they are doing it
  • Continuously review vendor plans regarding security incidents and disaster recovery
  • Swiftly resolve security incidents
  • Detail a one-strike-and-you’re-out policy (or something similar)
  • Remain up to date on legislation and regulations

Preventing supply chain attacks means addressing vulnerabilities at all levels of a supply chain. By implementing best practices, companies can enhance their security posture and reduce the risk of a supply chain attack.

FAQs

Do business associates have the same responsibility as covered entities in protecting PHI?

Business associates have similar responsibilities as covered entities in protecting PHI under HIPAA. Both must ensure the confidentiality, integrity, and security of PHI. Business associates are required to implement appropriate safeguards, comply with the terms of business associate agreements, and report any breaches of PHI. While covered entities are directly responsible for PHI, business associates must also adhere to HIPAA regulations to protect patient information from unauthorized access or disclosure.

How must a business associate secure PHI?

Business associates must implement a multi-faceted approach with physical, administrative, and technical safeguards to secure PHI:

  • physical safeguards involve controlling physical access to data storage,
  • administrative safeguards include robust policies and procedures,
  • technical safeguards employ encryption, access controls, and secure technologies to prevent unauthorized access or disclosure.

What happens if there is a PHI breach involving a business associate?

Business associates must act swiftly in the event of a PHI breach. They must report the breach to the covered entity, and, depending on the severity and scale of the breach, notifications to affected individuals and the HHS Office for Civil Rights are required.