Some of the most infamous hacking incidents have arisen from third-party access to a corporate network that does not have secure remote access. Perhaps most infamously, the 2013 Target hack, which compromised 110 million credit/debit cards, used remote access granted to an HVAC vendor. That incident was likely a targeted attack (no pun intended) directed at Target.
Ransomware Through Remote Access
In late August of 2019, two Wisconsin companies that provide an online service to dental offices, Digital Dental Record and their business partner PerCSoft, told 400 dental office customers of a ransomware attack. PerCSoft had remote access to the dental office networks, and to all of their critical files, for the purposes of performing daily backups. An unknown criminal hacked PerCSoft, and orchestrated a twofold, devastating attack:
- The online backups were located and encrypted with ransomware.
- The remote monitoring and management system used by PerCSoft to access the dental offices was used to deliver ransomware to the dental office computer networks.
When the ransomware was detonated, the dental offices lost access not only to the files on their local networks, but the backup was also taken hostage.
Multiple sources have stated that Digital Dental Record’s subcontractor (who provided the DDS Safe online backup service) paid the ransom. As of September 3, in a letter to their customers, Digital Dental Record reports that their subcontractor PerCSoft was successful in decrypting (unscrambling) the files for 80% of the 400 dental offices.
Managed Services Providers Targeted
This is one of multiple cases this year of hackers using Managed Services Provider companies to deliver ransomware to those companies' trusting customers. ZDNet reported in February 2019 on two attacks through Managed Services companies, and reported in June 2019 that hackers breached 3 MSPs who used the Webroot RMM software. More recently, on August 16, 2019, 22 local governments in Texas were hit with ransomware. NPR reports, “They got into our software provider, the guys who run our IT systems,” according to Gary Heinrich, mayor of the town of Keene, TX. Heinrich said that the same MSP provided support to many of the affected municipalities. The state of Texas, which is coordinating the response effort, has not con
Organizations of all sizes can benefit greatly from capable MSPs. At the same time, those who use MSPs need to be aware of the risks of granting any third party remote access to their computer network. Organizations that operate on-premises systems, including EHR, revenue cycle, PACS, lab, pharmacy, software-enabled medical devices, and other on-premises software, are at greater risk than practices that rely on cloud applications.
Secure Your Remote Access, Protect Your Organization
These ransomware cases prove that even your most trusted computer vendors, including MSPs, must be scrutinized. Eagle Consulting Partners recommends these steps to protect your organization:
1. A thorough HIPAA Security Risk Assessment (also referred to as a Security Risk Analysis) should identify all third parties who have remote access. This typically includes multiple vendors supporting various software, consultants, and contractors.
2. The minimum protection required for HIPAA compliance is a valid Business Associate Agreement (BAA).
3. The third parties should be ranked based on risk. A medical coding expert granted access to only 50 patient accounts in the billing software, for coding audits, would be ranked a low risk. An MSP with administrative access to servers, databases, firewalls, routers, workstations, and/or a phone system would be high risk.
4. Higher-risk vendors should be subject to additional evaluation and contracting safeguards:
a. A vendor evaluation should be conducted. Can the vendor show you their HIPAA Policies? Can the vendor show evidence that they have conducted their own HIPAA Security Risk Assessment? If a Remote Monitoring and Management (RMM) system is used, have they enabled two-factor authentication? Has the vendor earned any third-party certifications, such as SOC 2 or HITRUST?
b. The HIPAA BAA should include additional protections, such as an indemnification clause and the requirement that the vendor carry liability insurance for errors and omissions, and for cyber-liability.
Eagle Consulting Partners offers HIPAA Security Risk Assessments and can assist with Third-Party Risk Management.
For additional details, see the following: