Last December, a ransomware infection at BST & Co. CPAs LLC, an accounting firm based in Albany, New York, exposed confidential customer data, resulting in a data breach for one of the firm's health care clients as well as for other clients of the firm.
Some of the data has shown up on the publicly accessible website of ransomware gang Maze, which “names and shames” victims into paying ransoms, says Brett Callow, a threat analyst with the security firm Emsisoft.
“In the past, it was often said that backups were the best protection against ransomware. However, the risk of data exfiltration means that is no longer the case,” Callow says. “While backups remain critically important, it is also critically important that organizations focus on detection and prevention in order to prevent data leaks.”
Third-party Vendor Risk
Healthcare organizations need to be aware of the security risks posed by their service providers, including accountants, Callow says.
“Healthcare organizations cannot simply assume that service providers’ security is as it should be; they need to ask questions and perhaps even require that providers have periodic security audits,” he adds.
Vendors providing professional services have been implicated in other large health data breaches – including the largest incident in 2019 – a hack on American Medical Collection Agency, which affected more than two dozen of the firm’s clients and 20 million individuals.
“The FBI and others have been alerting covered entities that hackers are shifting their attention to third-party vendors,” CynergisTek’s Hewitt notes. “This avenue allows hackers to leverage the one-to-many relationships and gather data, then extort many different companies.”