The massive data breaches of blood-testing giants LabCorp and Quest Diagnostics were still fresh in the headlines when lawyers filed lawsuits on behalf of patients and at least two states launched investigations. By the time the dust settles, financial implications for the two medical testing companies could be huge.
What should make these data breaches an eye-opener for all organizations, however, is not the financial impact. It’s the fact that the breach originated from a third party’s online payment system.
Damage Stems from Contractor’s Weak Security
As the total number of victimized consumers has continued to climb past the 20 million mark, the vendor, American Medical Collection Agency (AMCA) has filed for bankruptcy. However, it is not the sole party held responsible for its security incident. LabCorp and Quest—whom patients had entrusted with their sensitive and personal health data—will see a ripple effect for years. Besides consumer and state lawsuits, they could face steep HIPAA fines if the compromised data falls into the category of protected health information (PHI).
And Quest Diagnostics (with 11.9 million patients affected) and LabCorp (7.7 million) were just the first two to make the news. AMCA doesn’t only serve healthcare organizations, we may see businesses from other industries affected as well.
How Third-Party Risk Impacts Your Business
In today’s interconnected world, any business can find itself in this type of situation. Third-party risk is a growing concern that is rarely addressed.
A 2018 survey showed that 61 percent of businesses in the US had experienced a data breach caused by a vendor, a 12 percent increase since 2016. Very few respondents said they effectively mitigated third-party risk.
To adequately address this concern, you need to include vendor risk management in your cybersecurity strategy. As the vendor landscape grows in complexity, this becomes even more critical.
Takeaways from the AMCA Breach
Contractors and business associates have access to your sensitive information whether they work on your premises or handle your data off-premises on your behalf. Even if you have a strong cybersecurity posture, you need to make sure your data is secure outside of your own walls.
According to Quest Diagnostics’ recent Securities and Exchange Commission filing, the breach of AMCA’s system spanned the eight months between August 2018 and March 2019. This large window of opportunity gave attackers ample time to carry out their objectives. The incident underscores how critical it is to vet your contractors and assess their cybersecurity practices.
Steps You Can Take to Mitigate Vendor Risk
- Service agreements: Include cybersecurity requirements in your business associate and contractor agreements, requiring contractors to maintain the same standards as your organization.
- Proof of best practices: Implement a process to verify and validate vendors’ cybersecurity postures. To accomplish this, use vendor-supplied validation, audits and metrics available from independent tools.
- Vendor policies: Establish IT policies that mandate the scanning and monitoring of contractors’ devices while on your premises to make sure they don’t introduce malware into your environment.
- Network segmentation: Limit vendors’ access privileges. Segmenting your network ensures your contractors can only access those systems that are integral to their role.
- Threat detection and response: Adopt a threat detection and response solution to help you monitor anomalies on your network and quickly identify threats. A security operations center (SOC) combines the technology, people, and processes that can help you stay ahead of threats.
A security operations center (SOC)-as-a-service is a cost-effective and scalable solution for organizations that don’t have the in-house resources and expertise to staff a 24/7 SOC. It can help you identify gaps in your cybersecurity practices and mitigate third-party risk.
Learn more about Arctic Wolf’s SOC-as-a-service and how it can help your IT team monitor and respond to threats around the clock.