Healthcare Management Solutions (HMS), a subcontractor of The Centers for Medicare & Medicaid Services (CMS), was subject to a ransomware attack on October 8. On December 14, CMS released a response to the breach, which affects up to 254,000 Medicare beneficiaries. The federal agency sent a letter informing those beneficiaries, and it is issuing them new Medicare cards.
CMS systems were not breached in this incident, but Medicare beneficiaries’ personally identifiable information (PII) and protected health information (PHI) were still compromised. Organizations must think about more than their own systems when evaluating the potential attack surface.
“As medical providers such as CMS have grown, they have outsourced more and more functionality to subcontractors, often sharing this sensitive information with them. These companies will have smaller budgets and typically fewer security controls, making them much easier targets for attackers looking for sensitive information,” Fred Kneip, CEO, third-party cyber risk management company CyberGRX, tells InformationWeek.
HMS has access to CMS data related to processing Medicare eligibility, entitlement records and premium payments. The subcontractor informed CMS of the cybersecurity incident on October 9. On October 18, the agency determined the PII and PHI of Medicare beneficiaries was likely compromised.
While the breach investigation has been ongoing, CMS noted that “initial information indicates that HMS acted in violation of its obligations to CMS,” in its press release. It did not disclose the exact nature of this violation
“Third parties are often required to disclose breach information to their critical customers and given how the underlying severity of the breach appears to have increased, CMS may believe they were not given appropriate notifications in the beginning,” Kneip speculates. “Another possible reason is the controls HMS used to safeguard the CMS information. They may have represented they had certain controls in place when in fact they were not, leading to an easier attack path.”
This type of third-party breach is a growing concern. The 2022 Data Risk in the Third-Party Ecosystem Study conducted by research organization Ponemon Institute and sponsored by RiskRecon, a Mastercard Company, found that 59% of respondents have experienced a data breach caused by a third party.
How to Mitigate Third-Party Risk
How can organizations better mitigate third-party risk? First, it is important to understand risk exposure. How many third parties is an organization working with, and how much sensitive information do they have access to?
“Many enterprises have focused their efforts on their own security but have not kept pace evaluating their growing network of subcontractors and suppliers who access the same information they are trying to protect,” says Kneip.
Just 36% of organizations evaluate the security and privacy practices of all vendors prior to entering a relationship that involves sharing sensitive information, according to the 2022 Data Risk in the Third-Party Ecosystem Study.
Erfan Shadabi, cybersecurity expert with data security platform comforte AG, urges companies to actively involve third parties in cybersecurity strategy. “Enterprises should include third parties in the inner ring of their security strategy to facilitate cooperation and ensure adequate security for all parties,” he says.
Companies can also evaluate how sensitive information is accessed internally and by third parties. “The best way organizations can prevent these scenarios is by enforcing a cap on how much data can be consumed on a per-user or per-service basis. Often, the culprit is a lack of controls on the server where the data is kept, and authorized users and applications that should be reading say 10 records, can read 10,000 records without tripping over any wires,” Manav Mital, CEO of database security company Cyral, recommends. “Once an organization acknowledges these types of controls, they must not only put them in place for themselves but require all their subcontractors to implement them as well.”
Managing third-party risk involves a significant amount of collaboration. Shadabi recommends companies verify the type of cybersecurity controls in place at third-party vendors, ensuring vendors follow cybersecurity best practices and working together to prepare for incident response.
If a breach does happen, expectations for the third-party should be clearly outlined. “Define responsibilities and agree on a set of actions, compensations and recovery plans in case of a breach,” Shadabi explains.