The International Committee of the Red Cross (ICRC) recently sent out a notice about a data breach. Unfortunately, the breach impacted the protected health information (PHI) of vulnerable populations. Cyberattacks continue to cause problems for healthcare covered entities and their vendors. And four of the top 10 biggest incidents in 2021 occurred through business associates, like this breach.
More must be done within the healthcare industry to ensure organizations do their due diligence and comply with HIPAA. More must be done to ensure organizations protect PHI by employing robust cybersecurity features like HIPAA compliant email.
On January 18, ICRC determined that a third-party's servers compromised the data of over 500,000 people. The attack occurred at an external Switzerland-based company where ICRC stores data.
The stored information relates to ICRC’s Restoring Family Links (RFL) services, which aims to connect separated people around the world. The data comes from numerous Red Cross and Red Crescent National Societies worldwide.
SEE ALSO: ICRC security breach
Given the nature of RFL, some PHI is from vulnerable populations including those in detention, missing persons and their families, and those separated from their families due to conflict, migration, or disaster.
Accessed PHI includes names, locations, contact information, and staff/volunteer login. There is no released information on who attacked, how, or why. Nor is there an indication of the information leaked or shared beyond reports of the data possibly being available on the dark web. And there is no word of a ransom request yet.
RELATED: To pay or to not pay for stolen data
Nevertheless, the company is worried that nation-state groups may use the data to cause harm. ICRC took the compromised servers offline and hired an independent audit firm. At this time, notification is only through the Internet.
HIPAA Privacy Rule allows covered entities to share PHI with business associates.
RELATED: Understanding and implementing HIPAA rules
A HIPAA business associate is a person or entity that performs certain functions or activities involving PHI. Healthcare organizations must utilize vendors for a variety of functions necessary for proper patient care.
And just like covered entities, business associates must be HIPAA compliant. Business associates that store, transmit, or have access to PHI have an obligation under HIPAA to establish reasonable safeguards. Especially because breaching a small third-party vendor is sometimes easier than a large covered entity.
SEE ALSO: Why hackers target small and midsize businesses
Moreover, the blame for a business associate breach may fall onto a covered entity if certain provisions aren’t in place. And that blame not only means stolen PHI but also recovery costs, further investigations, and possible HIPAA violations and fines.
Before a covered entity works with a business associate, it must evaluate the vendor and its cybersecurity processes. For example, the healthcare provider should:
Furthermore, it is vital to get a business associate to sign a business associate agreement (BAA). A signed BAA provides assurance that shared data is protected. And apparently, ICRC felt its vendor was protected: “We chose [the business associate] and have [had] them as a longstanding supplier because they have the same rigor and standards as we would for any servers hosted in-house.”
ICRC further states that it hosted and monitored the servers rather than the hosting company. In fact, the breach appears targeted against ICRC.
Ultimately, cyberattacks like this clearly show that healthcare organizations (and business associates) must strengthen security measures. If threat actors attacked ICRC servers on purpose, knowing the vulnerability of the information, then they will go after anyone.
A robust cybersecurity system should never be an afterthought; it’s important to consistently stay proactive against potential threats. First, covered entities need to implement third-party security risk processes to ensure business associate risks are minimal.
SEE ALSO: Vetting your vendors: Certifications & HIPAA compliance
Such processes may include automated security questionnaires, external attack surface assessments, continuous monitoring, and remediating. Furthermore, covered entities and business associates should consider Paubox’s recent five healthcare cybersecurity tips:
RELATED: Your cybersecurity strategy is probably lacking
And finally, healthcare organizations must use strong encryption measures for data at rest and in transit as well as for email (i.e., email security).
This is why it's important to partner with responsible business associates, preferably with HITRUST CSF certification, like Paubox. Paubox also offers to sign a BAA to provide customers with compliance and peace of mind.
Paubox Email Suite seamlessly encrypts all emails so that staff can work without worry. In fact, our solution can send HIPAA compliant emails from standard email platforms (e.g., Google Workspace or Microsoft 365). No separate logins, passwords, or portals to navigate. And Paubox Email Suite’s Plus and Premium plans include advanced inbound security tools for further protection.
Our patent-pending Zero Trust Email feature uses email AI to confirm an email’s legitimacy while patented ExecProtect quickly intercepts display name spoofing attempts. People put their trust in ICRC and while a breach may be considered inevitable, accessed, encrypted, and leaked data is not.
This is why covered entities and business associates need to layer their cyber protections. And why it is important to always be HIPAA compliant.