The SolarWinds cyberattack, revealed in December 2020 by multiple cybersecurity firms, was a major software supply chain breach. A Russian nation-state adversary infiltrated SolarWinds' systems and distributed compromised updates to its Orion software platform. These tainted updates facilitated the installation of stealthy malware on the networks of SolarWinds' clients, including entities within the healthcare sector.
The SolarWinds breach was so severe and far-reaching that Microsoft president Brad Smith described it as “the largest and most sophisticated attack the world has ever seen”. As of 2023, SolarWinds is still facing the repercussions of this record-breaking cyber attack.
The SolarWinds attack was a wake-up call for organizations across industries. It showed that security risks in the supply chain must be evaluated and addressed, and that concern is not limited to the private sector: it applies directly to healthcare. Healthcare providers, insurers, and related entities rely on various technology vendors, software providers, and third-party service providers to manage patient data.
Within the healthcare sector, these third-party relationships are subject to HIPAA's scrutiny, making it mandatory for covered entities to guard protected health information (PHI). This includes evaluating and mitigating security risks within their supply chains. Failing to do so could lead to security breaches, compromised patient data, and legal consequences.
HIPAA dictates that healthcare organizations and their business associates must implement safeguards to protect the confidentiality, integrity, and availability of patient information. The lessons of SolarWinds therefore underscore the need for transparency and cooperation between healthcare organizations and their technology vendors to ensure the security of patient data throughout the data lifecycle.
Just as SolarWinds demonstrated the necessity of third-party cybersecurity, the same principle applies to healthcare. Third-party vendors, including software providers, cloud services, and data storage facilities, are integral to the healthcare system. These vendors often have access to patient data, and their cybersecurity practices can directly impact the security of PHI.
HIPAA mandates that covered entities maintain strict oversight of their business associates, ensuring they adhere to the security standards laid out in the law. Healthcare organizations must prioritize cybersecurity in their vendor selection and management processes.
Access controls are a fundamental aspect of cybersecurity in the healthcare sector. HIPAA stipulates that covered entities must implement access controls that restrict employees' digital access to only the data necessary for their job responsibilities.
SolarWinds taught us that password management is a fundamental component of security. HIPAA aligns with this principle by stressing the need for strong and unique passwords, coupled with multifactor authentication, to protect patient data.
The concept of "least privilege" plays a central role in the healthcare context, where access to patient data should be granted based on the specific roles and responsibilities of individuals.
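The two preceding paragraphs describe the principle; the following is an added example (not code from the original article) of what a deny-by-default, role-based "minimum necessary" check on patient-record fields looks like in practice. The role names, field names and the sample record are constructed assumptions, and every refused field is recorded so that monitoring can pick it up.

```python
"""Deny-by-default, role-based "minimum necessary" filter for PHI fields.

Added example, not code from the original article. Each job role is granted
only the patient-record fields its duties require; anything else is refused
and logged. Role names, field names and the sample record are constructed.
"""
from dataclasses import dataclass, field

# Constructed policy: each role sees only the fields its duties require.
ROLE_FIELDS = {
    "billing": {"patient_id", "insurance_id", "billing_address"},
    "nurse": {"patient_id", "name", "allergies", "medications"},
    "physician": {"patient_id", "name", "allergies", "medications", "diagnosis", "notes"},
}

@dataclass
class PhiAccessPolicy:
    role_fields: dict
    denials: list = field(default_factory=list)  # audit trail of refused requests

    def allowed_fields(self, role: str) -> set:
        # Unknown roles get nothing: least privilege is the default, not the exception.
        return self.role_fields.get(role, set())

    def filter_record(self, role: str, user: str, record: dict, requested: set) -> dict:
        """Return only the requested fields this role may see; log the rest."""
        permitted = self.allowed_fields(role)
        refused = requested - permitted
        if refused:
            self.denials.append({"user": user, "role": role,
                                 "patient_id": record.get("patient_id"),
                                 "refused": sorted(refused)})
        return {k: v for k, v in record.items() if k in requested & permitted}

# Constructed sample record (not real PHI).
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Example Patient", "allergies": ["penicillin"],
    "medications": ["metformin"], "diagnosis": "type 2 diabetes",
    "notes": "follow-up in 3 months", "insurance_id": "INS-42", "billing_address": "1 Main St",
}

def demo() -> tuple:
    policy = PhiAccessPolicy(ROLE_FIELDS)
    nurse_view = policy.filter_record("nurse", "n.jones", SAMPLE_RECORD, {"name", "allergies", "diagnosis"})
    billing_view = policy.filter_record("billing", "b.lee", SAMPLE_RECORD, {"insurance_id", "name"})
    intern_view = policy.filter_record("intern", "i.kim", SAMPLE_RECORD, {"name"})  # role not in policy
    return nurse_view, billing_view, intern_view, policy.denials

if __name__ == "__main__":
    for item in demo():
        print(item)
```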
HIPAA stresses prompt detection and response to security incidents. Effective security and threat detection software is needed to achieve this goal. In the wake of SolarWinds, organizations realized the necessity of early detection of suspicious activities. Healthcare organizations must employ security and threat detection tools, such as network monitoring systems, antivirus programs, and intrusion detection systems, to meet their HIPAA obligations.
While HIPAA does not explicitly require cyber insurance, it underscores the need for healthcare organizations to secure proper coverage for the financial and legal risks associated with data breaches and HIPAA violations. SolarWinds demonstrated that no industry is immune to cyber-related exposures.
Cyber insurance can provide financial protection in the event of a security breach, covering costs associated with recovery, legal expenses, and potential fines. However, when seeking insurance coverage, it is necessary to maintain transparency and avoid concealing risks. Accurate risk disclosure allows insurers to provide appropriate coverage and pricing, aligning with ethical and legal principles.
The Securities and Exchange Commission (SEC) filed a lawsuit against SolarWinds, the information technology firm hit by a notorious Russian-backed hacking incident in 2019, alleging fraud and a lack of adequate internal controls preceding the breach. The suit also names SolarWinds’ chief information security officer, Tim Brown, accusing the company of overstating its cybersecurity measures and downplaying known vulnerabilities.
SolarWinds shares experienced a 1.5% drop following the lawsuit's filing. The SEC alleges that despite internal awareness of cybersecurity weaknesses, SolarWinds provided only "generic" disclosures about risks, misleading investors. The complaint reveals internal communications acknowledging security flaws and the severity of vulnerabilities, including those exploited in the Russian hack. This lawsuit marks a major regulatory response to cybersecurity mismanagement, raising questions about corporate transparency and accountability in the face of escalating cyber threats.
The SolarWinds attack had an impact on healthcare organizations, as many of them use the SolarWinds Orion platform for network and infrastructure management. The attack exposed sensitive patient data and posed a serious threat to the integrity and security of healthcare systems.
Healthcare organizations can learn several lessons from the SolarWinds attack, including the importance of cybersecurity measures, continuous monitoring of network activity, supply chain security, and the need for a rapid and coordinated incident response plan.
Healthcare organizations should prioritize implementing multi-layered security measures, such as network segmentation, strong access controls, regular security assessments, employee training, and staying updated with the latest threat intelligence and security best practices.
In the aftermath of the SolarWinds attack, healthcare organizations should strengthen their vendor management processes, conduct thorough security evaluations of third-party vendors, and establish clear security requirements in their contracts to ensure supply chain security.