Another top US healthcare service provider hacked

The healthcare sector's third-party security remains vulnerable, as evidenced by HealthEquity's recent disclosure of a supply chain cyberattack that exposed sensitive patient data via a compromised device belonging to one of its partners.

What happened

HealthEquity, a major US healthcare service, reported a cyberattack resulting in the theft of sensitive patient data. This was a supply chain attack where a compromised personal device of a business partner allowed threat actors to access HealthEquity's systems. The accessed data included personally identifiable information and protected health information about some members. The attackers extracted the data from their servers.

HealthEquity has not disclosed the number of affected individuals, the identity of the attackers, any ransom demands, or the specific types of information stolen. However, the company confirmed that some SharePoint data was taken and has notified partners, clients, and affected members. It is offering credit monitoring and identity theft protection services. HealthEquity does not expect the breach to significantly impact its business, as it was not a ransomware attack and did not occur on its infrastructure.

What was said

According to TechRadarPro, HealthEquity filled out an 8-K form with the US Securities and Exchange Commission (SEC) reporting that they were routinely monitoring its systems earlier in the year and discovered “anomalous behavior by a personal use device belonging to a business partner.” It was confirmed that a company partner's personal device was compromised, allowing threat actors to access HealthEquity systems and sensitive patient data. “The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members,” the form reads.

In the know 

A supply chain attack is a cyberattack that exploits the weaker links within an organization's supply network. Instead of directly assaulting a heavily secured target, hackers gain entry by attacking third-party service providers or suppliers with access to their desired system. This approach capitalizes on the trust relationships established between targets and their business partners or vendors.

Here are key points about supply chain attacks:

• Indirect targeting: Attackers breach a supplier or partner's systems to gain access to the primary target's systems.
• Trust exploitation: The attack leverages the trust and permissions given to the third party by the primary target.
• Complexity: These attacks are often sophisticated, involving multiple stages and careful planning.
• Impact: They can lead to widespread damage, affecting multiple organizations within the supply chain.

Go deeper: What is a supply chain attack and how can it be prevented?

Why it matters 

In recent news, the healthcare sector received a B+ score in the Cyber Risk Landscape of the U.S. Healthcare Industry, 2024 report by SecurityScorecard. The report identified a “significant vulnerability” in the form of a supply chain cyber risk. A B+ score implies that the healthcare industry has commendable security protocols, but there is room for improvement.

According to the report, as summarized by Businesswire, the “healthcare industry leads in third-party breaches: 35% of third-party breaches in 2023 affected healthcare organizations, outpacing every other sector. The supplier ecosystem is a highly desirable target for ransomware groups. Attackers can infiltrate hundreds of organizations through a single vulnerability without being detected.”

With yet another supply chain cyber incident having affected the industry, it is clear that the healthcare sector must prioritize strengthening its supply chain security measures. Enhanced scrutiny of supplier relationships, comprehensive risk assessments, and more stringent security standards for partners are essential steps to mitigate these vulnerabilities. 

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is the Cyber Risk Landscape of the U.S. Healthcare Industry report?

The Cyber Risk Landscape of the U.S. Healthcare Industry report is an annual analysis published by SecurityScorecard that evaluates the cybersecurity posture of the healthcare sector in the United States. The report provides a comprehensive overview of the current state of cybersecurity within the industry, highlighting key trends, vulnerabilities, and risks.

What steps can healthcare organizations take to mitigate supply chain cyber risks?

Healthcare organizations can strengthen their supply chain security by:

• Conducting thorough risk assessments of suppliers and partners
• Implementing stricter security standards for third parties
• Enhancing monitoring and detection capabilities for third-party activities
• Regularly reviewing and updating security protocols in collaboration with partners