This week’s AMCA healthcare data breach has highlighted the importance of vendor selection and management for businesses of all sizes and across industries. In response to details that have emerged, the National Cyber Security Alliance has put together a statement with best practices for businesses.
National Cyber Security Alliance Responds to Quest Diagnostics and LabCorp Data Breaches
June 7, 2019 – This week, both Quest Diagnostics and Laboratory Corporation of America Holdings (LabCorp) announced related data breaches that may impact up to 20 million customers who used their services between August 1, 2018 and March 30, 2019.
While details are still being confirmed from third-party medical vendor American Medical Collections Agency (AMCA), the compromised customer data is thought to have included personal, financial and medical patient data such as first and last name, date of birth, address, phone and credit card or bank account information.
“Healthcare companies have increasingly become a target for hackers and other bad actors given the vast amounts of information that is collected and stored across the medical ecosystem,” said Kelvin Coleman, executive director of the National Cyber Security Alliance. “Businesses and organizations that accumulate data must operate with a deep understanding of the value of that data to cyber criminals and employ a comprehensive approach to cybersecurity, including robust vendor management strategies.”
eSentire recently commissioned a survey of IT and security decision-makers, which found that nearly half (44 percent) of firms had experienced a significant, business-altering data breach caused by a vendor.
The National Cyber Security Alliance (NCSA) recommends that employers and IT teams take the following steps to secure their business and work with third parties and vendors to secure their customers’ data:
- Identify your digital “crown jewels”: Crown jewels are the data without which your business would have difficulty operating and/or the information that could be a high-value target for cybercriminals. When assessing your vendor network, the IT team needs to map out not only who your vendors are, but who their vendors are who might have access to your data or systems. This includes working with your vendors to confirm the data they collect and whether or not they have formal and robust cybersecurity programs in place.
- Protect your assets: Ultimately, your goal is to build a culture of cybersecurity that includes employees knowing how to protect themselves and the business and understanding the cyber risks as your business grows or adds new technologies or functions. When creating third-party contracts, include non-negotiable, documented data ownership and management processes, including how company data is handled, who owns the data and has access to it, how long the data is retained and what happens to the data once a contract is terminated. Only people who need access to your data should have it. You should also have a lawyer look over any vendor agreements to ensure they take proper measures to protect data assets and grant appropriate access controls.
- Be able to detect incidents: We have fire alarms in our businesses and homes that alert us to problems. In cybersecurity, the quicker you know about an incident, the quicker you can mitigate the impact and get back to normal operations. For vendor contracts, establish processes within your agreements that enable you to verify compliance with the negotiated terms. Third-party intelligence providers can also offer independent, unbiased inputs on the status of vendors. If a vendor is hit by a cyberattack, these third-party intelligence services will report back to you in a time-critical way.
- Have a plan for responding: Having a recovery plan created before an attack occurs is critical. Develop and practice an incident response plan to contain an attack or incident and maintain business operations in the short term.
- Quickly recover normal operations: The goal of recovery is to move from the immediate aftermath of a cyber incident to full restoration of normal systems and operations. Like the response step, recovery requires planning. Recovery is not just about fixing the causes and preventing the recurrence of a single incident. It’s about building out your cybersecurity posture across the whole organization (not just the IT person or group), including increasing the focus on planning for future events.
- Attend a CyberSecure My Business™ Event: NCSA’s CyberSecure My Business holds events across the country and monthly webinars that shed light on how small and medium-sized businesses can protect themselves, their employees and their customers against the most prevalent threats. For more information on these events and locations, visit https://staysafeonline.org/cybersecure-business/
Major breaches like these remind Americans that it is critical for internet users to remain diligent about practicing good cybersecurity habits. NCSA recommends that consumers potentially impacted by the AMCA breach protect their accounts by following these steps to stay safer and more secure online, including:
- Monitor activity on your financial and credit card accounts. If appropriate, implement a fraud alert or credit freeze with one of the three credit bureaus (this is free and may be included if credit monitoring is provided post breach). For more information, visit the Federal Trade Commission website identitytheft.gov.
- When in doubt, throw it out. Scammers and others have been known to use data breaches and other incidents to send out emails and posts related to the incident to lure people into providing their information. Delete any suspicious emails or posts and get information only from legitimate sources.
For additional cybersecurity resources and tips, visit www.staysafeonline.org.
Learn more about best practices in vendor selection and management from this National Institute of Standards and Technology resource.