Quest Diagnostics data breach – the industry sounds off
The fallout continues. Quest Diagnostics, the medical testing behemoth, confirmed in a filing with the SEC that a third-party billing company was hit by a data breach that affects 11.9 million Quest patients.
The breach was a result of “malicious activity” on the payment pages of the American Medical Collection Agency and the unauthorized user was able to siphon off PII including, but not limited to, credit card numbers, medical information and Social Security numbers.
The exposed data spans August 1, 2018, to May 31, 2019. This is the second breach affecting Quest in three years; in the earlier incident, hackers gained access to the company’s “MyQuest” patient portal and accessed 34,000 patients’ names, dates of birth, lab results and phone numbers.
Experts from throughout the industry sounded off on the breach, offering their perspectives on what went wrong, what might result from the attack, and what needs to be done to prevent another one.
Connections with third parties
David Finn, executive vice president of strategic innovation at CynergisTek, said that with breaches like this one, the cause is rarely one thing.
“We have recognized for over a year now, in fact, starting with the Target breach in 2013, that third parties are one of the biggest threats to any organization,” Finn said. “In healthcare, that includes business associates, contractors and subcontractors. Healthcare, due to many drivers, is more hyper-connected, frequently to smaller organizations – physician practices, labs, home care agencies – that can’t always provide the same level of connection.”
Combine that with an existing security staffing shortage, and with the fact that many providers are in remote locations, which makes them even more difficult to staff, he added.
So how was the Quest Diagnostics breach able to be pulled off? Rather easily, Finn contended.
“Once you connect to another organization, it is fairly simple to either intentionally or accidentally breach, attack or compromise each other,” he explained. “Your security can only be as good as who you share resources with. The problem is, we don’t think about how those connections can be used to do ‘bad’ things. We need to shift our focus on how we think about data, who has access to it, how they use it and why.”
The information exposed in the latest breach of Quest Diagnostics can lead to serious implications for the patients affected, said Ben Goodman, vice president of global strategy and innovation at ForgeRock, an identity management and digital security technology vendor.
“Malicious users can now open credit cards or take out loans, intercept tax refunds, cover medical treatment, open utility accounts and even take flights with victims’ airline miles,” Goodman said. “This is the second breach that Quest has suffered in three years, and as a publicly traded company, that can lead to serious repercussions with shareholder trust, stock price and brand reputation.”
The data exposed can also result in litigation, he added. In fact, it only took a few days for First American Financial Corporation to be hit with a class action lawsuit after its exposure of 885 million sensitive documents last week, he said.
“It is critical that healthcare providers understand the serious personal risk associated with a breach of patient information,” he said.
“They must leverage security strategies and tools that respect patient privacy and prescribe real-time, contextual and continuous security that detects unusual behavior and prompts further action, such as identity verification, to stop – or at least slow – malicious actors.”
Broaden one’s imagination
The Quest breach is yet another sign of complexity becoming the enemy of cybersecurity, said Josh Mayfield, director of security strategy at Absolute, an end-point security technology vendor.
“It’s not just that vendor risk needs to level-up, but we must also broaden our imaginations,” Mayfield said. “Most organizations have risk profiles and commitments with their vendors, especially those handling PHI as a third party. Yet when you multiply the number of connections, data flows, EDIs and other exchanges, there is bound to be something neglected in the Gordian knot.”
Add to that the convergence in healthcare where the lines of payer, provider, patient and plans become increasingly blurred, he said. Without knowing where to look, it’s impossible to identify the finer associations – data schemes – and as a result, relationships involving access control and authorization/authentication become anyone’s best guess, he stated.
“Visibility is the key,” Mayfield stated. “But then what? You’ll probably find – with your new unimpeded view – a graveyard of broken, disabled and failing agents and controls. How does one stay resilient when the technology cannot withstand the slightest perturbation on the device? By persisting the critical controls necessary to deliver a resilient environment.”
To edge toward resilience, healthcare organizations must ensure that someone is watching the watchers, Mayfield contended.
“We must elevate to an Olympian vantage point to survey each control’s effectiveness and its ability to stay alive,” he said. “Security is far from a snapshot of correct configurations, it is the maniacal pursuit of resilience, bouncing back from injury and being armed with controls and agents boasting of their immortality. That’s what persistence brings, an unmistakable path to resilience.”
Web application security
Hackers have, for years, used vulnerabilities in web sites and other connected applications as a point of breach.
“Once through, it’s only a hop, skip and jump into databases, web servers and other crucial infrastructure, where they can access information such as credit card numbers and medical information,” said Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a digital security technology vendor. “It looks like that’s what has happened in this case – and it’s the customers who pay.”
The sad truth is that healthcare organizations still do not take web application security seriously enough, she added.
“In a recent research report, Positive Technologies found that, on average, each web application contained 33 vulnerabilities, of which six were of high severity, and the number of critical vulnerabilities per web application grew by 3 times in 2018 compared to 2017,” she said. “Any company or organization holding valuable payment information is a target.”
Reliance upon third parties
There is perhaps no industry where trust is more important than in healthcare. Patients trust their healthcare providers with incredibly personal and sensitive data, and a breach of data is also a breach of that trust.
“This is why it’s imperative that healthcare providers, like Quest Diagnostics, understand that while their reliance upon third parties is critical, it also creates significant cyber risk that needs to be identified and monitored,” said Fred Kneip, CEO of CyberGRX, a third-party cyber risk management company.
“Therefore, it is the healthcare provider’s responsibility to protect patient data, a responsibility that extends beyond their own network perimeter to their third parties, which includes maintaining visibility into their third-party ecosystem and evaluating and monitoring the security posture of their third parties.”
Finn of CynergisTek said Quest Diagnostics has its work cut out for it. There is plenty to do to firm up security and regain trust.
“Without knowing all the details of the breach, it can be hard to predict; however, we know that most organizations are not doing a very good job of managing their vendors in terms of security,” he stated. “When they actually connect and are granted access, it becomes even more complicated.”
Quest should begin a comprehensive review of vendors and then implement a vendor security management program, Finn advised.
“That assumes that their own internal security programs are up and running,” he said. “The one thing everyone should do is a regular comprehensive security risk assessment at least annually.”
This is not the first time the healthcare industry has seen a breach in client information, said Teow-Hin Ngair, CEO of SecureAge, a government and enterprise data security and encryption vendor.
“One of the fundamental issues is that medical agencies, providers and hospitals aren’t making cybersecurity enough of a priority in general,” Ngair said.
“This could stem from the fact that lost patient records do not really impact their business directly – and they don’t lose any money directly resulting from patient record breaches. Unless more regulations are put in place, this will continue to be a recurring issue.”