This week, the U.S. Department of Health and Human Services (HHS) announced it is opening a probe into the Feb. 21 cyberattack at UnitedHealth Group’s (NYSE: UNH) Change Healthcare.
The cyberattack was a cruel reminder to home health agencies, insurers and other stakeholders that they can never be too safe when it comes to protected patient information.
For home health agencies that are wary of a cyberattack of their own, it’s important to hold strong relationships with third-party vendors and to also be aware of a possible threat on the outskirts of those relationships, experts advise.
“It’s not just the vendors that you contract with or the vendors you have relationships with,” Bruce Radke, a member of the tech transactions and data privacy team at the health care law firm Polsinelli, said during a webinar Thursday. “It’s the vendor that you have to be concerned about. Even though you may not have a direct contractual relationship with those vendors, each time you add a new vendor into the mix, it creates a point of potential vulnerability.”
UnitedHealth Group, the largest U.S. health insurer, and its Change Healthcare unit were breached earlier this year by a hacking group called ALPHV. It’s already being described as one of the most disruptive hacks against America’s health care infrastructure – and home health providers have reason to be worried about future attacks.
Having a trusted security plan in place is an obvious first step to take, and it’s one that most agencies are aware of. However, being cognizant of who providers are giving their patient information to is another important aspect to keep in mind.
“If you provide information to a vendor or allow access to your systems that contain sensitive information — and a compromise of that information has occurred — you very well may be obligated to notify the affected individuals,” Radke said. “Even though the incident may have happened on your vendor’s systems.”
Beyond the mounting costs of potentially recovering compromised information, a provider also faces notification costs, costs associated with ongoing investigations and a “public relations hit,” Radke said.
How to reduce risk
There have been plenty of real-world examples of home-based care cyberattacks.
In 2018, as many as 80,000 patients potentially had personal records stolen by a hacker group after it infiltrated the computer systems of home care services provider CarePartners.
In 2020, Preferred Care Home Health Services reportedly found unusual activity within its email services, with some sensitive information possibly compromised.
Of the many steps providers should take to reduce the risk of a cyberattack, conducting thorough vendor due diligence is at the top of the list.
“This is not a one-size-fits-all proposition,” Radke said. “There are going to be certain vendors that have more access to your information. There will be ones that you rely more heavily on and for those vendors, the amount of due diligence should be commensurate in terms of the operational risks that you have with them.”
Providers should also be proactive and operate as though they expect a breach to happen. Statutory requirements oblige vendors to notify an agency if a breach has occurred.
However, during contract negotiations between a provider and a vendor, those statutory notification windows can be shortened by agreement.
“Statutory requirements … may range between 30 and 60 days for the vendor to notify you,” Radke said. “You also want to ensure that you’re being provided timely notification from those vendors in a shorter period of time other than those 30 or 60 days. In the absence of those contractual periods, it could take a significant amount of time before those vendors notify you.”
Asking about cybersecurity insurance, developing contingency plans, establishing alternative measures to ensure business continuity during an attack and having a clear incident response plan are all vital steps agencies should take in the wake of the most recent data breach.
“It’s amazing that whenever we deal with third-party incidents, a lot of our clients unfortunately don’t have a good understanding of how much data they’re providing to vendors or what data is being provided,” Radke said. “Having an understanding about that data flow is also very, very important.”