The AMCA breach hammers home the need for supply chain security. Here’s how to vet your vendors so you can keep from becoming the next Quest or LabCorp.
The original version of this post was published in Forbes.
When you hear from a company that “the safety, security and privacy of our customers’ information is our highest priority,” you can be pretty sure that the safety, security and privacy of that data recently got compromised, even if the breach didn’t happen directly to that specific company.
As cybersecurity experts have been preaching to organizations for years now, even if your own security is rigorous, that’s not enough. If a third party that has access to your data has weak security, you are only as secure as it is. If it gets breached, so do you.
That lesson was on display yet again with the most recent mega-breach of the week.
Medical testing giants Quest Diagnostics and LabCorp announced, via filings with the Securities and Exchange Commission (SEC), that personal and medical information of about 19.4 million patients had been compromised due to a breach of American Medical Collection Agency (AMCA), their billing collections vendor. Quest said the breach affected an estimated 11.7 million people, and LabCorp set its estimate at 7.7 million.
A filing a few days later from Opko Health, that the data of 422,600 patients may have been exposed through the same breach, pushed the combined total to nearly 20 million.
All this even though, as a number of experts noted during the avalanche of stories about the first anniversary of the EU’s General Data Protection Regulation (GDPR), the U.S. has had a law similar to GDPR governing the security of medical data since 2003—the Health Insurance Portability and Accountability Act (HIPAA).
That suggests you can have data protection laws in place, but stuff still happens.
Security blogger Brian Krebs, in a blog post, said he thought it likely that other companies would be added to the list. As he put it, “AMCA is a New York company with a storied history of aggressively collecting debt for a broad range of businesses, including medical labs and hospitals, direct marketers, telecom companies, and state and local traffic/toll agencies.”
The attackers apparently had plenty of time to collect and peruse AMCA’s data (and thus that of its clients)—eight months.
In the SEC filings, the companies said AMCA had told them the breach lasted from Aug. 1, 2018, until March 30, 2019. AMCA said the information exposed could include first and last name, date of birth, address, phone, date of service, provider, and balance information. Reportedly, while it included medical information, it did not include lab results.
Quest, which issued a press release June 3, three days after it was notified by AMCA of the breach, said the connection to AMCA actually runs through another vendor, Optum360. “AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected. And Quest has not been able to verify the accuracy of the information received from AMCA,” the release said.
Krebs said while AMCA wouldn’t answer any of his questions, the company issued a statement via an outside PR firm that said in part that after being notified by a security compliance firm of a possible breach, “we conducted an internal review, and then took down our web payments page.
“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security. We have also advised law enforcement of this incident.”
Quest said it has stopped sending collection requests to AMCA—which conjures the image of closing a barn door after thieves made off with 11.7 million horses.
And the fallout, which is only beginning, is both ominous and familiar.
Could all this misery have been avoided? There is no way to tell for sure, since whatever vulnerability allowed attackers to exploit AMCA has not been disclosed—perhaps not yet discovered.
But any breach would have been less likely if the companies contracting with AMCA had been more aggressive about overseeing its security practices.
Ironically, supply chain leaders are aware of the risk. But that awareness apparently hasn’t led to the kinds of action that will move the security needle.
A report dated May 30 from research and advisory firm Gartner titled Get Ahead of the Expanding Risk Frontier: Supply Chain Security found that “supply chain leaders rank cyberattack risks at the top of their list of concerns. However, only 10% of them characterize the relationship between their function and IT as strategic.”
Another irony is that there is plenty of advice, along with services, available to help them manage that risk.
The BSIMM (Building Security In Maturity Model), which helps organizations improve their software security initiatives (SSI) by showing what other organizations are doing and what works, also provides the BSIMMsc, for software supplied by third parties.
Sammy Migues, principal scientist at Synopsys and a co-author of the BSIMM, noted in the white paper Applying the BSIMM to Managing Risk in the Software Supply Chain that the BSIMMsc “leverages attestation and automation to function as a foundational security control for software supply chain risk management.”
Put a bit more simply, it is designed to help organizations avoid software vendors that are “clueless.”
Nicholas Marinos, director of IT and cybersecurity at the U.S. Government Accountability Office (GAO), said the reality is that most entities, including those in healthcare, have to rely on third parties for “security services, IT, or to help them perform their missions.”
That means organizations that handle protected health information (PHI) “must have a way to assure that third parties are protecting that data according to best practices,” he said, which includes following up to see if promised security tests were actually conducted.
“It means having expertise on hand to make sure not only that tests were done, but that there was follow-up on the results,” he said.
The healthcare industry, he noted, is critical infrastructure. “Ultimately we’re talking about information,” he said. “Sometimes the focus on security ends up being on technology and systems, but any entity would benefit from knowing what data it has, how it’s used and where it’s going, as well as what kind of technology you have connected to your organization.”
And the Gartner report offers a playbook for organizations seeking to conduct effective oversight of the security of their third-party vendors.
Among the recommendations from analysts Katell Thielemann, Mark Atwood and Kamala Raman:
The report offers more detail on how to achieve those and other goals.
None of this will make you perfect. But it will get you a lot closer. Which is usually enough to get attackers to look for easier targets.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.