Kaiser Permanente Breach Shines Light on Role Vendors Play in Data Security

By: Steve Ryan

In today’s age, vendors are integral to the survival of many healthcare organizations to ensure they can continue providing the best care to their patients. But allowing third-party vendors access to sensitive data doesn’t come without risk.

The recent data breach impacting Kaiser Permanente’s systems shines a spotlight on vendor relationships and the risks they pose to organizations in the healthcare industry. In this case, Kaiser’s vendors were using pixel tracking—a tool for analytics and marketing—on software that Kaiser implemented on their systems. This inadvertently exposed sensitive patient information to unauthorized parties.

But vendors and their use of pixel tracking aren’t going anywhere, so how do we mitigate the risks associated with each?

1. Complete a thorough vendor risk assessment

First off, a proper vendor management process is imperative. All too often, vendor risk management becomes a check-the-box process for healthcare organizations. Simply asking if the vendor has a SOC report or ISO 27001 certification is not enough. Organizational leaders must spend time thoroughly vetting each vendor, including a thorough legal review of the contract to ensure any information gathered is not being transferred to third parties and a full risk assessment of the product and the exact controls the vendor has in place to protect sensitive data. 

2. Understand and document access management protocols

Following a thorough vendor risk assessment, organizational leaders should have an in-depth understanding—and be able to document—the exact information each vendor will have access to, how that information is being used, and where that information is going. This helps paint a picture of the impact of a breach so the organization can effectively respond. In the case of Kaiser Permanente, this breach seemed on the surface to be the result of a minor security flaw, but because of the positioning of the software, some 13.4 million current and former members were affected.

3. Take advantage of new technologies like automation

With the amount of data stored in organizations’ environments these days, it is imperative to implement robust cybersecurity technologies to detect, notify, and correct information security risks in the environment. This can no longer be done with a manual review of audit logs and admin activity, but instead must be done with automated technologies that can aggregate a vast amount of information, interpret that information, and alert on security issues in real-time.

In sum, while vendors are essential for healthcare organizations to thrive, they also serve as potential entry points for breaches. Mitigating these risks requires a strong vendor management process that includes legal reviews, risk assessments, and data flow inventories. Additionally, robust cybersecurity technologies are essential to detect and thwart security threats, such as pixel tracking attempts, in real-time. As healthcare continues to rely on vendors and digital technologies, proactive measures are crucial to effectively safeguard patient privacy.

Is your organization taking the right approach to vendor risk management? Contact us today to speak with a BARR expert.

About the Author

Steve Ryan
Attest Services Manager, Head of Healthcare Services

As a manager on BARR’s attest services team, Steve Ryan works closely with organizations in the healthcare industry to identify and mitigate cybersecurity threats by planning and executing risk assessments and audits against frameworks including HITRUST, HIPAA, SOC 1, and SOC 2. Steve is an ISO 27001 Lead Auditor, a Certified Information Systems Auditor (CISA), and a HITRUST Certified CSF Practitioner (CCSFP).