Lessons From the AMCA Data Breach
By many estimates, nearly half of all data breaches in 2018 occurred not as a direct result of an attack on, or negligence by, the victim, but because of a breach at a third party vendor with which the firm had a data sharing relationship. Halfway through 2019, the results are shaping up to be similar. In early June of this year a breach was reported at the American Medical Collection Agency (AMCA). It is estimated that the health information and financial data of up to 20 million patients was compromised, making it the second largest healthcare data breach ever recorded. As AMCA collapses in the wake of the breach, what lessons can proactive enterprises learn?
The AMCA breach and its impact on clients and patients
Most likely you have not heard of AMCA. However, if you have had any form of medical test in the past few years, there is a very good chance you know some of its largest clients: LabCorp and Quest Diagnostics, two of the largest medical laboratories in the United States.
AMCA was a third party debt collector for LabCorp, Quest Diagnostics, and several other medical companies. As a result, AMCA had a deep data sharing relationship with these firms, which included the exchange of patient health and financial information. At the time of this posting, the initial cause of the breach at AMCA is unknown. Early indicators point to an intrusion on its payments website, but it is unclear how that intrusion actually took place. We’re sure the investigation will turn up more details on the nature of the attack, but it’s already too late for AMCA. The company has filed for Chapter 11 bankruptcy protection due to the astronomical cost of notifying its clients’ patients of the breach and the termination of client relationships with AMCA. That doesn’t even begin to cover the costs that LabCorp and Quest could incur due to possible HIPAA violations.
Understanding the risk posed by third party vendors
No matter what industry you work in, it is likely that your company uses a third party vendor, even in a limited capacity, for day to day operations. Are you sharing critical, sensitive or proprietary information with your vendor? If so, do you know the nature of the data sharing relationship between your company and theirs? If the answer is along the lines of ‘probably not’, then you have some work to do.
Though the rules of every industry are different, on the whole you are still responsible for your customer data no matter who you turn it over to. If there is a breach, it doesn’t matter whether it was caused by something outside your company’s control: your customers are going to come to you first for explanations and redress. As such, you need to mitigate as much outside risk as possible. Short of cutting off all third party vendor contact and taking all operations internal, the best way to do this is with a standardized and transparent Third Party Risk Management Program (TPRMP).
The fundamentals of an effective third party risk management program
TPRMPs are going to look different for every company across every industry, but on the whole they should include these three parts:
Introspective Review – Before signing on the dotted line with your potential vendor, you need to have discussions with your business owners and IT and cybersecurity experts to assess your company and determine what information and data needs protecting and why. It’s too easy to say ‘everything’, so your company really needs to dig down and understand which assets, intangible or otherwise, are most important.
Once you make that determination, you will be in a position to explain to your trusted vendors what is important and why when you share this data with them. It is incumbent on you to inform your vendor of the criticality of the data you are sharing and to ensure they have the proper level of protection in place. Once you complete the internal assessment and determine what information and data is critical to your company, you need to create and embrace a third party risk management program. One tool within this program is a questionnaire that you can share with your vendor so they can perform a self-assessment of their cyber and IT controls, giving you evidence that your data will remain secure.
Risk Assessment – With the questionnaire in hand, your company needs to explain to the vendor that the information you are sharing is critical, and why. You will ask them to complete the questionnaire so you can gain an understanding of their control environment. In some circumstances, you may go beyond the self-assessment questionnaire and perform an onsite assessment to validate that what they claim to have in place is accurate. Once you have gathered the information on the vendor, you will need a qualified professional, either internal to your company or a trusted partner, to review the responses and determine whether the control environment at the vendor is adequate to protect your data.
One major area to consider is how your own company will be exchanging information and resources with the vendor. Remember that not all data is shared via email or electronically; people sometimes forget that physical items such as prototypes are sensitive and critical. You must also remember that the kind of data you share may change over time, along with the mechanisms for sharing it. Your relationship with the vendor is ongoing, and the risk assessments you perform on your vendor should evolve and stay aligned with it over time. Once a qualified person has made a final determination of the risk of engaging with a vendor, you are able to make an informed business decision.
Continuous Updating – TPRMPs are not one and done once you sign on the dotted line. Threats evolve every day, and your TPRMP needs to evolve with them. Before you engage with your vendor, you should have asked them not only what their plans are to continuously improve their security, but also how they will inform you about those improvements. Beyond the initial questionnaire or assessment, a carefully written contract with your vendor regarding the responsibilities of each party in maintaining the confidentiality, integrity, and availability of the entrusted data is critical to a successful and secure relationship and partnership. Clear communication with the vendor and continuous attention to the control environment will help ensure that the data entrusted to them remains secure and private, and that the “B” word, bankrupt, does not happen to your company.
It is possible, and likely, that Quest and LabCorp had a TPRMP in place with AMCA when they engaged them as a vendor. However, something went wrong, and now a large corporation is going under and millions of people are exposed to fraud. The cause of this major security and data breach will come out over time, and the lessons learned will hopefully strengthen other TPRMPs so that similar breaches are not repeated. All good cybersecurity programs, including TPRMPs, must evolve and get stronger with time and with the lessons learned from each breach.