2019-10-18 at 10:51 am #14926
Saranath
Keymaster
Please read your friend’s report and provide comments on “Are there any other preventive measures to avoid the attack?”.
Case study 6 (Supawat): Third-party vendor error exposes data of 19K patients for 2 months
(https://www.healthcareitnews.com/news/third-party-vendor-error-exposes-data-19k-patients-2-months).
1. Provide a brief description of the story.
Patient medical records were breached by a third-party vendor's software upgrade. This was one of the biggest healthcare data breaches of 2018.
2. What is/are the impact of this data breach? Consequences of the data breach.
This data includes identifiable health information, so the patients’ privacy will be jeopardized. Moreover, payment information data may be used for unauthorized banking activities.
3. How did the data breach occur?
The health information software was being upgraded by the vendor. Then the server was inattentively left open to the public.
4. What should be the main cause of the data breach? Provide a brief explanation of the cause of the data breach (such as phishing, ransomware, HIPAA violation, database misconfiguration, human error, third-party vendor error).
This data breach was caused by third-party vendor error. Therefore, the reputation of the third-party vendor is a very important factor, and emphasis on confidentiality is also our priority during development of the contract.
5. How could you prevent this data breach attack?
Selection of the third-party vendor is very important, and during development of the contract, patients’ confidentiality and privacy are also included.
-
2019-10-25 at 12:28 am #15102
Ameen
Participant
Apart from selecting a well-established vendor, an organization should do a regular compliance audit of the selected vendor. In the process of contract development, they should draw up a section about the penalty for data breaches in addition to HIPAA’s to make them more aware of data protection. Moreover, there should be a section about involvement from the organization’s side when the vendor makes changes to interfaces, hardware, software or practices that can possibly affect the data.
-
2019-10-30 at 9:57 pm #15331
tullaya.sita
Participant
Supervision by the hospital's IT team or other consultants during the upgrade program by third-party vendors should also be implemented and will help in reducing this error.
The third-party vendors need to understand the HIPAA data privacy rule.