Your Health Information At Risk–Weak Vendor Security

As the Target Christmas case unfolded, the initial breach was eventually traced back to a refrigeration and AC vendor for a few of Target’s Ohio and Pennsylvania stores.  A clever spearphishing email caused someone at the contractor to reveal user credentials that allowed the attackers into one part of the network, and from there they were able to traverse onto other, more important parts of the network.

Well, as bad as that was, the situation for your medical records is probably worse.  As reported by Cliff Baker on the GRC-Daily website, a new Vendor Intelligence Report on the medical industry reached this conclusion:

The results of the first Vendor Intelligence Report that rates the security level of vendors in the healthcare industry have just been released. The report reveals that the majority of healthcare vendors lack minimum security, which is illuminated by the fact that more than 58% scored in the “D” grade range for their culture of security. The report also highlights that healthcare organizations are failing to hold vendors accountable for meeting minimum acceptable standards or otherwise mitigate vendor-related security weaknesses.

Some of the main issues sound disturbingly familiar.

  • Over half of health care organizations lack established security practices to secure and protect medical records.
    • 58% of the health organizations scored a “D” and 8% an “F”; only 4% scored an “A”, 16% a “B”, and 14% a “C.”
    • Only 32% of medical vendors have a security certification.
  • Health care organizations are not keeping track of all the vendors who have access to their data.
  • Many of these vendors are small businesses with fewer than 1000 employees.  These kinds of companies have notoriously weak security standards, and are targets of spear-phishing exploits by attackers.
  • Existing security practices, where they exist, are inadequate to protect medical records and information.  Even though most of these organizations are HIPAA compliant, they have done little to improve security past the minimum standards of HIPAA.

What can you do about this?  Unfortunately, very little at this point.  Giving out your social security number should happen only when absolutely necessary.  Keeping track of insurance payments to providers to make sure the procedures billed were actually your own is one step.  Reporting any discrepancies to the provider, insurance company, and credit bureaus is important in these cases.  Again, awareness is the most important defense.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
