Hackers Are Targeting You Through Your Vendors
A recent report found that cyberattacks against health plans “increased by 35 percent from 2020 to 2021, and attacks against third-party business associates increased by 18 percent.”

Sensitive patient information remains a valuable target in the world of cybercrime. Hackers are increasingly trying to get their hands on this protected data through the business associates that work with providers like you. This shift in ransomware targeting makes sense, as healthcare provider executives are beginning to focus more time and resources on cybersecurity and keeping the malicious actors out. 

What Does That Mean for Your Organization?

The good news is that the healthcare industry seems to be moving in the right direction as far as implementing appropriate cybersecurity measures and reducing the most common risks to patient information. The concern is that hackers are adopting more advanced ways of deploying ransomware, compromising valuable patient data more efficiently than they were able to in previous years. If this trend continues, we may see cybercriminals turn even more of their focus on these business associates as the new low-hanging fruit for data theft. In 2022, healthcare providers need to be “on guard not only of their own cybersecurity posture but also of third-party vendors that have access to data and networks.”

According to the HHS, a “business associate” is an entity that performs functions involving the use or disclosure of protected health information (PHI) from a healthcare provider. These business associates may include managed service providers, attorneys, or other third parties with access to PHI. To comply with HIPAA, each business associate that your organization works with must sign a Business Associate Agreement (BAA) with your organization, containing specific information laid out by the OCR.

An effective BAA spells out exactly how the vendor/third-party is allowed to use and disclose PHI. It must also include a detailed description of the required appropriate safeguards a business associate will put in place to protect patient information. The BAA can serve as a way to protect your organization in case your business associate is targeted by ransomware, decreasing your liability for a data breach.

If you do not have an updated BAA in place with every vendor that handles PHI for your organization, we recommend getting one signed as soon as possible. Getting your business associates to commit to protecting your patients' data is a crucial first step, and Medcurity provides BAA templates to our customers to make this process simple. If you are already meeting the BAA requirements, consider reaching out and having each business associate send you documentation of their current security program. This will give you a more in-depth view of how well they are actually protecting you and your patients.
If you have any questions about Business Associate Agreements or other HIPAA requirements, feel free to reach out to our team here at Medcurity.