Data breaches recently reported by two major laboratory testing companies illustrate the vulnerability of protected health information provided to vendors.

Quest Diagnostics reported that 11.9 million customers’ medical and financial information may have been exposed due to a breach at one of its billing collections vendors, American Medical Collection Agency (AMCA). LabCorp reported the next day that 7.7 million of its patient accounts at AMCA also may have been compromised.

All sectors are seeing an increase in breaches due to third-party service providers, business associates/partners, and even commercial off-the-shelf products compromised during manufacture, says Jeff Roth, southeast regional director at NCC Group, a cybersecurity and risk mitigation company based in the United Kingdom. Some of the top reasons include the increased use of managed services without adequate qualification and validation of these third parties’ security posture, and not incorporating the organization’s cybersecurity requirements (along with referenced responsibility matrices) within the service provider, business partner, and subcontractor contracts, he says.

There also is a failure of organizations to fully integrate the supply chain (service providers, business partners, and subcontractors) within the organization’s continuous monitoring, vulnerability management, incident response programs, and processes, he says.

Roth says the following factors are critical to success in addressing these concerns:

• The board of directors’/trustees’ direction to senior management that supply chain security is a priority and a distinct part of the cybersecurity goals and objectives;

• Assurance that adequate resources are allocated as actual budget line items to develop, implement, and maintain an ongoing and relevant supply chain cybersecurity program;

• Integration of the supply chain cybersecurity processes through the acquisition life cycle across the organization;

• Regular, independent validation that the supply chain cybersecurity program and respective processes remain in place, operating effectively and adapting to changes in threat, geopolitical, and business environments.

“Without adequate contract requirements for supply chain cybersecurity, organizations will be primarily responsible for breach disclosure. There should be one entity in charge of disclosure to all stakeholders, customers, public, and regulatory agencies,” Roth says. “And service providers, subcontractors, and business partners need to be incorporated in the incident response processes so the organization maintains consistency in all disclosures. The primary reason for this is to prevent inaccurate or even misleading releases of information or release of information that could hamper criminal and civil investigations.”

The breaches are a further sign that supply-chain attacks are increasingly popular with criminals, says Stuart Reed, vice president at Nominet, a cybersecurity company based in the United Kingdom.

“This should be taken into account during contractual negotiations. Never assume a supplier is acting responsibly,” Reed says. “Seek proof and build key performance indicators, reinforced by regular audits and tests to ensure suppliers are upholding their obligations. Protection of data throughout the supply chain is a collective responsibility, and any weak point presents a target of opportunity for an attacker.”

“This is a collaborative process and one that relies on getting risk management and cybersecurity embedded into the partner relationship early on,” Reed adds. “As digital transformation grows and swells the attack surface ever wider, this should become something that is baked into all supplier contracts as matter of routine.”

Any organization that used AMCA’s website during the period when it was compromised also could become a victim of data leakage, notes Leigh-Anne Galloway, cybersecurity resilience lead at Positive Technologies, a cybersecurity company in Boston.

“There are several methods an attacker can use to steal data entered on websites, as was the case in these breaches. Recently, we’ve seen JS-sniffer attacks become popular among hackers. This malware infiltrates a website and intercepts information entered,” she explains. “Leaks also often occur as a result of attacks with SQL injection, which allow criminals to get all the information from the site’s databases. And there are frequent cases of leaks caused by administration errors, when access to a database is not at all limited and anyone who connects to them can access the data.”

In order to avoid such third-party breaches, organizations should clearly state their requirements on information security, she says. If the third-party company cannot guarantee the fulfillment of those requirements in relation to the transmitted data, it is worth contacting another, Galloways says.

“Organizations should also initiate an audit of third-party entities they plan to do business with in order to make sure data is processed and stored safely before signing agreements,” she says. “Based on the audit results, the company can decide whether to move forward with business.”


• Leigh-Anne Galloway, Cybersecurity Resilience Lead, Positive Technologies, Boston. Phone: (857) 208-7273.

• Stuart Reed, Vice President, Nominet, United Kingdom. Phone: (202) 821-4256.

• Jeff Roth, Southeast Regional Director, NCC Group, United Kingdom. Phone: (800) 813-3523.