In what W.S. Gilbert may have called a most unusual paradox, the Wall Street Journal (subsc. may be required) reported on April 20, 2017 that security services consultancy Tanium had been using live, sensitive data of one of its customers, El Camino Hospital, in sales demonstrations from 2012-2015, and had posted some of those demonstrations on YouTube. There is as yet no indication of regulatory action with regard the sufficiency of the hospital’s oversight of its information security vendor, but the disclosure of the incident is less than forty-eight hours old.
Tanium had been installed in 2010 at El Camino Hospital by Allscripts Healthcare Solutions, Inc., one of the nation’s largest providers of electronic medical records platforms. While the hospital has stated that no identifiable patient data was accessed and disclosed by Tanium when it logged into the hospital’s systems during sales demonstrations, the Wall Street Journal reported that “the Tanium demonstrations exposed El Camino Hospital’s private network information, including security vulnerabilities, server and computer names, versions of antivirus software that might be out of date and some personnel information.” One video, according the report, “identified users who were logged in to specific computers at El Camino Hospital.”
These details, according to a report in Ars Technica, were not anonymized and the Hospital did not detect how and when Tanium was accessing its systems. According to an article in Business Insider, videos of the sales demonstrations had been posted on YouTube.
Vendor management and oversight are core concepts of the privacy and security regulatory regime for hospitals, HIPAA, and also for the financial industry’s FINRA regulations, as we have reported previously. In the event of security breaches by a third-party service provider, the risk of substantial fines often falls upon the customer, whether a hospital, a broker-dealer, a bank or an investment advisor. These regulations should be analyzed and risk transfer provisions considered with regard to service level agreements with these service providers.
The Target and Home Depot breaches, among others, have focused the attention of regulatory agencies on vendors as potential attack vectors and security weak points. New York’s recently effective Department of Financial Services Cybersecurity Requirements for Financial Companies comprises several requirements for vendor due diligence and management. If you have questions with regard to agreements with vendors and the regulatory requirements for vendor management, please contact Kenneth N. Rashbaum.