Many companies are considering “moving to the cloud” and other forms of outsourcing because the costs are lower and they assume the outsourcing provider is going to properly handle all of the associated issues, including security. Some outsourcing providers take security seriously and for small and medium businesses who do not have the resources to handle security well themselves, outsourcing to those providers can help significantly reduce their overall risk.
But outsourcing also brings with it its own risks, and many small and medium businesses are rushing to adopt the cloud and other outsourcing without really understanding the risks. Just ask the 400 dental offices around the country who relied on The Digital Dental Record (TDDR), a provider of practice management and patient information storage solutions for dental offices. TDDR was the victim of a ransomware attack last week, and although there are reports that the company has access to a third-party decryption program, the restoration process has been very slow. In fact, only about 1/4 of the impacted dental practices have come back online over the course of the week. In the meantime, the impacted practices have had to cancel appointments and turn away patients because they do not have access to the patients’ records and other information. Some of the impacted practices may not survive if they are unable to treat patients soon.
According to TDDR’s public statements on the issue, it will likely take several more days, and possibly weeks, before their data recovery efforts will be complete. In some cases, the third-party decryption tools are not entirely successful, which means that some of the practices may permanently lose some or all of their patient data.
In addition, since some criminals masquerade their data exfiltration efforts as ransomware attacks, TDDR is not yet certain whether a HIPAA violation or other data breach has occurred. Many states have strict notification and response laws, especially when healthcare information is stolen or otherwise released without authorization. TDDR and its dental practice customers will need to carefully monitor the situation to ensure they meet both their state and federal obligations.
The data restoration and potential data breach response costs will be significant for TDDR. Depending on its contracts with its clients, TDDR may also be responsible for their lost revenue, any additional data breach response costs, potential penalties, and other costs. Many outsourcing contracts limit the contractor’s liability to a multiple of the fees paid, and it will be interesting to see if TDDR’s customers will come close to being made whole. Of course that also assumes that TDDR will continue to be in business long enough to pay any such claims, and that TDDR’s insurance will cover any shortfall given the number of customers and patients whose data is involved.
Outsourcing can be a lifesaver for small and medium businesses, giving them access to tools and resources that would otherwise be unreachable. However, it is important to carefully define and assess the risks that go along with outsourcing before an accurate cost/benefit analysis can be performed.
A proper risk analysis is a core part of a defensible IT and cybersecurity strategy because it allows the organization’s executives to agree how the risks should be addressed, i.e., through acceptance, avoidance, transfer/insurance, mitigation, or even enhancement. For those risks where risk transfer through insurance makes sense, a risk analysis allows the organization to ensure the insurance properly covers the risks. For those risks where mitigation is the chosen option, the risk analysis allows the organization to create well-structured mitigation policies and procedures, as well as corresponding incident response plans.
Organizations of all sizes benefit from a risk-based, defensible cybersecurity program. Unfortunately for TDDR’s customers, it may be too late. Has your organization conducted a thorough cybersecurity risk assessment and, if so, are you confident in the resulting policies, procedures, and plans? Are you confident that your insurance properly covers your risks? Have you tested your incident response plans?
At Fathom Cyber, our Defensible Cybersecurity Strategists know that cybersecurity and data privacy are more than just IT issues: they are vital to our customers’ survival. That is why we don’t offer cookie-cutter approaches to cybersecurity and data privacy. Instead, we help organizations analyze their risks so they can make business-intelligent cybersecurity and data privacy decisions.
Contact Fathom Cyber to learn more about how we can help your organization create a Defensible Cybersecurity Strategy.