At the center of the lawsuit between Epic and Tata Consultancy Services is the unauthorized access to confidential information by Tata employees. Court documents indicate an employee of Mumbai, India-based Tata shared login credentials with others, who then accessed the web portal of the Verona, Wis.-based vendor. This sharing of credentials is a growing worry for CIOs and security professionals, and the ease with which it happened elevate that concern.
According to court documents, Tata employees working on an Epic project at a Portland, Ore.-based Kaiser Permanente facility allegedly inappropriately downloaded nearly 6,500 documents from Epic's UserWeb, a portal maintained by the EHR vendor containing product materials, updates and other related information regarding Epic's software and its data model. Epic grants customers access to UserWeb, as well as third parties, including consultants, who can use the information to assist in implementation, integration and testing.
Court documents indicate third-party consultants only can access a portion of UserWeb, and consultants typically have to sign a UserWeb Access Agreement that limits their use of information on the web portal.
Tata employee Rajesh Gajaram had access to Epic's UserWeb portal, according to court documents, and he testified that he shared his login credentials with three other Tata employees. At least one of the three employees testified he downloaded documents form UserWeb and made them available to other team members.
"This is basically every CIO and CISO's nightmare — unauthorized access to sensitive data and information by offshore contractors that are a direct or indirect part of their supply chain," Avivah Litan, vice president and distinguished analyst at Gartner, a technology research company, told Wall Street Journal.
The risk of sharing credentials or having weak login information is high in healthcare, as are the stakes. The Anthem breach reported February 2015 that compromised the personal records of 78.8 million customers is believed to have stemmed from weak login security where hackers accessed an administrator's login credentials and were able to enter the computer. That breach is the largest healthcare-related breach reported to the HHS Office for Civil Rights' breach database.
Human error is often deemed a main risk in cybersecurity, as a system is only as strong as its weakest link, be it an employee who clicks on a phishing link or someone who writes login credentials on a sticky note and puts it on a computer monitor, for example. In a previous interview with Becker's Hospital Review, Mac McMillan, co-founder and CEO of healthcare security and privacy consulting firm CynergisTek, said the majority of a hospital's defenses are in the hands of the hospital staff, and training and education are critically important to safeguard as best as possible against threats.
On Friday, a federal judge awarded Epic $940 million in damages, $240 million in compensatory damages and $700 million in punitive damages in the suit against Tata. Tata plans to appeal the decision.
More articles on cybersecurity:
US government at the bottom of the barrel when it comes to cybersecurity: 7 insights
AHA launches cybersecurity webpage resource for hospitals
Sen. Barbara Boxer urges medical devices companies to detail cybersecurity plans