Third party web analytics software providers are causing a widespread trend in healthcare breaches, according to a bulletin from The Centers for Medicare & Medicaid Services (CMS) Cybersecurity Integration Center (CCIC) Cyber Threat Intelligence (CTI) team.
Many healthcare websites, including health-related mobile applications, use web analytics software from third party providers in order to monitor user website interaction, CTI stated. “Website owners use the data gathered by web analytics providers to learn how to best engage with their customers.” Common web analytics software includes Adobe Analytics, Clicky, Google Analytics, Hotjar, Kissmetrics, and Mixpanel.
“When website data is analyzed by a third party web analytics software provider, it can expose Personally Identifiable Information (PII) and Protected Health Information (PHI) without user knowledge or consent,” CTI stated. “This bulletin notification is the result of a trend in which multiple healthcare entities, through the use of third party web analytics software providers, have improperly disclosed millions of records containing PII/PHI.”
Using web analytics software responsibly and preventing protected data from improper disclosure “requires additional safeguarding measures to be taken by website administrators,” CTI stated. Recommended mitigating actions include, but are not limited to, the following:
- Each healthcare “Covered Entity” should have a “Business Associate Agreement” with their website metric provider(s) such that each website metric provider agrees to follow HIPAA protection standards.
- Tracking software should be configured to limit access only to data within the scope of agreement.
- All data used by third party web metrics providers should be anonymized and encrypted prior to analysis.
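The second and third recommendations come down to what the site hands to the analytics tag in the first place. As an added example (not code from the CMS/CCIC bulletin or from any of the analytics products named above), the JavaScript below scrubs the page URL and title before they are passed to a pageview call: query parameters are reduced to an allowlist, record-specific paths are collapsed, and identifier-looking path segments are masked. The path prefixes, parameter names and sample URLs are constructed for illustration.

```javascript
// Added example, not from the bulletin: reduce a pageview to the minimum a
// third-party analytics provider needs, so PII/PHI in URLs and titles never
// leaves the site. Patterns and paths below are constructed assumptions.

// Only marketing and locale parameters may be reported; everything else is dropped.
const ALLOWED_QUERY_PARAMS = new Set(["utm_source", "utm_medium", "utm_campaign", "lang"]);

// Path segments that look like record identifiers: long numbers, UUIDs, MRN-style tokens.
const ID_SEGMENT = /^(\d{4,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|mrn[-_]?\w+)$/i;

// Sections whose paths are inherently about one patient: only the prefix is ever reported.
const SENSITIVE_PREFIXES = ["/patient", "/results", "/appointments", "/messages"];

function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  // 1. Drop the fragment; it can carry tokens or in-page state.
  url.hash = "";
  // 2. Keep only allowlisted query parameters (snapshot keys before deleting).
  for (const key of [...url.searchParams.keys()]) {
    if (!ALLOWED_QUERY_PARAMS.has(key)) url.searchParams.delete(key);
  }
  // 3. Collapse sensitive sections to their prefix so record-specific paths never leave.
  const prefix = SENSITIVE_PREFIXES.find(
    (p) => url.pathname === p || url.pathname.startsWith(p + "/")
  );
  if (prefix) {
    url.pathname = prefix + "/redacted";
  } else {
    // 4. Elsewhere, mask any path segment that looks like an identifier.
    url.pathname = url.pathname
      .split("/")
      .map((seg) => (ID_SEGMENT.test(seg) ? "id" : seg))
      .join("/");
  }
  return url.toString();
}

function scrubTitle(title) {
  // Titles often embed a patient or provider name after a separator; keep only the
  // section name before " - " (constructed convention for this example).
  const idx = title.indexOf(" - ");
  return idx === -1 ? title : title.slice(0, idx);
}

// The record that would be handed to a (hypothetical) analytics pageview call.
function buildPageviewEvent(rawUrl, title) {
  return { url: scrubUrl(rawUrl), title: scrubTitle(title) };
}
```

Call `buildPageviewEvent(location.href, document.title)` in place of passing the raw values to the tag; anything the allowlist does not name is simply absent from the beacon.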