Do You Know What Your BAs Are Doing?
Vendor Risk Management Critical, But Often Overlooked
You might think you're taking all the critical steps needed to protect your patients' data. You've encrypted your mobile devices, limited access to the electronic health record system, deployed multifactor authentication for remote users, provided privacy training to your entire staff and even recently upgraded your firewall.
But oops! One of your vendor's employees just lost a personally owned laptop containing protected health information for your patients. Now you're stuck sending out breach notification letters and are bracing yourself for possible lawsuits.
Unfortunately, breaches involving business associates are far too common, some resulting in exposure of information about hundreds of thousands, or even millions of individuals.
That's why some privacy and security experts are advising healthcare entities to step up their oversight of business associates.
John Buyce, audit director in the New York state comptroller's office, which performs security reviews of state agencies, including state-owned hospitals, tells me the biggest issue covered entities need to address more diligently is how ePHI is safeguarded by business associates. "These parties present additional risks," he says. "They can be the weakest link in the chain."
Healthcare entities need to pay particular attention to how they are providing these vendors with access to PHI.
Arkansas Blue Cross and Blue Shield is dealing with a recent business associate breach right now. Two unencrypted computers potentially containing PHI for about 560 individuals were stolen in late June from the North Little Rock office of Treat Insurance Agency, an independent agent that sells insurance coverage for the Blues plan and others.
The Arkansas health insurer is offering a year of identity protection to individuals who applied for coverage through Treat Insurance from Oct. 1, 2012, to June 6, 2015.
"Arkansas Blue Cross and Blue Shield is asking independent agents like Treat Insurance Agency to protect computer records by using encryption technology on all computers storing any applications," a spokeswoman for the insurer tells me. But clearly, a covered entity asking its business associates to take steps to safeguard PHI - even spelling those terms out in business associate agreements - is one thing; verifying that vendors are actually adhering to those requirements is a much harder challenge.
In another recent breach, Hagerstown, Md.-based Meritus Medical Center reported that an employee at one of its business associates was found to be snooping in more than 1,000 patients' electronic health records (see Preventing Insider Breaches At BAs).
The Department of Health and Human Services' "wall of shame" tally of health data breaches affecting 500 or more individuals since 2009 now shows that business associates have been involved in about 22 percent of those incidents.
Rebecca Herold, partner and co-founder of consulting firm SIMBUS Security and Privacy, tells me that covered entities need to do a much better job of monitoring their business associates.
"Most CEs do not do enough to ensure their BAs are doing enough to secure their PHI, and most BAs do not have nearly enough safeguards in place," she says. "I've found very few BAs that monitor or log access to the PHI they are processing for CEs. I've done over 300 contractor security/privacy audits/reviews, with over 200 of them being BAs. An overwhelmingly large number of BAs do not actually know what their obligations are that they've committed to within the BA agreements, and their CEs never talked to them about it."
Meanwhile, a recent study of more than 450 executives conducted by consulting firms Protiviti and the Santa Fe Group's Shared Assessments Program found that healthcare is way behind other sectors, especially financial services, when it comes to third-party vendor risk management (see Vendor Risk Management Shortfalls).
Participants in our recent 2015 Healthcare Information Security Today survey said they believe business associates taking inadequate security precautions for PHI is the single biggest current security threat facing healthcare organizations. When asked what the biggest "emerging" threat is, business associates came in at second, just behind hackers.
So, what are you doing to help improve security oversight of your business associates? Share your comments in the space below.