Business Associates as Breach Sources
Do You Have Faith in Your Vendor Partners?
This week, we learned that healthcare organizations in New Jersey and Illinois reported more than 82,000 of their patients were affected in a breach incident triggered by a business associate. An external hard drive was stolen from the parked car of an employee of a business associate serving both the organizations. Unfortunately, the drive was not encrypted nor password protected (see: Stolen Hard Drive Affects 82,000).
In another recently reported breach, Stanford Hospital & Clinics noted that a business associate's subcontractor caused a health information breach when information about 20,000 patients treated in the hospital's emergency department was posted on a website.
Take a close look at the Department of Health and Human Services' Office for Civil Rights' "wall of shame," and you'll notice that more than 20 percent of the major breaches identified in the past two years have involved business associates, including the largest incident reported so far (see: 2 Years of Breaches: An Assessment). In the incident topping the tally, which affected 1.9 million individuals, insurer Health Net reported that hard drives were discovered missing from a data center managed by IBM.
Hospitals, clinics, insurers and other healthcare organizations that report breaches involving business associates carefully craft press releases stressing who was to blame. But patients look to their healthcare providers and payers to protect their data. And as security consultant Tom Walsh points out: "Unfortunately, when a business associate causes a breach, the name of the covered entity is listed first, even when it is not their fault."
Sizing up two years' worth of breach data, Adam Greene, a former OCR official, concludes: "One of your biggest vulnerabilities is your business associates." Greene, now a partner at the Washington law firm Davis Wright Tremaine LLP, notes: "Nine of the top 20 breaches, based on the number of individuals affected, have included business associates." As a result, healthcare organizations need to make sure that their vendor partners take adequate security precautions, he stresses.
Preliminary results of our inaugural Healthcare Information Security Today survey show that about a third of healthcare organizations say they have relatively low confidence in the security controls maintained by their business associates and their subcontractors, ranking their confidence level as 1 or 2 on a scale of 1 to 5.
So when's the last time you asked your business associates about how they train their staff members on privacy and security issues, such as how to protect patient data stored on mobile devices and media? Do your business associate agreements adequately spell out your expectations for securing protected health information? Have you asked for a copy of your business associates' risk assessments and corrective action plans? Do you know if your business partners conduct background checks on their employees?
It's important to get answers to all these questions, and many more.