Security breaches caused by healthcare providers’ business associates (BAs) are surging. Several major incidents in 2018, some of which have just been reported in the last month, have compromised over 20 million patients’ privacy. So it’s not coincidental that a group of major hospitals and hospital systems have come together in a formal concerted effort to provide better vendor risk management standards to the industry. The crucial task of individually vetting and contracting with hundreds, even thousands of business associates (per institution), which is the norm — and then managing their service levels for security has become a near-impossibility for many hospital security staffs.

Maybe this challenge seemed logical to OCR’s Department of Health and Human Services in 2013 when it expanded HIPAA regulations to include greater business associate liability for breaches. But with the explosion of outsourcing to digitally-founded BAs since then, Chief Information Security Officers have found their jobs unmanageable — to the detriment of patients’ privacy and hospitals’ systems security. The Provider Third-Party Risk Management Initiative aims to change that.

Today, most hospitals count on external outsourcing services for a myriad of essential functions like revenue cycle management, health information management, IT support, data storage and security, housekeeping, and many other clinical and non-clinical functions. Many of these partners are business associates under HIPAA — and therein lies major potential security risks for hospitals.

Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But compare the positives of outsourcing to third parties to the risks demonstrated in these recent reports of patient data breaches:

• Quest, a nationwide healthcare laboratory chain suffered a huge breach when American Medical Collection Agency, a billing and collections business associate reported that an unauthorized user had gained access to AMCA’s system containing personal information from various providers, including Quest, Optum360, Opko Health and Labcorp. The system hack affected over 20 million patients and went undetected from August 2018 until March 2019.
• Two other billing vendors that serve numerous practices and hospitals have reported breaches of patient data in the last two months — Doctors Management Services and OS. Both have been notifying affected patients of several provider clients.
• A business associate of Missouri-based Burrell Behavioral Health misconfigured a server containing ePHI, exposing the records of 67,000 patients.
• In March, about 120,000 patients were notified by Health Alliance Plan that their personal and medical data was potentially breached after a ransomware attack on its third-party vendor Wolverine Solutions Group in September.
• Also in March, Rush University Medical Center patients announced that the personal information of about 45,000 patients was recently compromised after an employee of a claims processing vendor improperly disclosed a patient file to an unauthorized individual.

According to the Protenus 2019 Breach Barometer, third-party vendors/business associates accounted for at least 151 breaches or 30 percent of total incidents in 2018. We have to state “at least,” since reports of 2018 breaches are still flowing in from BAs and providers that have remained unaware of 2018 breaches that flowed over into this year.

Every provider should recognize that its data security is only as effective as its weakest business associate. 

Perhaps the must dangerous scenario from any provider’s security perspective is the complexity of managing the huge supply chain of PHI-touching vendors that many, if not most, providers contract with today. This is the challenge that propelled six major healthcare systems to found the Provider Third-Party Risk Management Initiative (TPRM Council) in August 2018.  Original Council members include Cleveland Clinic, Allegheny Health Network, University of Rochester Medical Center, Tufts Medical Center, University of Pennsylvania Medical Center, and Vanderbilt University Medical Center. Since last year participating providers have grown to 60, including Mayo Clinic, Indiana University Health, Multicare, Phoenix Childrens and Banner Health.

As one participating CISO has noted, his organization has contracts with over 1,000 business associates. The core of TPRM is the founders’ frustrated recognition that the hurdles that healthcare providers face in managing their business associate management processes “go well beyond their resources and capabilities, posing a huge challenge for organizations and third parties to create, administer, respond to and manage assessments. In addition, ineffective security, compliance and assurance methods drive cost and confusion within organizations and across third parties.”

The TPRM Council is offering a lifeboat to hospitals that contract with third party vendors that access and/or transmit protected health information (PHI), by developing and offering high, centrally developed standards including the Council’s stringent certification requirement as the defining resource for vetting potential vendor partners. The Council is also providing access to standardized, enforceable and specific service level agreements (SLAs) to assist providers in managing quality partner relationships over the duration of contracts.

One of the Council’s objectives is to address the inefficiencies found in the third party supply chain ecosystem. Today, suppliers are typically required by their provider customers to complete unique questionnaires with as many as 300 questions or other assessment requests relating to their risk management posture. These individual audits, multiplied by hospitals’ hundreds of new contractor candidates every year, are unnecessarily time-consuming and expensive — both to the provider and the contractors. Often these efforts are check-the-box or fill-in-the-blank exercises that do not generate the vendor transparency needed by providers to feel confident of vendors from a risk management standpoint. Worse, it is difficult for providers to confirm vendors’ reported policies, procedures, and vulnerabilities.

“By reducing wasted effort and duplication, suppliers will find their products and services will be acquired more quickly by healthcare providers,” says founding participant and governing member, Omar Khawaja, VP and CISO of Allegheny Health Network and Highmark Health. “This will also reduce the complexity of contracts and provide third parties with better visibility regarding the requirements to do business with providers.”

“We’re creating a lot of waste; we’re taking time away from our organizations and we’re taking time away from suppliers,” said Taylor Lehmann said, CISO at Wellforce and a TPRM Council spokesman. “The current way we’re doing supply chain risk management, it doesn’t work, and it doesn’t scale. We are still seeing breaches, and the breaches are still coming after we do all this screening.” The scaling factor is a major concern; large hospital systems may be able to afford lengthy and expensive vendor vetting procedures, but small hospitals cannot.

By reducing the multiple audits and questionnaires, the financial savings will allow business partners to invest in substantive risk reduction efforts and not redundant assessments, the Council leaders say.

Continuity of vendor quality over time and across the industry is key to the Council. As part of this initiative, provider organizations that join in will have to require third-party vendors to become HITRUST CSF Certified within the next two years, by September 2020. HITRUST CSF is an industry privacy and security framework that is continuously evolving with the changing cyber landscape. HITRUST, a data protection standards development and certification organization, has developed its Risk Triage Methodology in consultation and coordination with the TPRM Council over the last year.  The purpose of the methodology is to assess the risks posed by third-party vendors and to prescribe the assurance necessary to protect patient privacy and hospitals’ sensitive information and support regulatory compliance. The HITRUST methodology differentiates inherent risks by identifying common factors that categorize risk in three areas: organizational, compliance, and technical.

“The TPRM Council has been actively engaging with industry to reduce risks and increase efficiencies around third-party risk management through promoting a standardized set of policies, practices and approach,” says John Houston, Vice President, Information Security and Privacy; Associate Counsel, UPMC and co-chair of the TPRM Council. “This risk triage methodology [announced by HITRUST in January, 2019] has been a missing component and can be used as the first step in an organization’s third-party risk management process…” The methodology provides a risk scoring model to help quantify risks and offer specific recommendations for the rigor of individual providers’ assessments.

The Council’s vision of a standardized approach to manage third party suppliers to healthcare firms has promise. It is gaining momentum and support, even from suppliers, according to Council members. Learn more.

For more information on HIPAA risk management, please contact us.