April 21, 2016
Cybersecurity breaches among healthcare providers and payors have justifiably dominated the press in the last year, propelling long-needed scrutiny of internal data security risks and protections. But what about healthcare organizations’ external vulnerabilities, created by their vast array of business associate relationships with vendors and other entities that may have just as much access to protected health information (PHI)? If healthcare organizations — in particular, hospitals — have inadequate security defenses, imagine how little they know of the security practices and vulnerabilities of their systems vendors, hosting companies, medical device providers, consulting companies, coding and billing firms, and even housekeeping services. You don’t have to imagine for very long…here are some worrisome facts to consider if you are renewing your attention to data security management, and some recommendations to mitigate your security risks with business associates.
A chain is only as strong as its weakest link, and business associates (BAs) are strong candidates for that distinction. A Ponemon healthcare security study in 2015 reported that 87% of BAs had experienced electronic data security incidents in the previous two years, compared with 65% of healthcare providers and payors. Nearly 60% of all participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments, despite the federal mandate to do so under the HIPAA Security Rule.
Though this year's Ponemon survey (February 2016) did not separate BAs out from healthcare organizations, it noted that 38% of the 535 respondents were BAs. On average, every participating organization experienced one cyberattack per month over the past 12 months, and over 30% experienced between 6 and 50 cyberattacks. Just under half had incidents involving loss or exposure of patient information. Exploits of existing software vulnerabilities and malware attacks were the most common, experienced by over 70% of participants; 50% or more also dealt with zero-day attacks, spyware, and lost or stolen devices.
Notably, about two-thirds of all respondents felt their organization's cybersecurity posture was not effective. Nearly half (45%) said that business associate agreements do not do enough to ensure the security of patient information.
Which brings us right back to the problematic security chain created by third-party BA relationships. Another recent Ponemon survey, "Data Risk in the Third-Party Ecosystem," conducted across multiple industries, reveals much about the challenges of these relationships: about half of the respondents said they had experienced serious data breaches caused by a vendor partner, and 73% said such incidents are increasing.
Security issues specific to business associates include:
Some would say that managing business associate relationships from a security perspective is not just difficult but impossible. Once again, as is always the case with security, risk mitigation is the order of the day. Perfection is not.
Here are some recommendations for reducing the security risks your organization faces in contracting with and managing business associates:
A final thought: your organization undoubtedly is paying thousands, perhaps millions, for business associates' services and products, and your BAs have signed BA agreements. You and/or some of your staff may infer that the security of the related PHI is therefore your BAs' problem. That is a risky perspective at best. Ultimately, it is your organization's patients whose information will have been compromised, and your organization may be held responsible by the HHS Office for Civil Rights (OCR) and by your patients if you have not taken at least the above steps.
Phoenix (a division of Medsphere) has performed objective, external security risk analyses and developed sustainable security programs with hospital clients for over 20 years. Please contact us if you would like to discuss how we can help mitigate your security risks.