D'Arcy Gue

Business Associates: The Weakest Link in Health Data Security

April 21, 2016

HIPAA & Security

Cybersecurity breaches among healthcare providers and payors have justifiably dominated the press over the last year, prompting long-needed scrutiny of internal data security risks and protections. But what about healthcare organizations’ external exposure, created by their vast array of business associate relationships with vendors and other entities that may have just as much access to protected health information (PHI)? If healthcare organizations, hospitals in particular, have inadequate security defenses, imagine how little they know about the security practices and weaknesses of their systems vendors, hosting companies, medical device providers, consulting companies, coding and billing firms, and even housekeeping services. You don’t have to imagine for very long. Here are some worrisome facts to consider if you are renewing your attention to data security management, along with some recommendations for mitigating the security risks that business associates bring.

A chain is only as strong as its weakest link, and business associates (BAs) are strong candidates for that distinction. A Ponemon healthcare security study in 2015 reported that 87% of BAs had experienced electronic data security incidents in the preceding two years, compared with 65% of healthcare providers and payors. Nearly 60% of all participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments, despite the federal mandate to do so.

Though this year’s Ponemon survey (February 2016) did not separate BAs from healthcare organizations, it noted that 38% of the 535 respondents were BAs. On average, every participating organization experienced one cyberattack per month over the past 12 months, and over 30% experienced between 6 and 50. Just under half had incidents involving the loss or exposure of patient information. Exploits of existing software vulnerabilities and malware attacks were the most common, experienced by over 70% of participants, and 50% or more also dealt with zero-day attacks, spyware, and lost or stolen devices.

Notably, about two-thirds of all respondents felt their organizations’ cybersecurity posture was not effective. Nearly half (45%) said that business associate agreements do not do enough to ensure the security of patient information.

This brings us back to the problematic security chain created by third-party BA relationships. Another recent Ponemon survey, “Data Risk in the Third-Party Ecosystem,” conducted across multiple industries, says much about the challenges of these relationships: about half of the respondents said they had experienced a serious data breach caused by a vendor partner, and 73% said such incidents are increasing.

Security issues specific to business associates include:

  • Inability of healthcare organizations to sufficiently understand and have confidence in third parties’ data safeguards, security procedures, and overall security posture. From our experience with hospitals, this problem increases as the size and sophistication of the business associate decreases. Very large BAs, particularly technology vendors, are more likely to have the resources to ensure strong data security. Smaller BAs such as transcription or coding services are not likely to have either the knowledge or the funds for a robust security program.
  • Healthcare organizations are not able to determine the number and identities of the third, fourth, fifth (etc.) parties down the chain with access to PHI. The 2013 Omnibus rule treats a BA’s subcontractors as business associates in their own right and requires the BA to have BA agreements with them, but learning those down-the-chain details is difficult in practice. This issue is exacerbated by the fact that responsibility for managing specific BAs is often spread across different departments of the healthcare organization. Without proper policies in place, your security officer may not even know that some BAs exist.
  • Even if healthcare organizations have a good handle on who their BAs (and “sub” BAs) are, we have seen that they rarely review vendor security programs. The sheer number of BAs, and the stretched finances of hospitals in particular, make this important security step difficult and often prohibitively expensive.

Some would say that managing business associate relationships from a security perspective is not just difficult but impossible. As always with security, risk mitigation is the order of the day; perfection is not.

Here are some recommendations for reducing the security risks your organization faces in contracting with and managing business associates:

  • Look for a security-oriented attitude in potential BA partners, a mindset evident in their representations and conduct. Include your security officer in the contracting process to ask the right questions about policies, procedures, past security incidents, security upgrades, and so on. Thereafter, your security officer should meet regularly with the BA’s security officer to keep on top of issues and changes in policies and procedures.
  • Require every BA to forward the results of its security risk analysis, and keep track of the firm’s schedule for this task. The HIPAA Security Rule requires business associates, like covered entities, to conduct a risk analysis and to keep it current; it sets no fixed interval, so write an annual cadence into the agreement. Sadly, chances are that few of your BAs actually conduct these analyses, so you will have to insist on them. Don’t rely on assurances.
  • Review your BA agreement files; you are likely to find that many of those agreements are out of date. The 2013 Omnibus HIPAA rule makes business associates directly liable for Security Rule compliance and is much stricter with them than the original HIPAA rules were. Any BA agreement dated before 2013 predates those requirements and is an automatic candidate for immediate updating with the vendor. Insist on compliance with the newer rules as a condition of your continued relationship.
  • Recognize that at many BAs the front-line staff, people who never set foot in a patient-care environment, feel less urgency about a security incident than you and your staff do. Require that your BAs’ employees complete PHI-oriented security training, just as our company’s employees do. Good online training programs exist, and they work. We recommend that you ask for documentation of this training annually.
  • Budget for the necessary security, including monitoring of business associates. As we discussed recently, data security, protecting your organization against the bad guys out there (and sometimes inside), is a way of life in most industries and must become one in ours.

A final thought: your organization is undoubtedly paying thousands, perhaps millions, for business associates’ services and products, and your BAs have signed BA agreements. You or some of your staff may infer that the security of the related PHI is therefore your BAs’ problem. That is a risky perspective at best. Ultimately, it is your organization’s patients whose information will have been compromised, and it is your organization that may be held accountable, by HHS’s Office for Civil Rights (OCR) and by your patients, if you haven’t taken at least the above steps.

Phoenix (a division of Medsphere) has performed objective, external security risk analyses and developed sustainable security programs with hospital clients for over 20 years. Please contact us if you would like to discuss how we can help mitigate your security risks.
