Navigating Business Associate Security Risks
Risk Management Expert Discusses Top Concerns
Now, more than ever, managing the risks involved in working with business associates and their subcontractors should be a top priority for healthcare organizations in their efforts to safeguard patient information, says risk management expert Andrew Hicks.
When it comes to data breach prevention, "the number one thing that concerns me today is the downstream aspect of having vendors," says Hicks, healthcare and life sciences practice director at risk management consulting firm Coalfire.
"Vendor management programs are concerning. The industry has evolved somewhat, but there is still a significant risk in sending my data downstream to a vendor and not knowing if they have strong security measures in place to safeguard that data," he says in an interview with Information Security Media Group.
Many business associates "don't know what PHI [protected health information] is. They don't know how to spell 'HIPAA,' and they do pose a risk to the upstream business associate or upstream covered entity," he says. "And those are things organizations should acknowledge as part of their enterprise risk management programs."
Business Associate Breaches
One recent case that's calling attention to vendor management issues is electronic health records vendor Epic Systems' trade secret theft lawsuit against Indian IT consultancy Tata Consultancy Services, which resulted in the EHR vendor winning nearly $1 billion in damages.
The EHR vendor alleged that TCS consultants inappropriately downloaded thousands of sensitive Epic documents containing trade secrets to benefit "in the development or enhancement" of TCS's competing EHR software, Med Mantra. But TCS disputes that and plans to appeal.
Business associates have been involved in at least 20 percent of the 1,530 breaches listed on the Department of Health and Human Services' Office for Civil Rights "wall of shame" website, which tracks incidents affecting 500 or more individuals reported since September 2009.
The largest of the breaches involving a business associate was a 2011 incident in which unencrypted backup computer tapes containing information on about 4.9 million individuals were stolen from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of SAIC's covered entity client, the military health program TRICARE.
In the interview, Hicks also discusses:
- How resource-strapped organizations must balance readiness for a HIPAA compliance audit with bolstering their preparedness to deal with emerging cyber threats, including ransomware;
- The value of recently issued OCR cyber-awareness guidance on dealing with cyberattacks;
- Security issues concerning mobile devices and medical devices.
Hicks, healthcare and life sciences practice director at Coalfire, has more than a decade of experience in IT governance, including data security, risk management, audit, business continuity, disaster recovery and regulatory compliance. He has implemented and managed IT internal control programs relative to compliance with Sarbanes-Oxley, HIPAA, HITECH Act and PCI.