A cyberattack affecting nearly 200 hospitals, clinics and independent practices—exposing an estimated 3.9 million records—occurred in 2015 when systems at NoMoreClipboard, an online patient portal and personal health record provider, were compromised.
The exposed data may have included victims’ names, home addresses, social security numbers, health information and other personal information, according to a notice posted on the vendor’s website.
Healthcare data breaches involving protected health information (PHI) are increasingly common. According to a May 2016 study from research firm Ponemon Institute, which surveyed both covered entities and business associates (BAs), almost 90% of healthcare organizations had experienced a data breach in the previous two years, and 45% of those had suffered more than five breaches in that period.
So even as practices tighten their own in-house security to protect patient data, they face a second threat: a cyberattack on one of their business partners that puts the same information at risk.
“A small physician practice is at a disadvantage because they’re heavily relying on third parties to support them,” says Chris Logan, MBA, CISSP, senior healthcare strategist at software provider VMware in Palo Alto, California, and former chief information security officer for health system Care New England.
These BA relationships provide independent practices with much-needed resources and expertise, but what happens when patient data is compromised within a vendor’s network?
Cybersecurity and data privacy experts offer several strategies independent practices can use to determine how patient notification and internal security measures should be handled if a BA-based compromise occurs.
Responding to a BA Breach
The sometimes-nebulous nature of BA breaches, where multiple provider firms may be impacted and the scope could take weeks or months to determine, can make responding to them difficult.
What should a practice do if it gets that dreaded phone call from a BA? Charles Carmakal, MS, vice president of Milpitas, California-based cybersecurity firm Mandiant, says the first priority must be to quickly gather as much information as possible.
“They’ll want to try to get an understanding of what data [of theirs] was actually impacted, because it will tell them who they need to notify,” says Carmakal. It may not be necessary (or prudent) to notify the entire patient base if only a portion has been impacted, he adds.
With the “what” determined—in terms of which data was exposed—the next step is to address the “how.” Carmakal stresses the need to determine as many technical details about the breach as possible.
“What else about the compromise can the business partner share with the practice, so they can figure out if perhaps their systems and data were directly impacted as well?” he asks.
Depending on the nature of the attack and the infrastructure involved, the attackers may have moved on to the medical practice’s network as well. Knowing the details lets the medical office and its breach response partners decide whether immediate action is needed to secure its own systems.
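In practice, using the technical details the BA shares to check whether the practice's own systems were touched means sweeping the practice's own logs (firewall, DNS, endpoint) for the indicators the BA's investigators hand over, such as attacker IP addresses, domains and file hashes, and then listing which internal hosts had contact with them. The following Python script is an added example, not code from the article, from Mandiant or from any BA; the indicator values, the log lines and the field names (src=, dst=, client=, host=, sha256=) are constructed for illustration and do not describe any real incident.

```python
"""Sweep a practice's own logs for indicators shared by a breached BA.

Added example; the indicators and log lines below are constructed and
the log field names are assumed, not taken from any real product.
"""
import re
from dataclasses import dataclass

# Hypothetical indicators handed over by the BA's investigators.
# Addresses are from the documentation-only TEST-NET ranges; the hash is
# simply SHA-256("test"), used as a stand-in for a malicious file hash.
BA_INDICATORS = {
    "ips": {"203.0.113.45", "198.51.100.7"},
    "domains": {"update-portal.example.net"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed log lines from the practice's own firewall, DNS and EDR.
SAMPLE_LOGS = [
    "2016-05-02T03:14:07Z fw allow src=203.0.113.45 dst=10.0.4.12 dport=443",
    "2016-05-02T03:14:09Z dns query=update-portal.example.net client=10.0.4.12",
    "2016-05-02T03:15:30Z edr file_create host=EHR-WS07 "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "2016-05-02T08:00:01Z fw allow src=192.0.2.10 dst=10.0.4.12 dport=443",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
# Assumed names of the fields that identify an internal asset in a log line.
INTERNAL_HOST_RE = re.compile(r"\b(?:dst|client|host)=(\S+)")


@dataclass(frozen=True)
class Hit:
    line_no: int   # 1-based index into the log input
    kind: str      # "ip", "domain" or "sha256"
    value: str     # the indicator that matched
    line: str      # the full log line, kept for the incident record


def sweep_logs(lines, indicators):
    """Return a Hit for every occurrence of a BA-supplied indicator.

    Matching is case-insensitive for domains and hashes; IPs are matched
    as whole tokens so 203.0.113.4 does not match 203.0.113.45.
    """
    ips = set(indicators.get("ips", ()))
    domains = {d.lower() for d in indicators.get("domains", ())}
    hashes = {h.lower() for h in indicators.get("sha256", ())}
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in IP_RE.findall(line):
            if tok in ips:
                hits.append(Hit(n, "ip", tok, line))
        for tok in DOMAIN_RE.findall(line):
            if tok.lower() in domains:
                hits.append(Hit(n, "domain", tok.lower(), line))
        for tok in SHA256_RE.findall(line):
            if tok.lower() in hashes:
                hits.append(Hit(n, "sha256", tok.lower(), line))
    return hits


def touched_hosts(hits):
    """Internal hosts that had contact with an indicator: the first
    candidates for isolation and forensic imaging."""
    hosts = set()
    for h in hits:
        hosts.update(INTERNAL_HOST_RE.findall(h.line))
    return hosts


if __name__ == "__main__":
    found = sweep_logs(SAMPLE_LOGS, BA_INDICATORS)
    for h in found:
        print(f"line {h.line_no}: {h.kind} {h.value}")
    print("hosts to triage:", sorted(touched_hosts(found)))
```

A sweep like this answers the "were we directly impacted" question only to the extent of the indicators the BA can share; an empty result is not proof the practice was untouched, since the BA's investigation (and therefore its indicator list) may still be incomplete.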
Many answers may not be immediately available because the investigation into the exposure is still underway. The breached BA should be working to determine precisely what occurred and how to contain the incident and thwart the attackers, but that process takes time.
Carmakal says investigations may range from a couple of weeks to several months, depending on the complexity of the breach and the size of the organization where the exposure occurred.