Good cybersecurity also means protecting patient data when it’s held by a business associate
A cyberattack affecting nearly 200 hospitals, clinics and independent practices, exposing an estimated 3.9 million records, occurred in 2015 when systems at NoMoreClipboard, an online patient portal and personal health record provider, were compromised.
The exposed data may have included victims’ names, home addresses, social security numbers, health information and other personal information, according to a notice posted on the vendor’s website.
Healthcare data breaches involving protected health information (PHI) are growing increasingly common. Almost 90% of healthcare organizations experienced a data breach in the previous two years, according to a May 2016 study from research firm Ponemon Institute that surveyed both covered entities and business associates (BAs). Moreover, 45% of those organizations had suffered more than five breaches within the reporting period.
So while practices are monitoring their own in-house security methods to avoid jeopardizing patient data, they also face the threat of a cyberattack on one of their business partners, putting that same information at risk.
“A small physician practice is at a disadvantage because they’re heavily relying on third parties to support them,” says Chris Logan, MBA, CISSP, senior healthcare strategist at software provider VMware in Palo Alto, California, and former chief information security officer for health system Care New England.
These BA relationships provide independent practices with much-needed resources and expertise, but what happens when patient data is compromised within a vendor’s network?
Cybersecurity and data privacy experts offer several strategies independent practices can use to determine how patient notification and internal security measures should be handled if a BA-based compromise occurs.
The sometimes-nebulous nature of BA breaches, where multiple provider firms may be impacted and the scope could take weeks or months to determine, can make responding to them difficult.
What should a practice do if it gets that dreaded phone call from a BA? Charles Carmakal, MS, vice president of Milpitas, California-based cybersecurity firm Mandiant, says the first priority must be to quickly gather as much information as possible.
“They’ll want to try to get an understanding of what data [of theirs] was actually impacted, because it will tell them who they need to notify,” says Carmakal. It may not be necessary (or prudent) to notify the entire patient base if only a portion has been impacted, he adds.
With the “what” determined (which data was exposed), the next step is to address the “how.” Carmakal stresses the need to determine as many technical details about the breach as possible.
“What else about the compromise can the business partner share with the practice, so they can figure out if perhaps their systems and data were directly impacted as well?” he asks.
Depending on the nature of the attack and the infrastructure involved, the attackers may have moved on to the medical practice’s network, too. Knowing the details will let the medical office and its breach response partners decide whether immediate action is needed to secure the practice’s own systems.
Many answers may not be immediately available because the investigation into the exposure is still underway. The breached BA should be working to determine precisely what occurred and how to contain the incident and thwart the attackers, but that process takes time.
Carmakal says investigations may range from a couple of weeks to several months, depending on the complexity of the breach and the size of the organization where the exposure occurred.
Second, it’s possible some details might never be fully known by the BA or its IT support staff. How did the breach happen? Which data sets were accessed? Was the breach limited to a certain kind of data, such as personal or financial details, or was clinical information also exposed?
“Notifications may happen prior to all those answers being known, but the practice still needs to ask for the details,” Carmakal says.
When a BA alerts a practice to a potential breach, the practice should quickly determine who will take the lead on sending notifications to patients impacted by the exposure, says Thomas Grove, principal at health IT consulting firm Phoenix Health Systems.
“The practice is on the hook for them, but very likely the vendor will do them because it’s probably not just your data that’s been affected, but also other practices’ data.”
During that first phone call it’s also important to ask if any alerting will be necessary in addition to notifying patients, such as reporting to any state or federal authorities. “Disclosure rules vary from state to state,” Grove says.
Vendors should be aware of these requirements, but the practice should be clear about the next steps and ensure all parties know who will handle each of them.
As part of the early breach response, the practice should gather any BA agreements covering the vendor(s) involved in the exposure.
“[The U.S. Department of Health and Human Services] has been very aggressive in going after covered entities that don’t have business associate agreements in place and up to date,” says Michael Vatis, JD, a partner in the New York office of the law firm Steptoe & Johnson, and founding director of the National Infrastructure Protection Center at the FBI.
Because BAs are obliged to comply with HIPAA regulations concerning data security, and because covered entities are under tight legal requirements for structuring those agreements, the practice should have the BA agreement with every vendor readily available.
Vatis says that confirming the language and date of the agreement won’t mitigate the harm to victims of a breach, but it is the kind of documentation that may be important to have handy as the investigation moves forward and the scope of the damage becomes clear.
Though the entire healthcare industry is a target for hackers and thieves, hospital systems and other large organizations often have the resources to better combat third-party risks through vendor management programs. Physicians in independent practices rarely have the resources to support such measures.
The process Logan’s team at Care New England used to identify and mitigate potential privacy risks across the hospital’s BA network required significant time and labor investments, such as visiting vendors that handled PHI to review and assess their security measures.
“For a small practice, it’s a balancing act,” Logan says. “They don’t have the staff to do that vendor management function.”
Because most independent practices can’t dedicate internal employees to this task, outside services can be hired to conduct the due diligence. However, the cost of hiring vendors for this work is high, and physicians must weigh breach risks against the expenditure’s impact on the business.
Medical practices are likely to find a security vendor extremely beneficial. A proactive approach to data protection is always best, and an experienced firm can help to direct those efforts most effectively.
“It’s also useful to understand whether a breach may be related to a wave of attacks against the broader industry,” Carmakal says.
A security firm with knowledge of the healthcare sector will typically have insight into breach trends and may also be aware of concurrent exposures with similar traits. In addition, because time is of the essence when a breach occurs, a relationship with a security firm will enable the practice to respond quickly.
Another area of expertise a practice may want to have in place is legal counsel familiar with breach response obligations and practices.
“Firms should at least know who their breach counsel is going to be. They don’t want to be shopping for lawyers when a breach happens, because they’ll have enough to deal with already,” Vatis says.
The responsibility for notifying affected patients is something practices may choose to address in the business associate agreement (BAA), putting the onus on the service provider to handle it. This shifts the financial and time burdens of mailing notifications, contacting media outlets and any other necessary activities away from the medical practice.
However, Vatis says, “It’s ultimately the covered entity’s responsibility to be sure notifications are done, and done correctly.” Working with legal counsel will ensure that breach notification efforts, not just to patients but also to any government agencies that require them, are carried out in a timely and appropriate manner based on where the breached PHI originated and how the exposure occurred.
To respond quickly and effectively to any BA-based data breach, practices should consider identifying all the vendors and service providers that may have access to patient PHI. This inventory shows the scope of what information could be exposed and all the places sensitive data resides.
“You will then know for which vendors you need to have business associate agreements in place,” Vatis says, “and you can be better prepared in the event one has a breach.”