When a security breach occurs, reporting it is essential. But what happens when that breach occurs within your business partner’s system rather than your own?
In March 2016, Allscripts Healthcare Solutions and the 2,700 hospitals that use its products were shut down by SamSam ransomware, according to media reports. In January 2018, the company’s partners proposed a class-action lawsuit against Allscripts for failing to monitor and audit its systems. The company’s failure exposed all of its partners’ patients’ data to the ransomware.
To be clear, not every attempted attack against a system needs to be reported. According to the Cisco "2017 Annual Cybersecurity Report," such attacks will continue growing by approximately 350 percent each year. Given the sheer volume of attacks on healthcare systems, reporting every single attempt would be unmanageable.
However, every successful breach constitutes a HIPAA violation, which covered entities must document and report every time. Therefore, keeping an eye on business partners that might be compromised is also vital. It’s the only way to avoid being blindsided by an attack that threatens your organization through one of your partners’ systems.
Before, During, and After a Partner’s Breach
Knowing about a business partner’s data breach early is vital to responding to it. If a business partner’s breach affects your practice or makes the "Wall of Shame," you should be notified automatically.
To be absolutely sure, you should also review the Department of Health and Human Services' breach portal at least once a month as a precaution. To receive notifications about attacks that are trending or particularly dangerous, you can join email lists for the National Institute of Standards and Technology, HHS, and the FBI. You can cast your net further by setting up Google Alerts for keywords such as “breach + [your city].”
Knowing is only half the battle, though. To protect yourself against a business partner’s breach (or the potential for one), follow these steps before, during, and after a cyberattack:
1. Prioritize BAAs from the Start
Emphasizing business associate agreements (BAAs) as integral to your partnership isn’t just about breaches; it's about adhering to HIPAA standards in general. For Illinois’ Center for Children’s Digestive Health (CCDH), not having one turned out to be a $31,000 mistake. After a review by the HHS Office for Civil Rights in 2015, CCDH was fined that amount for potentially violating HIPAA rules when it couldn’t produce a BAA for its 12-year partnership with FileFax.
To avoid the same mistake, begin every partnership with every vendor with an official BAA. The agreement will lay out your and the vendor’s reporting rules and obligations in case of a breach on either side. If you don’t have a BAA with a vendor that handles protected health information (PHI), have one signed immediately or find another vendor that's willing to sign one.
2. Join Forces With Vendors During the Attack
If more proactive, collaborative policies were in place in 2017, the infamous WannaCry attack might not have been able to sweep across more than 150 countries. The exploit that WannaCry used, called EternalBlue, allowed one remote computer to shut down an entire company and spread the attack through files shared with that organization’s business partners. But that exploit was patched before the attack even occurred.
The problem was that countless organizations were using older systems that couldn’t be automatically updated. However, by closely collaborating with vendors and affected entities, many organizations were able to recover and implement better security measures quickly. For instance, Windows rolled out a free patch for older systems, and IT vendors helped clients revamp their data systems to address the new (and evolving) threat as soon as possible.
3. Immediately Report Breaches That Affect You
Whether a partner’s breach affects your organization or vice versa, you must report the breach as soon as possible. Even if you aren’t sure whether you’re in breach of HIPAA, your organization must report any PHI that was involved and the extent of the breach. If more than 500 people were affected, you only have 10 days to provide thorough details to HHS.
If you’ve been compromised, consult with your compliance officer or HHS for detailed instructions on what to report and how. Your existing BAAs will guide your organization in reporting to all associates, and collaborating with vendors will help everyone involved resolve the security breach as soon as possible.
Cyberattacks are too successful for hackers to give up any time soon, and healthcare will always be a prime target for information thieves. Comprehensive security standards and close collaboration with business partners can be a formidable barrier, but the most essential protective measures against ransomware and other data breaches are immediate notification and action.