Business Associate Breaches: Key IssuesTwo Recent Incidents Shine Spotlight on Challenges
When it comes to health data breaches, business associates are again grabbing headlines, calling attention to the importance of scrutinizing vendors.
See Also: HIPAA Audits: A Revised Game Plan
In the most recent development, North Shore-LIJ Health System reports that it did not learn of a business associate's breach until eight months later. And last week, Medical Informatics Engineering, which offers a Web-hosted electronic health record system as well as personal health records, revealed that it was the target of a breach that affected its clients and their patients (see EHR Vendor Target of Latest Hack).
Security experts say the two cases highlight critical issues, including the need to:
- Carefully vet vendors and clearly spell out security and privacy expectations before signing contracts, including the timeframe for notification about breaches;
- Periodically review whether business associates are effectively adhering to security and privacy requirements spelled out in their BA agreements;
- Assess the cyber-risks to protected health information posed by EHRs and other software hosted by third-party vendors.
"Covered entities should continue to recognize that their privacy and security is only as good as their weakest business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Accordingly, they should consider whether they are comfortable with how their BAs are addressing the increasing risk environment and changing landscape of healthcare, including their confidence that the BA will even be around in a few years."
Security expert Mac McMillan, CEO of the consulting firm CynergisTek, notes: "The bad guys know that the EHR is the largest repository of patient information and therefore a lucrative target. Software-as-a-service, cloud, or hosting models would be likely targets. This is exactly why covered entities need to get serious about vetting their vendors better before contracting with them, and periodically [checking up on them] throughout the relationship."
Stolen Laptops Incident
The business associate breach affecting patients of North Shore - LIJ Health System, in Manhasset, N.Y., involved the theft of five unencrypted laptop computers from the Dallas office of Global Care Delivery, or GCD. The company provided North Shore - LIJ with payment-related services.
The laptops were discovered stolen while GCD was moving its offices on Sept. 2, 2014, Mark Bodnar, the company's CEO, tells Information Security Media Group. GCD immediately reported the theft to law enforcement, he says. But the company did not notify North Shore of the incident until May 11, 2015, because it took about eight months for GCD and "a couple of different entities" to determine during forensic analysis that while the stolen laptops had "different levels of password protections, their hard drives were unencrypted," Bodnar says.
GCD eventually determined that four of the five stolen laptops "potentially" contained protected health information of about 18,000 North Shore - LIJ patients, he says. That PHI included name, date of birth, insurance identification and some clinical treatment information. Of those individuals affected, about 2,000 potentially also had their Social Security numbers on the stolen devices, he says.
The lack of encryption on those laptops was against GCD's usual policy to encrypt mobile devices, Bodnar says. However, in the wake of the incident, GCD no longer uses portable computing devices, and it has transitioned to using only encrypted desktop computers, he says.
GCD has also brought in an outside security firm review the company's HIPAA compliance and to provide refresher training to its workforce, he says. GCD reported the incident to the U.S. Department of Health and Human Services the same time the vendor notified North Shore-LIJ about the breach, he says.
In the wake of the incident, North Shore-LIJ is re-evaluating relationships with various vendors, including ensuring that business associates are complying with required security measures to keep data protected, says a North Shore-LIJ spokesman. "We deal with thousands of outside vendors, and this incident reinforces the fact that we need to put additional precautions on what data is shared with a business associates, such as Social Security numbers," he says.
Although neither GCD nor North Shore-LIJ are aware of any access or misuse of the data, GCD is offering identity theft protection and credit monitoring services to affected individuals for one year.
North Shore-LIJ requires its business associates to notify the organization immediately of any breaches compromising PHI, the covered entity's spokesman says. However, "[GCD] claimed they didn't know PHI was on the laptops until recently," the North Shore-LIJ spokesman says.
Privacy attorney Greene says HIPAA generally requires BAs to report a breach without unreasonable delay, and in no case later than 60 days. "There can be delay based on a law enforcement request, and it is unclear whether such a request may have contributed to the delay in notification here," he says.
Bodnar tells ISMG that when GCD reported the theft to law enforcement, "authorities didn't see it as a big issue" in terms of PHI or patient privacy potentially being at risk.
Greene notes that "BA agreements generally spell out reporting requirements, at a minimum requiring reporting as required by HIPAA, but potentially providing for more stringent reporting deadlines. This is often an area of significant disagreement when negotiating BA agreements."
Meanwhile, the recent cyber-attack on Medical Informatics Engineering, a provider of hosted electronic health record software, and its patient portal and personal health record subsidiary, NoMoreClipBoard, highlights the potential risks posed to covered entities by cloud-based and other software vendors that handle protected health information.
The attack affected an undetermined number of patients at four Medical Informatics Engineering clients - all healthcare providers - as well as an undetermined number of individuals who use NoMoreClipBoard Web-based patient portal or personal health record services.
The incident at Medical Informatics Engineering "is just the tip of the iceberg" when it comes to breaches involving software vendors, predicts privacy and security expert Rebecca Herold, CEO of the Privacy Professor consultancy. "More EHR vendor startups are popping up every day, and in my experience, most startups are not implementing comprehensive, or effective, security. It makes it that much more important for covered entities to be more proactive in validating the security controls and programs of the EHR vendors they contract, and then establish ongoing oversight to ensure those security practices are continued and updated accordingly."
Medical Informatics Engineering says in a statement that the breach has been reported to law enforcement, including the FBI, and the company is cooperating with the investigation. Upon discovering the breach, the company says it "immediately began an investigation to identify and remediate any identified security vulnerability."
Herold predicts other incidents involving EHR vendors likely will be disclosed in the months ahead. "I'm sure there have been other breaches that have occurred. I know of at least one that I'm not at liberty to discuss. But given the growing numbers of them, and the ineffective and lacking security controls often within the associated vendors, it would probably be a winning bet to say there have been many others."