OCR: Pay More Attention to Business Associate Risks
Cyber-Awareness Alert Offers Advice on Preventing Vendor Breaches
Federal regulators are reminding healthcare organizations about the urgency of having plans in place to manage security issues, including data breaches, involving their business associates.
The alert from the U.S. Department of Health and Human Services Office for Civil Rights comes in the wake of hundreds of healthcare organizations, as well as entities in other sectors - including the U.S. Office of Personnel Management - suffering major breaches involving their vendors.
"Despite the requirements of HIPAA, not only do a large percentage of covered entities believe they will not be notified of security breaches or cyberattacks by their business associates, they also think it is difficult to manage security incidents involving business associates and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach," notes OCR's latest monthly cyber-awareness alert issued May 3 via email.
"As such, covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors, respectively," OCR says. "For example, since the Office of Personnel Management had a data breach in 2015, OPM has been drafting new contract rules on reporting security incidents."
Investigators believe that hackers gained access to the OPM systems by first stealing OPM access credentials from an employee of KeyPoint Government Solutions, a contractor providing background-check services for OPM. The OPM breach affected about 21.5 million individuals.
Business associates are a constant security worry for many healthcare organizations.
"Our experience with covered entities confirms the fact that they are very concerned with the security risks involving their business associates," says Dan Berger, CEO of the security consulting firm Redspin. "It is a difficult challenge for a CE to assess whether appropriate security policies and safeguards are in place at BAs."
As of May 5, OCR's "wall of shame" tally of healthcare data breaches affecting 500 or more individuals listed 1,542 breaches affecting a total of 158 million individuals since September 2009. Of those incidents, about 20 percent - or 311 breaches impacting a total of 26.6 million individuals - involved business associates.
The percentage of breaches involving business associates is likely higher because some incidents that are known to have involved business associates - based on the notification letters covered entities sent to individuals - aren't listed on the "wall of shame" as having a business associate "present."
For example, at least two hacking incidents reported to OCR in March and April aren't listed as business associate breaches on the tally even though they apparently resulted from a cyberattack last year on electronic health records vendor Bizmatics Inc.
According to OCR's breach tally, Pain Treatment Centers of America of Arkansas on April 11 reported a hacker attack impacting 19,397 individuals, and Complete Family Foot Care of Nebraska on March 7 reported a hacking incident affecting 5,883 individuals. In their respective notification statements, the organizations say PHI was potentially compromised by a hacker attack on Bizmatics.
The largest breach involving a business associate listed on the OCR tally is a 2011 incident involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of their covered entity client, the military health program TRICARE.
Under the HIPAA Omnibus Rule that went into effect in 2013, BAs and their subcontractors became directly liable for HIPAA compliance. Still, many organizations resist complying with some of the rule's requirements, Berger says.
For instance, Berger says BAs often "push back" on the requirement under the HIPAA Security Rule to perform a security risk assessment. "BAs may have a more narrow definition of what constitutes a comprehensive and thorough assessment" than what their covered entities expect, he says.
Steps to Take
In its cyber-awareness alert, OCR offers a number of steps that covered entities need to consider regarding the information security of their BAs and subcontractors:
- Define in BA agreements how and for what purposes PHI can be used or disclosed so that any use or disclosure of PHI not provided for in the contract can be reported;
- Indicate in BA agreements the time frame for reporting a breach, security incident, or cyberattack;
- Identify in BA agreements the type of information a BA or subcontractor must provide in a breach or security incident report, including BA point of contact information, description of incident and types of unsecured PHI involved;
- Train workforce members at BAs and covered entities on incident reporting and conduct security audits and assessments to evaluate business associates' or subcontractors' security and privacy practices.
OCR notes that organizations must keep in mind that "incident reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and the media, as applicable. The quicker the incident is reported, the faster a covered entity or business associate can respond."
Considering the potential security risks posed by vendors, it's important for OCR to shine a spotlight on the issues, says privacy attorney David Holtzman, vice president of compliance at security consultancy CynergisTek. "It is helpful for OCR to call attention to the issue of how contractors and vendors report and respond to incidents that potentially expose e-PHI," he says.
In addition to OCR's advice, Holtzman says he recommends "taking a broader, proactive approach to identifying and selecting contractors or vendors who are in the best positions to prevent security incidents or breaches from taking place."
That includes evaluating and auditing business associates' security measures to ensure that there are appropriate safeguards in place. "Some suggestions include sending out a questionnaire prompting questions such as 'When was the date of your last risk assessment? When were your privacy and security policies last updated? What was the date of your last workforce education specific to HIPAA compliance?'"
Covered entities should also periodically request documentation to ensure that business associates' risk assessments are current, Holtzman advises. And they should also request documentation for data backup, data destruction and other security measures, he adds.