Software Vendor Breach Spotlights Broad BA Risks
Patients at 11 Organizations Affected by Hacker Attack
A recent hacking attack targeting a revenue cycle management software and services vendor, which impacted more than 31,000 patients at 11 healthcare organizations, illustrates the potentially broad security risks posed by business associates.
In an Aug. 17 notification statement, Lafayette, La.-based Acadiana Computer Systems, which operates ACS Medical Business Solutions, says it became aware on July 16 that an employee's email account had been accessed by an unauthorized individual.
An investigation into the incident indicated that emails within the account may have contained personal information belonging to patients of several of ACS's clients, the company says.
Those clients include Radiology and Interventional Associates of Metairie, La., LSU Healthcare Network, LSU Health Sciences Center Shreveport, Poly Ryon (Oakbend) Medical Group, Oceans Acquisition, South Louisiana Medical Associates, Southern Surgical, Truman Medical Centers, University Hospital and Clinics, University of South Alabama and Willis-Knighton Medical Center, the notification says.
"The involved information may have included names, addresses and treatment billing information belonging to those individuals," the notification states. "In addition, a small number of patients' Social Security numbers were potentially impacted."
ACS provides revenue cycle management services, proprietary revenue cycle management software and healthcare consulting services to over 3,000 providers ranging from large academic teaching facilities to physician practices and other healthcare entities, according to the company's website.
In the wake of the breach, ACS says it is taking steps to bolster security, including "increasing email account security, updating relevant policies and procedures, and retraining staff." While ACS advises impacted individuals to obtain free credit reports and to consider placing fraud alerts on their credit accounts, the company makes no mention of offering free credit or identity monitoring services to victims of the incident.
ACS did not immediately respond to an Information Security Media Group request for comment.
Top 10 Breaches Involving BAs So Far in 2018

| Business Associate | Individuals Affected |
|---|---|
| Tufts Associated HMO | 70,000 |
| Golden Heart Administrative Professionals | 45,000 |
| Acadiana Computer Systems | 31,000 |
| Orlando Orthopaedic Center | 19,000 |
| Capital Digestive Care | 18,000 |
Large BA Breaches
The apparent phishing incident at ACS is among the top 10 largest health data breaches involving business associates added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website. Commonly called the "wall of shame," the website lists health data breaches impacting 500 or more individuals.
A Sept. 6 snapshot of the wall of shame shows that business associates were reported as being involved in 58 major health data breaches so far this year, impacting a combined total of more than 2.3 million individuals. That's about 34 percent of the 6.6 million breach victims in all 241 breaches added to the wall of shame so far this year.
"Vendor/business associate issues are an enormous challenge for any HIPAA covered entity - or any company regardless of industry that uses vendors to provide services," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "Not only do the principals never know as much about the vendor's activities as they would their own, but most companies utilize dozens or hundreds of vendors, which simply multiplies risk in general."
As for incidents like the one involving ACS, "all companies - whether the principal or the vendor - need to make sure that employees are trained on appropriate security techniques, including how to recognize common security risks like phishing. That is obviously an important element of protection for any company," he adds.
Indeed, the security risks posed by vendors appear to be growing worries for many healthcare provider organizations.
Just last week, a group of healthcare CISOs announced they had partnered with the Health Information Trust Alliance - best known for its Common Security Framework - in an effort to reduce the security risks posed by vendors (see CISO Council to Address Vendor Risk Management).
The new Provider Third Party Risk Management Council said its member organizations will require their vendors to become HITRUST CSF certified within the next 24 months in the quest to improve uniformity and efficiency in the way organizations review the security controls and practices of third-party vendors that handle sensitive patient data.
Healthcare entities that don't have the wherewithal to pressure all their vendors to obtain HITRUST CSF or other certifications can take other steps to better assess the security practices of their business associates.
"Few organizations can sufficiently audit all of their vendors," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "So I recommend taking a risk-based approach, focusing on vendors who have access to large amounts of protected health information, but have not produced evidence that their information security has recently been independently assessed."
Covered entities can ask business associates what controls framework they have adopted and whether they have been tested against it, Greene adds. "I don't think a covered entity necessarily has to insist on a particular controls framework, but it may be a red flag if the business associate cannot point to any or simply states that they comply with the HIPAA Security Rule, which I do not think of as a detailed controls framework."
Nevertheless, Kate Borten, president of security and privacy consulting firm The Marblehead Group, says many covered entities need to do a better job assessing their business associates' HIPAA compliance efforts.
"Signing a BA agreement may strictly meet the rules, but is not enough in reality," she says.
Additionally, many small and midsize covered entities "struggle with their own compliance and often face staff and budget constraints, making BA oversight a lower priority, if it's even on the list," she says.
"HIPAA's security rule includes the 'evaluation standard,' a requirement to routinely assess compliance and security practices, and this applies both to CEs and to BAs," she notes. While HITRUST CSF certification is one way to vet BAs, it is not the only approach to assessing and validating an organization's compliance, she points out.
"Note that U.S. taxpayer-funded National Institute of Standards and Technology provides a free security framework, and ISO, the International Organization for Standardization, also has internationally accepted security standards," she says. "BAs should be prepared to provide at least a high-level summary of a security compliance audit, including remediation, to their CEs."