Tag Archives: business associate

Business Partners: A New Risk to Health Data Security?

by John Moore, iHealthBeat Contributing Reporter

Third-party business partners represent a significant security risk to health care providers, who may need several layers of protection to ensure the security of patient data.

The HIPAA Privacy Rule refers to third parties as “business associates” and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.

HIPAA’s Security Rule calls for covered entities to create contracts with business associates to ensure that the partner “will appropriately safeguard” PHI. The HITECH Act of 2009 further strengthened HIPAA’s rules regarding business associates and security obligations.

While the HIPAA rules have been around for a while — the Security Rule’s compliance date goes back to 2005 — hospitals and other health care providers have not consistently devoted a significant amount of time to business associate security.

Read John’s entire article here: http://www.ihealthbeat.org/features/2012/business-partners-a-new-risk-to-health-data-security.aspx


4/18/12 Webinar – Continuous Privacy and Security Compliance: Healthcare’s New Performance Target

Register Here:  https://iatric.webex.com/mw0307l/mywebex/default.do?nomenu=true&siteurl=iatric&service=6&rnd=0.941068

One of the lessons learned coming out of The Office for Civil Rights (OCR) HIPAA Audit Program is that we must understand where our ePHI is and what our team members and business partners are doing with it. Operational practices and controls must safeguard every record, all the time. Audit controls must be designed and documented to account for ePHI and what activities around that ePHI need to be monitored, internally and with our business associates. Most healthcare organizations have yet to make the leap to this new level of performance.

What will likely emerge in the omnibus rule related to breach notification, HIPAA enforcement and HITECH’s changes to the HIPAA privacy and security rules that may raise the bar even higher?

This 60-minute webcast will provide insight and knowledge that:

1.  Enumerates the lessons learned from the OCR HIPAA Audit Program through the experience of one of the “First 20” audited organizations

2.  Defines healthcare’s continuous compliance challenge for privacy and security and the potential impact of the omnibus rule

3.  Establishes the business case for evaluating technologies that contribute to continuous compliance

Presenters:

Mac McMillan CEO, CynergisTek and Chair, HIMSS Privacy and Security Policy Task Force

James Lawson, VP, Strategic Integration Development, Iatric Systems, Inc.

Latest Blog Post – Reducing Risk: Improve Vendor Management

In a continuation of Mac’s blog series on the OCR HIPAA audit process, he takes a look at one aspect of an organization’s privacy and security program — management of business associates — which represents a considerable risk for many covered entities today.

Business associates provide many important services that support the business of the covered entity. These services include transcription, claim processing, laboratory tests, radiology, system administration, data hosting, etc., and they make it possible for small organizations in particular to offer full-service support to patients.  Such services can require us to permit access to critical systems that hold patient information, or, in some cases, transfer patient data to a third party for processing and retention.  When we engage with these business associates, we need to ensure that sound practices are in place for managing the risk involved.

Read the full article here:  http://www.physbiztech.com/blog/reducing-risk-improving-vendor-management

HCCA Compliance Institute 2012 – CynergisTek @ Booth 205

CynergisTek is pleased to enter its 8th year of participation in the Health Care Compliance Association’s (HCCA) annual Compliance Institute.  HCCA is the preeminent membership and bellwether organization serving healthcare compliance professionals to advance ethical practice and compliance standards across the healthcare industry.

This year’s Compliance Institute will be held at Caesar’s Palace in Las Vegas, NV from April 29 – May 2, 2012.  Over 225 faculty members will lead over 125 educational sessions at this year’s Institute.

Please visit CynergisTek at booth #205, just across from HCCA’s booth, as we launch two new solutions portfolios:  one dedicated to OCR Audit readiness and one dedicated to Business Associate compliance management.  We also hope you will visit our valued business partners, Iatric Systems in booth #413 and ZixCorp in booth #111.

For more information and to register for the conference, please visit:  http://www.compliance-institute.org/index.htm.

Viva Las Vegas!

Security Risk Assessments Gaining Traction in Health Care

Author: John Moore, iHealthBeat Contributing Reporter

Security risk assessments are gaining a higher profile in the health care field as providers look to prevent data breaches, prepare for government audits and qualify for meaningful use incentive dollars.

A security risk assessment takes stock of an organization’s data protection policies and procedures, with an eye toward identifying weakness and establishing an improvement regimen. This aspect of IT security, although not entirely unknown in health care, has been more prevalent in other regulated industries such as financial services. However, a number of factors are driving interest in risk assessments among hospitals, medical practices and other covered entities under HIPAA.

Consider the following:

  • Rising data losses — Breaches of protected health information nearly doubled between 2010 and 2011, according to Redspin’s 2011 PHI Breach Analysis;
  • Government oversight — HHS’ Office for Civil Rights last year kicked off a pilot program in which it will conduct 150 audits to assess health care facilities’ privacy and security compliance; and
  • Meaningful use qualification — Hospitals and eligible professionals must “conduct or review a security risk analysis” to qualify for Medicare and Medicaid incentive payments under Stage 1 of the meaningful use program.

“I think there is a lot more risk analysis and risk assessment activity today than there ever was before,” said Mac McMillan, CEO of CynergisTek, a company that provides security services to health care organizations. “But we are still not where we need to be. A lot of the other regulated industries are much more mature,” he said.

Spotty Assessments

McMillan said many health care organizations have yet to embrace risk assessment in an organized and consistent fashion. Part of the problem, he said, is a lack of standards in how such assessments should be conducted. In 2005, HIPAA’s Security Rule issued the health care industry’s first risk assessment requirement, McMillan said. But the rule left a lot to interpretation.

The rule “didn’t provide a lot of guidance around what a risk assessment … should be,” McMillan said.

“One of the things that the health care market has been looking for has been additional guidance as to what these assessments should look like,” said Daniel Berger, president and CEO of Redspin. “The HIPAA Security Rule does talk about lots of different things, but when it comes to the requirements to conduct a security risk assessment and remediate vulnerabilities, it is actually pretty light on specifics.”

As a consequence, risk assessments run the gamut from thorough, enterprise-wide initiatives to limited, single-system checkups. Some facilities have yet to complete an assessment of any kind.

“We still have folks that come to us and say, ‘We have to do a risk assessment for meaningful use,’ and we’ll ask them, ‘When did you do your last one?’ and they’ll say, ‘We’ve never done one,’” McMillan noted.

A Comprehensive Approach

Security consultants recommend a comprehensive approach to risk assessment as the best way to protect PHI. Berger noted, however, that some providers are tempted to narrowly interpret the meaningful use risk assessment directive as focusing strictly on electronic health record systems. He said that’s too limited a scope to achieve the requirement’s security aims.

“If you just concentrate a security risk assessment on [an] EHR [system], you are not going to necessarily include tangential systems — workstations or servers that also have the ability to access the information the EHR provides,” Berger explained.

Accordingly, determining scope is one of the critical elements of a risk assessment, which, depending on the methodology used, may include the following steps:

  • Scope definition;
  • Review of provider’s security policies and procedures;
  • Interviews with key provider officials;
  • Technical review, including the scanning and testing of internal systems;
  • Identification of vulnerabilities and assessment of their potential impact; and
  • Development of remediation strategies.

As for setting the scope, the main considerations boil down to the provider’s goals and the size of its environment. Scope also determines an assessment’s price tag, which can run from $30,000 to $60,000 for a thorough review. Assessments for smaller practices cost considerably less.

Areas to consider include:

  • Whether the risk assessment is intended to provide a general review of data security or focus on a particular compliance requirement;
  • The boundary for the assessment; and
  • Whether it covers several systems, a portion of a hospital or multiple facilities.

After the scope is defined, an assessment then moves into policy and procedure reviews. If a hospital opts to bring in an outside consultant to run the assessment, it can expect an onsite visit at this point. Berger said his company typically sends out two engineers for two to four days, depending on the size of the engagement.

This policy review stage may involve interviews with a provider’s key players — IT, human resources and finance officers, for example. A technical review, meanwhile, aims to assess system and network vulnerabilities. The two reviews may dovetail. A risk assessment often involves testing systems to determine whether an organization’s stated policies are being followed in actual practice. For instance, a password analysis for a given system will reveal whether employees use weak passwords such as “guest” or observe the health organization’s password strength guidelines, Berger explained.

A report documenting the risk assessment’s findings will follow the onsite review. The report spells out the organization’s vulnerabilities and suggests a mitigation strategy.

“A comprehensive evaluation will likely identify many risks,” said David Finn, health information technology officer at Symantec Corp. “Once identified, you can develop plans and timeframes to reduce these risks starting with those that have the greatest potential for negative impact,” he said.

Finn referred to risk assessment as the first step of risk management, which he described as the ongoing process of identifying risk, developing mitigation plans and executing those plans.

Casting a Wider Net: Business Associates

Another source of vulnerability exists beyond the walls of the health care provider: business associates. Business associates are defined under HIPAA as third parties handling PHI in the course of doing business with a covered entity. Breaches involving a business associate increased 76% from 2010 to 2011, according to the Redspin report.

“Hospitals in the past have generally done a poor job of due diligence with respect to the people they share data with,” McMillan said.

Under HIPAA, providers are required to ink a business associate agreement with each data-sharing partner. A business associate that signs the agreement acknowledges its data protection responsibilities. But the pacts typically don’t detail specific security requirements. What’s more, business associate agreements usually surface when a covered entity and its partner are finalizing a business deal, so the time for vetting has already passed.

“A better solution is to use an independent security questionnaire during the selection/RFP process, which is when you should be vetting the capabilities of the vendor,” McMillan said.

Several companies now offer risk assessment services that assess business associates.

ATMP Solutions, a Michigan-based company that conducts HIPAA compliance assessments, has been using eGestalt Technologies’ tool with smaller practices and business associates. Joe Dylewski, managing partner and owner of ATMP, said business associates are drawn to assessments for two reasons.

“To be a business associate and to have gone through a third-party assessment adds credibility to their business value,” he said, adding, “And they are kind of guided by the large covered entities to get this work done for them.”

Read more: http://www.ihealthbeat.org/features/2012/security-risk-assessments-gaining-traction-in-health-care.aspx#ixzz1p3Z8QEkR

Business associates under fire as security risk

Author: Beth Walsh
Featured as a CMIO.net Web Exclusive on March 1, 2012

Business associates (BAs) are a huge area of concern when it comes to healthcare data privacy and security. “If you look at the statistics, there were nearly 400 healthcare data breaches in the last two years and almost half are due to BAs. But that half accounts for more than 75 percent of all records involved,” said Mac McMillan, CEO of Austin, Texas-based health IT security firm CynergisTek, and co-chair of the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Policy Task Force.

“While a covered entity has all the information for the patients it cares for, a BA could have data from 100 covered entities or more. You’re talking magnitudes of data.”

This area is a big problem because, while healthcare providers in general have gotten very little attention, BAs have gotten virtually none, McMillan said. That’s partly because providers and BAs aren’t concerned about it yet. Plus, there’s confusion about what constitutes a BA.

“A lot of BAs don’t really consider themselves BAs even though they are,” he said. “Hospitals have companies that perform some third-party service for them and have protected health information (PHI) but they don’t feel that it applies to them because they’re just a hosting service or pass through.”

These companies don’t realize that the way the rule was written, once they take PHI from a covered entity, the provision of access is met. That means that whether they access the data or not, they are a BA. Just because they don’t access the data doesn’t mean they can’t, and that is what makes a company a BA.

McMillan said many covered entities have sent out security questionnaires to their BAs, particularly those who have PHI, and gotten some surprising answers. Some BAs don’t even have the rudiments of a security program. They are almost completely focused on the business service and have not considered the data or HIPAA compliance.

Several factors contribute to the problem: lack of knowledge, lack of concern for enforcement and the general cost of doing business, according to McMillan. For example, if a company has to change its network then it probably has to charge for more services so it becomes harder to keep and get clients. Another aspect of many third-party providers is that they are very small companies just getting started and therefore, are more likely to take risks, he added.

As written, the breach notification rule places responsibility on the covered entity. The BA has to notify just the source of the data, but the covered entity has to make all the required notifications of the breach, which includes notifying patients and the media. “Unless the contract is written smartly, there is nothing in the law that transfers the responsibility for cost,” said McMillan. “It’s really something the covered entity has to pay attention to with their BAs and do a better job of due diligence.”

McMillan said that he is amazed at some hospital experiences in this area. For example, a big hospital in New Jersey had a longstanding BA with access to enormous amounts of data. When the hospital asked the BA some basic security questions, the response was “we don’t have that kind of security on our network, we don’t have those policies and procedures and we can’t afford it.”

This BA was performing a very important function for the covered entity, so it had to decide between continuing to use the BA as is, find another BA or invest in helping the BA become HIPAA compliant. The hospital decided it was in its best interest to help the BA become compliant.

“It was amazing,” said McMillan. “This is a BA doing business with multiple hospitals and nobody had ever looked under the hood. If it’s not in the contract, then they are not responsible for doing it.”

The idea that HIPAA being applicable to BAs would, by itself, affect their behavior is nonsense, he said. He has told BAs they have the same responsibilities as covered entities, and he said that nine out of 10 say they are not ready.

Three things could force change, asserted McMillan.

“The absolute, biggest, most effective pressure on BAs is the people they do business with,” said McMillan. “Hospitals must say they’re tired of having to deal with breaches and notifications and then do a better job of putting requirements for security in their contracts.” Having the right language in the contracts provides for clear cases of negligence and breach of contract.

There are lawsuits in progress that allege negligence as opposed to harm that also could force change. “Those lawsuits probably will have the biggest impact in the short run,” said McMillan. “You’ll see much bigger costs associated with that than you will with fines from the government.”

Third, government enforcement will play a role as well. However, “there is no way the government has enough resources to enforce HIPAA proactively and in a manner so dramatic that it would change behavior.” The $1.5 million maximum fine is a “game changer” for small companies but that amount won’t faze bigger companies.

“Companies follow rules because they get audited,” noted McMillan. “If they don’t, there are repercussions. In healthcare there is no active auditing of BAs. Unless the covered entity is monitoring or managing them proactively, basically they’re out there doing whatever they want. Nobody’s checking on them.

“Some companies are doing well with these requirements but unfortunately, a lot of folks are trying to manage costs,” he remarked. “Security is a cost.”

McMillan stated the Office for Civil Rights’ new audit program includes asking questions about BAs, such as: Have you done any due diligence with respect to BAs? Do you know if your BAs have a backup plan with respect to the data you’ve given them? Have they provided evidence they are backing up data or are capable of reconstituting it?

“These questions may cause covered entities to start telling BAs to meet their requirements or lose my business,” he said.