So far in 2016, third-party data breaches have impacted 4.5 million patients, indicating that third-party business associates pose an alarming risk to patient data, according to a new report from Protenus and DataBreaches.net.
Breaches involving business associates or vendors accounted for a disproportionate share of affected patients and breached records in the first eight months of 2016: 30 percent of the breaches and 35 percent of the breached records reported to the U.S. Department of Health and Human Services’ (HHS) public breach portal were a direct result of third parties, according to the report.
The report authors note that, based on data from HHS, the 193 breach incidents that occurred through August 2016 impacted 12,801,481 patients. By Protenus and DataBreaches.net’s analysis, at least 4.5 million of those patients were affected by a breach involving a third-party vendor or business associate, a mean of 79,008 patients or records per incident. The mean for the 135 incidents that did not involve third parties was 62,004 records per incident.
“It appears, then, that breaches originating with third parties were associated with 27 percent more affected patients per incident than those originating at providers or health plans,” the report authors wrote.
The study authors note that community physicians, affiliates, and certain vendors often have extensive access to patient data in the electronic health record (EHR), and that every additional user with EHR access widens the exposure of healthcare systems and the workload of compliance teams. Vendors are often long-time trusted partners, but relationships that add a large number of new EHR users, or give vendor employees access to patient data, create significant patient privacy monitoring challenges.
The Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule required all covered entities to have compliant Business Associate Agreements (BAAs) in place by September 22, 2014 (the end of the transition period for pre-existing agreements). A BAA governs how electronic protected health information (ePHI) flows between a covered entity and its business associate and spells out what the business associate must do to comply with HIPAA requirements. Even so, many business associates operate without BAAs in place.
In the past year, HHS’s Office for Civil Rights (OCR) has imposed large settlements on healthcare organizations and their vendor partners for potential HIPAA violations. Oregon Health and Science University agreed to a $2.7 million settlement after OCR found that OHSU had stored the ePHI of over 3,000 individuals in a cloud computing system without any BAA with the cloud computing vendor.
Catholic Health Care Services, a business associate providing management and information technology services to six skilled nursing facilities, agreed to pay $650,000 as part of a settlement for potential violations stemming from a data breach due to the theft of a mobile device.
Advocate Health Care Network will pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate. HHS OCR charged Advocate Health with failing to obtain written business associate contracts.
According to the report, DataBreaches.net examined the rate and impact of third-party breaches in 2016 and compiled a month-by-month recap, which attributed 60 breach incidents to third parties. The authors conclude that third-party vendor breaches are more frequent than HHS’s breach portal suggests: a close reading of HHS’s closing notes for individual incidents shows that BAs and vendors are involved in more incidents than the portal’s own business-associate field reports.
“It appears that when covered entities report incidents, they often do not recognize that there is a way to indicate that a business associate had been responsible for the breach. There is an option labeled, ‘Are you a Covered Entity filing on behalf of a Business Associate?’ but some entities think, ‘I’m not filing on their behalf,’ so they don’t pick that option,” the report authors wrote.
“If HHS/OCR wants entities to take business associate security seriously, it would help if the public breach tool yielded a more accurate estimate of what percent of breaches and records were a result of business associates or third parties,” the report authors stated.
An examination of third-party incidents indicates that insider and external incidents were roughly equal in frequency; however, frequency alone may not tell the whole story in terms of impact or risk of harm. For instance, a hacking incident earlier this year involving the vendor Bizmatics, previously reported by Healthcare Informatics, affected multiple healthcare providers. So far those incidents appear to have affected up to 150,000 patients, though it is likely that even more patients were impacted.
To protect patient information, the report authors urge healthcare institutions and their partners to focus on, and invest in, collaborative, ongoing processes that will protect the institution’s data over time.
The report outlines a number of recommendations to reduce business associate risk. For healthcare organizations, a top priority is to ensure up-to-date BAAs are in place. “Have a process to both standardize and regularly review this process, as these documents form the legal core of your BA management program,” the report authors wrote.
Healthcare organizations also need to retain and keep current their human resources data so they can understand each user and that user’s role within the system, and they need to manage the identities of everyone with access to EHR systems, whether an employee or a BA’s staff.
Additionally, healthcare organizations need a proactive rather than reactive security posture, for example by deploying a privacy analytics platform that flags and resolves privacy violations quickly and efficiently.
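The identity-management and privacy-analytics recommendations above are the kind of check that can be scripted against the EHR’s own audit trail. The following is an added example, not code from the report or from Protenus, that joins constructed EHR audit-log lines against a constructed identity roster and flags three things a BA management program would care about: accounts absent from the HR/identity roster, BA accounts whose BAA has lapsed or was never filed, and actions a role is not permitted to take. The log format, roster fields, role permissions and the three rules are all assumptions for illustration.

```python
"""Minimal privacy-analytics check: join EHR access events with an identity
roster and flag accesses the roster does not justify.

Added example, not from the Protenus/DataBreaches.net report. The log format,
roster fields and the three rules below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Identity:
    user_id: str
    role: str                    # e.g. "physician", "billing", "vendor_support"
    employer: str                # the covered entity or a business associate
    is_ba: bool                  # True when the employer is a business associate
    baa_expires: Optional[date]  # None when no BAA is on file for this BA


# Assumed policy: which actions each role may perform on patient records.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"view", "update"},
    "billing": {"view"},
    "vendor_support": {"view"},  # support staff should never export records
}

# Constructed roster: two staff accounts and two vendor (BA) accounts.
ROSTER: Dict[str, Identity] = {
    "jsmith": Identity("jsmith", "physician", "Example Health", False, None),
    "bill01": Identity("bill01", "billing", "Example Health", False, None),
    "vend01": Identity("vend01", "vendor_support", "Acme EHR Hosting", True, date(2017, 6, 30)),
    "vend02": Identity("vend02", "vendor_support", "Old Billing Co", True, date(2016, 3, 31)),
}

# Constructed EHR audit-log lines, format: timestamp|user|patient_id|action
SAMPLE_LOG = """\
2016-08-02T09:14:03|jsmith|P10001|view
2016-08-02T09:20:45|vend01|P10002|view
2016-08-02T10:02:11|vend02|P10003|view
2016-08-02T10:05:27|vend01|P10004|export
2016-08-02T11:41:09|contractor9|P10005|view
2016-08-02T12:00:00|bill01|P10006|view
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user_id: str
    patient_id: str
    reason: str


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one audit line into (timestamp, user, patient, action)."""
    ts, user, patient, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, patient, action


def check_access(ts: datetime, user: str, action: str) -> List[str]:
    """Return the reasons (if any) this access is not justified by the roster."""
    ident = ROSTER.get(user)
    if ident is None:
        # Rule 1: no HR/identity record means nobody vouches for this account.
        return ["account not in HR/identity roster"]
    reasons: List[str] = []
    if ident.is_ba:
        # Rule 2: a BA account needs a BAA that is in force at access time.
        if ident.baa_expires is None:
            reasons.append(f"BA '{ident.employer}' has no BAA on file")
        elif ts.date() > ident.baa_expires:
            reasons.append(f"BAA with '{ident.employer}' expired {ident.baa_expires}")
    if action not in ROLE_PERMISSIONS.get(ident.role, set()):
        # Rule 3: the action must be allowed for the user's recorded role.
        reasons.append(f"action '{action}' not permitted for role '{ident.role}'")
    return reasons


def audit(log_text: str) -> List[Finding]:
    """Run the three rules over every non-empty line of an audit log."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        ts, user, patient, action = parse_line(line)
        for reason in check_access(ts, user, action):
            findings.append(Finding(n, user, patient, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user_id} -> {f.patient_id}: {f.reason}")
```

Run against the constructed log, the script reports three findings: the access by vend02 under a BAA that expired in March, the export attempted by vend01 outside the vendor_support role, and the view by contractor9, an account with no roster entry at all. The roster is the piece most organizations lack in practice; the report’s point about retaining current HR data is precisely that rules 1 and 2 cannot run without it.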
The report also recommends healthcare organizations take steps to understand the risks associated with subcontractors to business associates or vendors by asking to review the sBAAs (Subcontractor Business Associate Agreements) with BAs that have access to an extensive amount of the organization’s data.
The report authors also recommend that HHS amend its breach portal to more accurately reflect the prevalence and scope of third-party breaches. “In the interim, we encourage covered entities to require greater physical and technical safeguards for PHI held by third parties and to audit compliance with those requirements throughout the year,” the report authors wrote.