I came across an interesting breach analysis Chris Hourihan of HITRUST (Health information Trust Alliance) published last month on breaches affecting 500 million or more individuals in healthcare.
Since the HIPAA Breach Notification Rule took affect this time last year (September 23, 2009) through the publication date of the analysis (August 2010) 108 breaches affecting approximately 4,089,670 individuals and health records were reported to the U.S. Department of Health & Human Services (HSS) Office for Civil Rights. Hourihan estimates that the cost to these organizations is close to $1 Billion to deal with the incidents.
There is a lot of good information in the report breaking out breaches by records affected, type of breach, location etc. but of particular interest was the implication of breaches to a business associate or 3rd party, since IDology serves the healthcare industry. Of the breaches reported, 18.5% implicated a business associate which equates to 11% (or 457,000) of records accessed by an unauthorized individual.
While the HITECH Act makes business associates directly responsible for the provisions of the HIPAA Security, Privacy and Breach Notification Rule, the ultimate responsibility still falls on the covered entity.
Here are the top 5 areas healthcare companies need to evaluate when choosing a 3rd party technology vendor to ensure their business associates are operating securely:
1. Data Access– How much patient data does the vendor need access to? What types of data do they require to perform their job? Obviously, the less you provide, the better, since it reduces the risk associated with a breach.
2. Data Retention Policy – How long is the information you provide kept? How is it stored? What are the access policies to this data? How is it deleted or removed? Keeping sensitive data without a strong justifiable reason for long periods of time should be a red flag as it raises the risk of someone gaining unauthorized access to it.
3. Technological Infrastructure – How is the technology delivered? How secure is the network? Who has access to it? Does the vendor use any 3rd parties? If so, what are the due diligence procedures? Are there any routine security audits or vulnerability scans? Push to get copies of any reports so that you can evaluate for yourself.
4. Business Continuity – What are the normal performance levels? How is disaster recovery handled? What kind of media is used for back-up? A viable company has defined how business will continue to run in the event of minor and major disruptions.
5. Incident Response Plan – Does the vendor already have an incident response plan? What are the procedures and the timeline for being notified? Has the plan ever been invoked? Stay away from a vendor who is just hoping for the best and is not prepared to take action if a breach were to occur.