November 11, 2016 By Christopher Burgess 3 min read

If you work in the health care sector, you’ve likely reviewed a business associate agreement to find that you own the vendor’s errors. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) received more than 20,000 complaints in 2016 and adjudicated settlements of over $20 million from covered entities, according to FierceHealthcare. This far exceeds the 2015 total of $6.5 million.

The OCR’s Final Omnibus Rule

In 2013, the OCR issued the final Omnibus Rule. This brought business associate agreements into the spotlight, since it extended the responsibility for securing protected health information (PHI) to the business associate itself. The OCR noted that many of the most significant breaches reported to HHS involved business associates.

Fast forward to 2016 and the situation remains the same. Business associate agreements are often not aligned with the regulations or with the technology actually in use, and PHI is frequently compromised as a result.

Enforcing the Business Associate Agreement

The OCR has issued 12 settlements so far in 2016. A recent settlement involved a covered entity whose business associate compromised PHI. The covered entity and the business associate paid a total settlement of $550,000, split between the OCR and a state attorney general’s office.

For a period of almost a year between September 2014 and August 2015, a hospital granted its business associate access to PHI and permission to transmit it without the assurances required under the Health Insurance Portability and Accountability Act (HIPAA). Furthermore, the hospital did not update its business associate agreement with the implementation specifications required under the regulation.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements, which include provisions for reporting.”

In a separate settlement, PHI was exposed due to poor technological implementation and a lack of risk review and remediation. The hospital in question settled for $2,140,500 and was ordered to “adopt a comprehensive corrective action.” The company failed to adequately evaluate the environmental and operational impact of a new server it implemented in 2011. This oversight potentially compromised the PHI of 31,800 patients.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” Samuels said. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

A Clear Demand for PHI

Intellectually, most health care and cybersecurity professionals understand the need to protect PHI. Yet many fail to consider the resale value of PHI on the criminal market.

“If it is targeted, then that suggests a clear demand; and if there is a demand, then there must be a return on investment,” Raj Samani noted in his introduction to the McAfee report, “Health Warning: Cyberattacks Are Targeting the Health Care Industry.” He’s certainly not wrong about the demand — medical information is worth 10 times more than credit card data on the black market.

Indeed, the report illustrated how PHI is separated from financial records such as credit card details and sold separately, providing cybercriminals a dual stream of income, as well as an opportunity to commit crimes from multiple angles.

Preventive Medicine

The McAfee report also identified the efforts of the criminals targeting PHI to recruit insiders. When an insider enters the mix, much of the security infrastructure in place becomes moot. Covered entities should closely examine every business associate agreement to ensure that it addresses the insider threat in terms of both technological controls and user education.

The “2016 HIMSS Cybersecurity Survey” shone a very bright spotlight on the shortcomings of the health care sector when it comes to securing PHI. Perhaps the most glaring issue is the general lack of encryption for data at rest and in transit. As noted in the survey, “the lack of encryption means that data may be tampered in transit — thus, there is little assurance that the sender’s data has fidelity with the receiver’s data.”

Now is the time to bolster the security surrounding PHI, not only within your infrastructure, but also deep into the infrastructure of any entity with which you share a business associate agreement. Protecting the entire infrastructure is paramount. Don’t collect what you can’t protect.
