November 11, 2016 By Christopher Burgess 3 min read

If you work in the health care sector, you’ve likely reviewed a business associate agreement to find that you own the vendor’s errors. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) received more than 20,000 complaints in 2016 and adjudicated settlements of over $20 million from covered entities, according to FierceHealthcare. This far exceeds the 2015 total of $6.5 million.

The OCR’s Final Omnibus Rule

In 2013, the OCR levied the final Omnibus Rule. This brought business associate agreements into the spotlight, since it expanded the responsibility of securing protected health information (PHI) to the business associate. The OCR noted that many of the most significant breaches reported to HHS involved business associates.

Fast forward to 2016 and the situation remains the same. Business associate agreements are often not aligned with the regulations or with the technology in use, and PHI is frequently compromised.

Enforcing the Business Associate Agreement

The OCR has issued 12 settlements so far in 2016. A recent settlement involved a covered entity whose business associate compromised PHI. The covered entity and the business associate paid a total settlement of $550,000, split between the OCR and a state attorney general’s office.

For a period of almost a year between September 2014 and August 2015, a hospital granted its business associate access to PHI and permission to transmit it without the assurances required under the Health Insurance Portability and Accountability Act (HIPAA). Furthermore, the hospital did not update its business associate agreement with the implementation specifications required under the regulation.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements, which include provisions for reporting.”

In a separate settlement, PHI was exposed due to poor technological implementation and a lack of risk review and remediation. The hospital in question settled for $2,140,500 and was ordered to “adopt a comprehensive corrective action.” The company failed to adequately evaluate the environmental and operational impact of a new server it implemented in 2011. This oversight potentially compromised the PHI of 31,800 patients.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” Samuels said. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

A Clear Demand for PHI

Intellectually, most health care and cybersecurity professionals understand the need to protect PHI. Yet many fail to consider the resale value of PHI on the criminal market.

“If it is targeted, then that suggests a clear demand; and if there is a demand, then there must be a return on investment,” Raj Samani noted in his introduction to the McAfee report, “Health Warning: Cyberattacks Are Targeting the Health Care Industry.” He’s certainly not wrong about the demand — medical information is worth 10 times more than credit card data on the black market.

Indeed, the report illustrated how PHI is separated from financial records such as credit card details and sold separately, providing cybercriminals a dual stream of income, as well as an opportunity to commit crimes from multiple angles.

Preventive Medicine

The McAfee report also identified the efforts of the criminals targeting PHI to recruit insiders. When an insider enters the mix, much of the security infrastructure in place becomes moot. Covered entities should closely examine every business associate agreement to ensure that it addresses the insider threat in terms of both technological implementation and user education.

The “2016 HIMSS Cybersecurity Survey” shone a very bright spotlight on the shortcomings of the health care sector when it comes to securing PHI. Perhaps the most glaring issue is the general lack of encryption for data at rest and in transit. As noted in the survey, “the lack of encryption means that data may be tampered in transit — thus, there is little assurance that the sender’s data has fidelity with the receiver’s data.”

Now is the time to bolster the security surrounding PHI, not only within your infrastructure, but also deep into the infrastructure of any entity with which you share a business associate agreement. Protecting the entire infrastructure is paramount. Don’t collect what you can’t protect.
