To guard against data breaches, healthcare organizations must demand more proof of how their business associates are safeguarding patient data and mitigating related risks, says privacy and security expert Daniel Schroeder.
"We're seeing much more heightened awareness of the risk that is represented by business associates [and] the interdependency of the elaborate web of business associates that support our healthcare system," says Schroeder, partner-in-charge of the information assurance services practice at the consulting firm Habif, Arogeti & Wynne.
In fact, business associates have been implicated in about 20 percent of incidents listed on the Department of Health and Human Services' Office for Civil Rights' "wall of shame" website of health data breaches affecting 500 or more individuals since September 2009. That includes a hacking incident revealed this year by web-based electronic health records vendor Medical Informatics Engineering that exposed the protected health information of 3.9 million individuals.
"Increasingly, covered entities are becoming more and more aware of these risks and are raising the bar on their business associates with respect to their expectations for them to be able to demonstrate and provide appropriate forms of evidence that they've done the right sort of things - and not just for HIPAA compliance - but also for effective risk management, Schroeder says in an interview with Information Security Media Group. Sometimes, the nature of a cyberthreat could require risk mitigation that is greater than what is called for under the HIPAA Security Rule, he notes.
"We're seeing an expectation [from covered entities] saying, 'we want to see evidence' that [business associates] have thought through their risks and followed the spirit of what's called for by the risk analysis requirement of the [HIPAA] Security Rule and that [the BA] has taken a very thoughtful approach to risk management," Schroeder says.
Also, while demanding their BAs provide a risk analysis "is a good start, it's not nearly enough," Schroeder notes. So, many covered entities are demanding other proof of steps BAs are taking to address risks, he says. That proof can range from security audit and certification reports to findings from independent security testing, he notes.
In the interview (see audio link below photo), Schroeder also discusses:
- Various kinds of security-related certifications that business associates can seek to better assure covered entities about their risk management programs;
- Questions covered entities should ask their business associates about security;
- Terms that should be part of business associate agreements.
Schroeder is the partner-in-charge of the information assurance services practice at Habif, Arogeti & Wynne LLP. He leads the firm's services related to risk analysis, including cybersecurity assessments; privacy and security gap assessments; audit and certification reporting, including SSAE 16, SOC 2, PCI, and ISO 27001; vendor management risk assessments and audits; and CISO advisory services.