Breach Preparedness , Data Breach , Events

Tips for Preventing Business Associate Breaches CIO Ed Ricks on Bolstering BA Security
Tips for Preventing Business Associate Breaches
Ed Ricks, CIO of Beaufort Memorial Hospital

Plenty of healthcare organizations have been stung by data breaches big and small caused by their business associates. That's one reason why Beaufort (S.C.) Memorial Hospital has been taking a variety of measures to help prevent reportable incidents involving its BAs, says CIO Ed Ricks.

The Department of Health and Human Services' Office for Civil Rights' "wall of shame" website shows that business associates have been culprits in at least 17 percent of breaches affecting 500 or more individuals.

That includes some of the largest recent breaches. For instance, the tally shows that a 2016 cyberattack targeting Newkirk Products - a BA that issues insurance cards for large health plans, including several Blue Cross Blue Shield organizations - affected 3.4 million individuals. It ranks among the top five largest health data breaches involving a BA.

Beaufort Memorial has been taking steps to beef up security practices related to its BAs for several years, Ricks says. And so far, the community hospital's approximately 200 BAs are not believed to have experienced a breach affecting the hospital's patient data, he says in an interview with Information Security Media Group.

Multi-Step Effort

The hospital's effort to bolster BA security began as it worked to comply with requirements of the HIPAA Omnibus Rule, which made BAs directly liable for HIPAA compliance, he notes.

The hospital, for example, takes steps to ensure it has appropriate BA agreements with any company that handles its protected health information, he says. "It's a work in progress, we try to ... look at them annually," he says. The hospital has a system in place "to help us track that, monitor changes we've made for certain [BAs] based on their criteria," he says.

Ricks notes that "a lot of electronic PHI can go back and forth" between BAs and Beaufort Memorial, so the hospital strives to ensure that its BAs are handling PHI according to the high standards Beaufort Memorial maintains for its internal users.

A continuing challenge, Ricks, says, is tracking the PHI that each BA can access. "We monitor how they can connect to our systems ... It's not just an open door policy."

In the interview (see link to audio below photo), Ricks also discusses:

  • Identity and access management challenges involving insiders and BAs;
  • Top privacy and security challenges facing community hospitals;
  • Beaufort Memorial's top security and privacy priorities for 2017.

Ricks is the vice president of information services and CIO for Beaufort Memorial Hospital, a 197-bed not-for-profit acute care facility in Beaufort, S.C. He has more than 25 years of information systems experience and has worked for four healthcare systems, including 15 years in senior leadership positions.

Ricks will be presenting on cloud challenges at the upcoming Healthcare Information and Management Systems Society 2017 Conference in Orlando.




Around the Network