Recent health system data breaches came through compromised vendor IT systems, not through the health systems' own defenses. What does this mean for healthcare companies and their IT vendors?
If you are a B2B software company that works in healthcare IT, this may be pertinent to you. The giant sucking sound of healthcare data breaches may be from one of your systems.
This month, two major health systems reported massive healthcare data breaches.
Arizona-based Banner Health discovered that personal information of around 3.7 million patients might have been compromised in a cyberattack through unauthorized access to payment card data at food and beverage outlets at some Banner Health locations. The attackers targeted the data as it was being routed through payment processing systems.
Bon Secours Health System, based in Richmond, Va., announced that personal information on more than 650,000 patients might have been compromised due to data being exposed from a vendor’s information systems.
What connects these two incidents is that the data breaches are the result of attacks on business associates (BAs), not on the health systems themselves.
What’s equally important about these data breaches is that the hackers were not necessarily looking for patient medical records — they seem to have been looking for any personal information they could steal.
BA, BAA, HIPAA – who is it, what is it, and why should you care?
Under HIPAA rules, covered entities such as hospitals, health insurance companies, clinics, nursing homes and pharmacies must comply with requirements to protect the privacy and security of health information. If a covered entity engages a vendor — referred to as a business associate (BA) — the covered entity needs to have a written business associate agreement (BAA) in place. The vendor is also directly liable for compliance with certain provisions of the HIPAA rules.
The U.S. Department of Health and Human Services (HHS) defines a business associate as a “subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate.”
BAAs lay out all the responsibilities of the vendor as it relates to the handling of personal information; they also lay out the obligations in the event of breaches.
The bottom line is that technology companies that are BAs are liable for any data breach attributed to a failure at their end. Many BAAs have no limits on liabilities, hence a BAA can create significant financial risks for a BA.
For covered entities, these recent data breaches indicate that an ongoing review of their business partner relationships is becoming critically important, because the ultimate liability for these breaches falls on the covered entities.
Why is this important for B2B healthcare technology companies?
Enterprises in sectors such as financial services have been deploying sophisticated information security systems for years; as a result, the effort and cost of trying to penetrate the information systems of financial services companies have become prohibitive for hackers. Healthcare, with its vulnerable legacy systems, has been a lucrative target (with some estimates putting the black market value of a stolen health record at $60). Some hospitals have been victims of ransomware as well. However, health systems have been tightening up IT security in the wake of the unprecedented data breaches of 2015 and 2016, prompting hackers to focus on the next layer of vulnerability — BAs.
Healthcare IT companies that have been in the medical market for a while understand HIPAA and their obligations under a BAA. They have compliance training programs in place for employees and documented processes for dealing with HIPAA violations and data breaches.
However, the healthcare B2B vendor landscape has changed significantly in the past few years.
The new landscape of healthcare IT
New technology companies are trying to get in on the opportunities opening up due to healthcare consumerism and digital transformation in the sector. The need for cost control is also driving healthcare enterprises to use cloud-based services and turn to offshore-based operations to support critical IT systems.
Here are examples of trends that might impact IT security and expose healthcare enterprises to data breaches:
Digital health: The era of healthcare consumerism and digital transformation is upon us. Hundreds of digital health startups have sprung up, fueled by billions of dollars in venture capital. These startups are focused primarily on growth, and compliance is not a high priority for them.
Cloud migration: With the rapid movement of IT to the cloud, covered healthcare entities are finding themselves contracting with emerging technology companies that operate with cloud-based models, such as Amazon Web Services (AWS) or Microsoft Azure. In many cases, covered entities may not be dealing directly with cloud providers, but through a BA who delivers a cloud-based service.
Outsourcing and offshoring: Covered entities such as health plans and health systems have large offshore-based operations teams supporting their IT environments. These teams could be vendor organizations, or even captive centers that are extensions of the parent entity. While no data ever leaves the United States, as per regulatory requirements, offshore teams have access to production systems and databases that expose them to consumers’ personal information.
Health systems are under pressure today to innovate and tap into partnerships to deliver bottom-line value to the enterprise. However, they need to protect their IT systems from vulnerabilities arising from these partnerships.
Many health systems are doing just that, as I discussed in one of my earlier blogs on this topic.
Healthcare technology companies, for their part, need to be aware of their obligations under HIPAA and understand that compliance is not just about IT security but also about physical and administrative safeguards. If technology companies fail to protect their systems, there can be a serious financial impact, not to mention reputational consequences, for themselves and for the covered entities they work for.
The chain is only as strong as its weakest link, as the saying goes.
This article was originally published in CIO Online.