Any organization that gives third-party vendors access to its network or data takes on additional risk. Every party that can reach sensitive information is another potential point of entry for attackers, and another party whose security controls the organization does not directly manage. In spite of this, many organizations appear not to recognize the risk, or do nothing to mitigate it.
A recent study of the security risks posed by third-party suppliers, whose respondents included IT professionals from the healthcare industry, found that, on average, 89 vendors access a company’s network every week. More concerning, 64% of respondents said their organization prioritizes cost over security when selecting vendors.
That is a worrying finding in any industry. For healthcare specifically, where obligations under HIPAA (the Health Insurance Portability and Accountability Act of 1996) leave no margin for error in cybersecurity, security must take priority over cost or convenience without exception.
Vendor or Business Associate? Assessing the risks
The level of risk presented by a third-party vendor depends largely on the level of access they have to an organization’s network and/or data; an office janitor will typically present less risk than a cloud services provider, for example.
Under HIPAA, healthcare organizations have a legal obligation to safeguard their patients’ protected health information (PHI). Every HIPAA covered entity should be well aware of this. What many fail to acknowledge, however, is that HIPAA’s rules also apply to any individual or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity, or that provides services to one. HIPAA calls such entities business associates, or BAs for short.
Before a covered entity and a business associate can work together, HIPAA requires a Business Associate Agreement (BAA) between the two parties. In simplest terms, the BAA documents the business associate’s commitment to safeguarding PHI in accordance with HIPAA’s Privacy, Security, and Breach Notification Rules.
Even with a BAA in place, however, there is no guarantee that the business associate will remain HIPAA compliant for the duration of the contract: the agreement is a contractual commitment, not evidence that effective controls are in place. Covered entities should therefore thoroughly vet prospective vendors before entering into an agreement with them. It is also important to note that a business associate’s failings during its relationship with a covered entity may be treated as failings on the covered entity’s part, too.
As part of the vendor selection process, covered entities should look to obtain information in the following key areas:
- Safeguarding PHI: Confirm that the prospective business associate collects, processes, stores, and exchanges PHI in accordance with HIPAA rules.
- Track record: Investigate any past incidents that may indicate a lack of security controls or other failings.
- Incident detection and response plan: Confirm that the prospective business associate has a breach detection and reporting plan in place. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI.
Finally, if a business associate refuses to enter into a BAA, covered entities should be wary. David Holtzman, formerly of the HHS’s Office for Civil Rights (OCR), Privacy Division states: “If a provider offers a business associate agreement, it is willing to stand behind its compliance and say in writing that it has the proper privacy and security controls in place. If your business is going to use a vendor that stores PHI on your behalf, you must have a business associate agreement in place. If they refuse to sign, don’t use the service.”
Cost will always be a consideration when selecting vendors, but any short-term savings are likely to count for very little if longer-term commitments to cybersecurity and HIPAA compliance are ignored. By blindly entering into a relationship with a vendor, covered entities put themselves and their patients at significant risk.
For further reading on business associates and business associate agreements visit https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html