Written by Karen Pursch, Director, Patient Privacy Solutions
A great deal of your hospital’s patient information is now handled by outside partners — physician practices, outside labs, insurance companies, and many others. In an ideal world, you could trust these business associates and their subcontractors to always take the necessary precautions to keep sensitive information safe. Dream on!
Third parties are often the weakest link in a hospital’s security efforts, and their vulnerabilities can lead to your own organization being compromised, with all the cost and drama that result. According to the Ponemon Institute Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data (May 2016), nearly 90 percent of healthcare organizations had a data breach in the past two years, at an estimated average cost of more than $2.2 million. The high value of healthcare data is highlighted by Symantec’s 2016 Internet Security Threat Report, which ranked healthcare at the top of high-risk industries based on incidents caused by cyber criminals or insider theft.
With the increased sharing of digital data, CMS and OCR now recognize that every partner to whom you grant network access represents a potential path to a breach of patient privacy. The HIPAA Omnibus Final Rule requires hospitals to ensure that any business associate that creates, receives, maintains, or transmits PHI on their behalf also complies with HIPAA requirements for patient privacy. Hospitals that fail to adequately monitor business associates are not only at risk of a breach, but also risk a finding of willful neglect, the HIPAA penalty tier that carries the highest civil penalties.
Thus you need to understand how your third-party vendors are accessing PHI, which systems they are accessing, and who within each vendor is accessing them. You also need to be able to prove that you are in compliance and that you are doing all you can to keep patient information safe.
Viewpoint From a CIO
Rob Rhodes knows these challenges well. As a hospital CIO for many years (and now Vice President, Product Management, at Iatric Systems), Rob has been working since the late nineties to address the security risks hospitals face when sharing digital information with third parties. As demand for that sharing grew, he realized how important it was to put in place sound practices to protect against data theft as well as disruption to hospital operations.
Over the past 15 years, the solutions developed by Rob and his colleagues have been adopted by hundreds of other hospitals. But in those early days, they had to solve security problems on their own. “We would begin by asking questions. For example, how well do we know this organization? What type of data is being exchanged? Who needs to see it, and what will they do with it? Based on what we learned, we determined levels of risk and created policies, defining things like encryption required, credentials users would need, and levels of access they would be granted. We then put automated controls in place to enforce those policies, monitor access, and detect inappropriate behavior.”
Rob has seen healthcare emerge as a prime target for cyber criminals and is on the front lines helping hospitals adapt as technology and the threat landscape evolve. “We’re now in a much more connected world, which means we have to defend against state actors, criminal syndicates, and the insider threat constantly probing for vulnerabilities to exploit.” As he works with hospitals and partners to deal with current threats, he draws upon lessons learned from the early days, when all the challenges were new. “It was well before the Omnibus Rule but we needed to be proactive to create good security practices. We’ve carried that thinking forward and built on it, and it’s helped get us where we are today.”
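The approach described above, a per-partner policy (which systems a business associate may reach, what credentials it needs, how much it may pull) enforced by automated controls that monitor access and flag inappropriate behavior, can be demonstrated with a small policy check run over access events. The following is an added example for this article, not code from Iatric Systems or from the author; the partner names, system names, policy values and the log lines are constructed for illustration, and the key=value log format is assumed.

```python
"""Evaluate third-party (business associate) access events against per-partner policy.

Added illustration, not the article's or Iatric Systems' code. Partners, systems,
policy limits and the sample log are constructed; the key=value log format is assumed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class PartnerPolicy:
    partner: str
    allowed_systems: set          # systems this partner may touch (from the risk assessment)
    allowed_hours: tuple          # (start_hour, end_hour), start inclusive, end exclusive
    max_records_per_event: int    # volume ceiling per access event
    require_mfa: bool = True      # credential strength required for this partner


# Constructed policies: a lab feed is narrow but round-the-clock; a billing
# vendor sees more data but only during business hours.
POLICIES = {
    "outside-lab": PartnerPolicy("outside-lab", {"lis"}, (0, 24), 50),
    "billing-vendor": PartnerPolicy("billing-vendor", {"claims", "adt"}, (7, 19), 500),
}

# Constructed sample events (one per line, ISO timestamp then key=value pairs).
SAMPLE_LOG = """\
2016-05-02T08:14:03 partner=outside-lab user=lab_svc system=lis records=12 mfa=yes
2016-05-02T09:02:41 partner=billing-vendor user=bv_jdoe system=claims records=320 mfa=yes
2016-05-02T23:17:55 partner=billing-vendor user=bv_jdoe system=adt records=40 mfa=yes
2016-05-02T10:30:12 partner=outside-lab user=lab_svc system=ehr records=5 mfa=yes
2016-05-02T11:05:09 partner=billing-vendor user=bv_tmp system=claims records=2000 mfa=no
2016-05-02T12:00:00 partner=unknown-co user=x system=ehr records=1 mfa=yes
"""


def parse_event(line):
    """Turn one log line into a dict with typed timestamp, record count and MFA flag."""
    ts, *kvs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for kv in kvs:
        key, value = kv.split("=", 1)
        event[key] = value
    event["records"] = int(event["records"])
    event["mfa"] = event["mfa"] == "yes"
    return event


def evaluate(event, policies):
    """Return the list of policy findings for an event (empty list means compliant)."""
    policy = policies.get(event["partner"])
    if policy is None:
        # Access from a partner with no policy on file: nothing to compare against,
        # which is itself the finding to raise.
        return ["no_policy_for_partner"]
    findings = []
    if event["system"] not in policy.allowed_systems:
        findings.append("system_not_permitted")
    start, end = policy.allowed_hours
    if not (start <= event["ts"].hour < end):
        findings.append("outside_allowed_hours")
    if event["records"] > policy.max_records_per_event:
        findings.append("volume_exceeds_limit")
    if policy.require_mfa and not event["mfa"]:
        findings.append("mfa_missing")
    return findings


def audit(log_text, policies=POLICIES):
    """Return (user, system, findings) for every event that violates its partner's policy."""
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = evaluate(event, policies)
        if findings:
            violations.append((event["user"], event["system"], findings))
    return violations


if __name__ == "__main__":
    for user, system, findings in audit(SAMPLE_LOG):
        print(f"{user} -> {system}: {', '.join(findings)}")
```

The same evaluation gives you the evidence side of compliance: events that produce no findings are the record that the partner operated within the controls you defined, and each finding names the specific policy term that was exceeded rather than just "anomalous access".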
Compliance is Within Reach
Monitoring and auditing an ecosystem of third parties can be daunting for many CIOs and CISOs, who already have a lot on their plate. A recent study by Ponemon Research, Data Risk in the Third Party Ecosystem, found a lack of confidence in third parties' data safeguards and security policies and procedures, and in whether their security posture is sufficient to respond to a data breach or cyber attack.
Take advantage of those third-party relationships while protecting patient privacy and your hospital's reputation by joining our upcoming webinar demonstration of Partner Risk Manager™.