Written by Guy McAllister, Director, Privacy & Security - iatricSystems
Vendors always attempt to position themselves as a partner and a friend. The vendor relationship can sometimes get confusing and cause frustration around expectations, and one of those expectations is protecting data. So, the vendor relationship: BFFs? Or covered entity and business associate?
It’s enough stress on CIOs and IT Directors to worry about a breach occurring in their own organization; add to that the concern of being responsible as well if a breach happens at one of their vendors. It can be overwhelming!
The responsibility for protecting your patients’ Protected Health Information (PHI) falls squarely on the shoulders of the covered entity. That means worrying about a potential breach at home and away from home - through your vendors.
The recent Atrium-AccuDoc breach reminded me just how perilous our vendor relationships can be. Vendors have a unique and beneficial relationship with healthcare systems. They provide services with specialized skill sets that improve the services of our organizations; however, often those services require PHI to be shared.
That’s when the relationship changes to a covered entity and a business associate, with the covered entity ultimately being responsible for any breaches. The agreement for how they work together is the Business Associate Agreement, or BAA.
So, why the refresher on the history of a BAA? According to the HIPAA Omnibus Final Rule, when the vendor fails in its responsibility to protect your valuable data, PHI, it becomes your problem.
In the HealthInfoSecurity article "Attack on Billing Vendor Results in Massive Breach," author Marianne Kolbasuk McGee writes, “AccuDoc did not immediately respond to an Information Security Media Group inquiry about whether any of the vendor's other clients were impacted by the cyberattack.” While I am not attacking AccuDoc, read the articles and reports from that breach and you’ll see it’s the covered entity that is front and center in notifying the public and the affected patients of the breach, not the vendor where the breach occurred.
This breach should be used as a learning tool for covered entities so you can be prepared in case you find yourself in a similar situation, or better yet, use it as a wake-up call to take steps now to prevent it.
Covered entities are always ultimately the responsible custodian of PHI, and all of your vendors hold some of your information: financial, PHI, or strategic. So how do you manage vendor risk?
Here are seven basic steps to help with Vendor Risk Management:
Having a Vendor Risk Management solution in place is the critical answer to number 6 above. A Vendor Risk Management solution will identify the potential risk of a vendor based on a scoring method. That score is driven by the information and access a vendor requires. A vendor risk score is based on a type of security rating, much like a FICO credit score. A strong Vendor Risk Management solution also manages compliance of vendors’ remote access to your network.
While these components are helpful in managing vendor risk, always remember, choose your vendors wisely.
Some questions to ask yourself about the vendors you are choosing:
If you want to learn more about a Vendor Risk Management solution, read here or watch this short video.
You are welcome to schedule a meeting with me to discuss vendor risk management for your healthcare system.