Vendors always attempt to position themselves as a partner and a friend. The vendor relationship can sometimes get confusing and cause frustration around expectations, and one of those expectations is protecting data. So, the Vendor Relationship: BFFs? or Covered Entity and Business Associate?
It’s enough stress on CIOs and IT Directors to worry about a breach occurring in their own organization; but add to that stress the concern of being responsible as well, if a breach happens at one of their vendors. It can be overwhelming!
The responsibility for protecting your patients' Protected Health Information (PHI) falls squarely on the shoulders of the covered entity. That means worrying about a potential breach at home and away from home - through your vendors.
The recent Atrium-AccuDoc breach reminded me just how perilous our vendor relationships can be. Vendors have a unique and beneficial relationship with healthcare systems. They provide services with specialized skill sets that improve the services of our organizations; however, often those services require PHI to be shared.
That’s when the relationship changes to a covered entity and a business associate, with the covered entity ultimately being responsible for any breaches. The agreement for how they work together is the Business Associate Agreement, or BAA.
So, why the refresher on the history of a BAA? According to the HIPAA Omnibus Final Rule, when the vendor fails in their responsibilities of protecting your valuable data – PHI – it becomes your problem. According to the article in HealthInfoSecurity, Attack on Billing Vendor Results in Massive Breach, “AccuDoc did not immediately respond to an Information Security Media Group inquiry about whether any of the vendor's other clients were impacted by the cyberattack,” says article author Marianne Kolbasuk McGee.
While I am not attacking AccuDoc, read the articles and reports from that breach and you’ll see it’s the covered entity that is front and center in notifying the public and the affected patients of the breach, not the vendor where the breach occurred.
This breach should be used as a learning tool for covered entities so you can be prepared in case you find yourself in a similar situation, or better yet, use it as a wake-up call to take steps now to prevent it.
Covered entities are always ultimately the responsible custodian of PHI, and all of your vendors hold some of your information: financial, PHI, or strategic. So how do you manage vendor risk?
Here are seven basic steps to help with Vendor Risk Management:
- Assign risk that characterizes vendors in terms of data classification, history, and agreement terms
- Prioritize your vendors in terms of assignment of risk. High-risk business associates could be those that don’t have a HIPAA training policy or proof of employee training, do not have a HIPAA breach policy, or lack clear policies and procedures regarding the protection of PHI.
- Determine which vendors require additional evaluation
- Have the ability to monitor progress, and report findings and deficiencies for further investigation
- Be alerted when users associated with a terminated business associate agreement are identified as accessing PHI
- Be able to perform an immediate risk assessment if a breach or suspicious activity occurs (which is required by the Omnibus Rule)
- Identify technology that can assist you with Steps 1 – 6
Having a Vendor Risk Management solution in place is the critical answer to number 6 above. A Vendor Risk Management solution will identify the potential risk of a vendor based on a scoring method. That score is driven by the information and access a vendor requires. A vendor risk score is based on a type of security rating, much like a FICO credit score. A strong Vendor Risk Management solution also manages compliance of vendors' remote access to your network.
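To make steps 1 through 6 concrete, here is an added example (not code from the original post or from any vendor product) of a minimal risk score driven by data classification, breach history and agreement terms, a tier that treats a missing HIPAA training or breach policy as high risk, and a check over access log lines for PHI reads by accounts of a vendor whose BAA is no longer active. The vendor records, weights, log format and thresholds are all assumptions chosen for illustration.

```python
# Added example, not code from the original post: a simple vendor risk score plus a
# check for PHI access by accounts of a vendor whose BAA is no longer active.
# Vendor records, weights and log lines are constructed placeholders.
from dataclasses import dataclass, field
import re

@dataclass
class Vendor:
    name: str
    data_classes: set = field(default_factory=set)  # e.g. {"PHI", "financial"}
    prior_breaches: int = 0                          # known past incidents
    baa_status: str = "active"                       # "active", "terminated" or "none"
    has_training_policy: bool = True
    has_breach_policy: bool = True

# Assumed weights for step 1: data classification, history, agreement terms.
DATA_WEIGHT = {"PHI": 40, "financial": 25, "strategic": 20}

def score_vendor(v: Vendor) -> int:
    """Higher means riskier; capped at 100."""
    score = sum(DATA_WEIGHT.get(c, 10) for c in v.data_classes)
    score += 15 * v.prior_breaches
    if "PHI" in v.data_classes and v.baa_status != "active":
        score += 30  # PHI shared without a live agreement
    score += 10 * (not v.has_training_policy) + 10 * (not v.has_breach_policy)
    return min(score, 100)

def risk_tier(v: Vendor) -> str:
    """Step 2: no HIPAA training or breach policy is high risk outright."""
    if not (v.has_training_policy and v.has_breach_policy):
        return "high"
    s = score_vendor(v)
    return "high" if s >= 70 else "medium" if s >= 40 else "low"

def prioritize(vendors):
    """Step 3: the vendors that need additional evaluation come first."""
    return sorted(vendors, key=score_vendor, reverse=True)

LOG_RE = re.compile(r"user=(\S+) vendor=(\S+) resource=(\S+)")

def terminated_baa_phi_access(vendors, log_lines):
    """Step 5: flag PHI access by accounts tied to a vendor with no active BAA."""
    status = {v.name: v.baa_status for v in vendors}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "PHI" and status.get(m.group(2), "none") != "active":
            hits.append((m.group(1), m.group(2)))
    return hits
```

A vendor absent from the inventory is treated as having no BAA, so an unknown vendor name touching PHI is flagged too.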
While these components are helpful in managing vendor risk, always remember, choose your vendors wisely.
Some questions to ask yourself about the vendors you are choosing:
- What is the track record of the vendor based on current and previous clients?
- Has the vendor experienced a breach in the past or ever been reported for security issues?
- Can a vendor that stores your PHI provide a SOC 2 report on their data center and information systems?
- What is the vendor willing to do if a HIPAA breach does occur within their realm?
You are welcome to schedule a meeting with me to discuss vendor risk management for your healthcare system.