Securing the Healthcare Data Supply Chain
Published On June 16, 2020
Blog Post by Cliff Baker, CEO at CORL Technologies
I recently had the opportunity to deliver a presentation alongside leadership from the Office for Civil Rights (OCR) on the state of HIPAA Security Rule compliance and risk management for third-party Business Associate vendors servicing the healthcare industry.
The breach data and enforcement updates supplied by OCR reinforced my perspective on the paradigm shift currently underway for healthcare delivery in the migration of critical business functions to third-party cloud-based platforms. I believe this movement has reached a critical-mass threshold and introduces game-changing implications for information security and compliance programs.
The ability to get visibility into third-party data supply chains and their respective security and compliance postures will soon become the paramount mandate for information security programs. Effective healthcare security and compliance programs of the next decade must quickly adjust their orientation in 2020 towards the oversight and protection of downstream vendors and systems responsible for critical business functions.
Electronic Boundaries are Rapidly Disappearing
Gone are the days of 1-on-1 relationships between physicians and patients for the evaluation and delivery of care. High-quality patient care in 2020 and beyond requires an army of specialists, technology, analytics, and data, the majority of which are supplied by third-party organizations. These third parties, in turn, leverage their own partners and suppliers as terabytes of sensitive data gets shuffled along to a growing number of people and platforms.
The speed to adoption and implementation of third-party cloud-hosted solutions vastly surpasses legacy IT implementation models. The downside to that rapid deployment pace, however, is that security and compliance teams have less time to evaluate and remedy potential security weaknesses. For example, migrating major business systems like email and calendaring to Office 365 in the cloud may now take weeks and months rather than years.
The marketing and sale of solutions directly to business units and the bypassing of standard IT and security checkpoints, often referred to as “Shadow IT”, has also resulted in substantive blind spots for security teams that has hindered the ability of many organizations to maintain consistent alignment with security and compliance standards.
Third-Party Dependence Introduces New Business Risk Exposures
The healthcare industry has begun en masse to move critical business and clinical operations to the cloud including Electronic Health Records, finance and billing systems, and more. This means that information security risks for these business functions are becoming less focused on regulatory compliance and more driven by the availability and integrity of these essential systems used for the routine delivery of care.
As a result, third-party risk management programs have been vaulted from primarily compliance-driven functions to critical business-enabling functions that monitor and manage the organization’s vulnerable dependence on third parties to maintain patient safety and core business operations.
CORL’s assessment results of over 65,000 vendors servicing healthcare demonstrates clearly that third parties are not consistently exercising the level of care and diligence necessary to deliver reliable care and uphold the regulatory requirements that Covered Entities are responsible for ensuring across their supply chain.
A Compliance Lens: Regulatory Updates from OCR for Business Associates
Let’s take a look at the breach and enforcement trends provided by OCR this week that related specifically to third-party Business Associate compliance liability and risk factors.
- 2019 was the biggest year of reported breaches of over 500 records to date, with 511 reported breaches in 2019 compared to 371 in 2018, 358 in 2017, 329 in 2016, and 270 in 2015.
- Hacking and IT/Network based incidents were identified as the largest growing source of beaches in 2020. This corresponds with other industry reports of massive increases in network and cloud-based attacks including a recent report from McAfee that cites a 630% increase in remote attacks on third-party cloud services.
Source: US Department of Health and Human Services Office for Civil Rights June Presentation with CORL Technologies
- Email and phishing were identified as the most dominant attack vector for reported breaches in 2020.
- OCR issued guidance in 2019 on the direct liability of Business Associates. Business Associates must comply with the HIPAA Security Rule, must provide breach notification to Covered Entities and other Business Associates, and must cooperate with investigations from HHS and OCR.
- Top sources of Covered Entity fines from OCR include Business Associate Agreements as the #1 item on the list.
- Business Associate Agreements
- Risk Analysis
- Failure to Manage Identified Risk, e.g. Encryption
- Lack of Transmission Security
- Lack of Appropriate Auditing
- Patching of Software
- Insufficient Data Backup and Contingency Plan
- Individual Right to Access
- Security risk analysis activities by Covered Entities are too often lacking and not inclusive of third-party platforms and systems.
- Some Business Associates have taken a position that if they refuse to sign a Business Associate Agreement (BAA) then they are not liable for HIPAA Security Rule compliance mandates. OCR reiterated that the law specifies that organizations acting as Business Associates are in scope for HIPAA regardless of whether or not a formal BAA was executed.
- Breach reporting is taking longer, and rules are not being interpreted correctly. For example, OCR indicated that you can’t wait for a full forensics investigation with your Business Associate or otherwise in order to start the 60 day counter for notification. The 60-day mark starts as soon as you are aware of a potential breach. You must notify OCR “without reasonable delay”; 60 days is the maximum and you should not wait that long every time out.
Fines and resolution agreements last year that featured Business Associate compliance gaps include:
- West Georgia Ambulance ($65k) - OCR cited a lack of policies and procedures implemented to cover third-party Business Associates.
- Bay Front Health ($85k) - citied with a lack of training and acknowledgement for the organization’s Business Associates and inadequate reporting of Business Associates who violate related policies and procedures.
- Dr Steven Porter ($100k) - fined in part for lacking executed Business Associate Agreements.
- Sentara Hospitals ($2.1m) - failed to execute a Business Associate Agreement with a sub-entity that experienced a breach event.
- Touchstone Medical Imaging ($3m) - OCR issued a resolution agreement with a requirement to revise and implement all policies and procedures for handling and maintaining Business Associate compliance and related agreements (BAAs).
OCR leadership noted some exceptions the HIPAA Security Rule requirements during COVID-19 including the lack of penalties for good faith sharing of PHI for public health including sharing from Business Associates.
Recommendations for Healthcare Third-Party Vendor Security Programs
- Develop repeatable, scalable, high-quality, and efficient vendor assessment models to keep pace with the rapid deployment of critical systems to cloud-hosted and downstream platforms.
- Invest in controls and business relationships to respond and recover from incidents involving third-party organizations and platforms.
- Incorporate third-party vendor assessments into your HIPAA Security Rule risk analysis processes and reporting models.
- Inventory and prioritize cloud-hosted platforms for compliance and business criticality including patient care and operations (telehealth, EHRS, billing, etc.).
- Conduct targeted security assessments including penetration tests of critical and newly deployed cloud platforms including Office365, AWS, Azure, telehealth, and others. Attacks are ramping up and it is critical to identify any material exposures.
- Continue to require and pursue security certifications like SOC 2 and HITRUST for cloud-hosted solutions to obtain third-party validation of controls.
- Build a cloud-specific security strategy; this may very well become the foundation of your overall enterprise security risk management program in the coming decade.
The future threat to healthcare information security and compliance will be less related to disclosure of sensitive patient information and more about patient safety, availability, and integrity of core business processes. Our team here at CORL has the experience and capabilities to accelerate and position your third-party security risk program to address the current and future protections required for securing the healthcare data supply chain.
Watch our webinar replay with OCR for more information and details on OCR's 2019-2020 year in review.