BA Security Is Probably a Lot Worse Than You Think

Tally of Health Data Breaches Apparently Undercounts Incidents Involving BAs
The federal tally of major health data breaches is littered with hundreds of incidents blamed on business associates that affected a total of tens of millions of individuals. But vendor involvement in breaches is probably actually a lot worse than what's reflected on the Department of Health and Human Services' Office for Civil Rights' "wall of shame".
A May 13 snapshot of the tally, which lists breaches affecting 500 or more individuals, shows 1,551 breaches impacting 158.2 million individuals since late 2009, when OCR began keeping track. Of those breaches, 311 affecting a total of 26.6 million individuals are listed as incidents where a covered entity reported to OCR that a business associate was "present."
But a review of a few recent breaches listed on the OCR tally as having no BA "present" reveals some inaccuracies.
For instance, on April 28, Northstar Healthcare Acquisitions LLC - parent of Northstar Healthcare Surgery Center - reported to OCR a stolen laptop breach that impacted nearly 20,000 individuals. The OCR tally's listing for the incident does not list a BA as "present," which conflicts with an earlier public breach notification statement.
Software vendor EqualizeRCM Services, in an April 28 breach notification, acknowledges that it was the root of the breach.
"On Feb. 26, we learned that an EqualizeRCM laptop containing patient data was stolen from one of its employees. Law enforcement was informed and EqualizeRCM immediately began an investigation into the incident and what information may have been impacted," the vendor says in the notification posted on its website.
The statement lists eight healthcare providers whose patient data was contained on the stolen laptop, including Northstar Healthcare Surgery Center, which appears to be the only affected healthcare entity so far listed on the wall of shame.
Northstar Healthcare did not immediately respond to my inquiry about why its recent laptop breach is listed on the wall of shame as having "no" BA involved.
Several other recent incidents listed on the wall of shame are described as having no BA "present" despite evidence that BAs, indeed, were involved.
Based on what OCR tells me, there doesn't seem to be a clear reason for the apparent discrepancies. "We confirm all breach reports with the entities before posting, and we post the information as reported and confirmed by the entity to the [breach tally] website," an OCR spokeswoman says.
"We do not independently modify any information on breach reports before or after posting," she says. "However, in cases where a business associate is responsible for a breach involving over 500 individuals, OCR investigates the business associate, as well as the covered entity. OCR can open a compliance review on a business associate responsible for a breach at any time."
My main concern isn't the accuracy of information listed on the wall of shame, but the fact that BAs are culprits in far more breaches than many organizations realize. In fact, OCR even reminded healthcare organizations in recent guidance about the serious security and privacy risks that BAs pose, and the steps that should be taken to mitigate those risks.
More than half of the covered entities that participated in a recent health data security and privacy survey conducted by the Ponemon Institute admit they are not vigilant in ensuring that their partners and third parties protect patient information (see What's Fueling Surge in Health Data Breaches?).
Clearly, vigilance is warranted. Some 61 percent of BAs surveyed by Ponemon said they had at least one data breach involving the loss or theft of patient data in the past 24 months, while 28 percent of those vendors admitted their organization had more than two breaches during the same period.
A majority of surveyed BAs blamed their security vulnerabilities on employees' negligence in handling patient information, followed by a lack of technologies to mitigate a data breach.
Stemming BA breaches requires covered entities to exercise more scrutiny over vendor security practices before - and after - they sign vendor contracts. Preventing these breaches also requires far more effort by the vendors and their subcontractors - ranging from security and privacy training for staff to implementing stronger policies, procedures and technologies.