Preventing Business Associate Health Data BreachesPrivacy and Security Expert Susan Lucci Outlines Action Items
Because business associates have been culprits in heath data breaches impacting millions of individuals, healthcare entities need to be diligent in taking steps to reduce the persistent risks these vendors pose, says privacy and security expert Susan Lucci.
"Business associates should be viewed as an extension of your workforce," says Lucci of the consultancy tw-Security.
"In other words, they're fulfilling roles and doing tasks that need to be done in the delivery of healthcare," she says in an interview with Information Security Media Group. "But what happens is that this is handled through contracting. ... I would like to see better relationship building. Know who the privacy and information security officer is on the business associate side."
Covered entities also need to do a better job vetting their business associates, she says.
A recently formed CISO council is pushing its vendors to become certified in the HITRUST common security framework. But that's not necessarily a tactic that works for smaller organizations, Lucci notes.
"It can't be a one-sized fits all [approach]. Certainly the larger business associates can afford to go down these rigorous prescriptive steps in terms of security compliance. But smaller organizations simply don't have the ability to do that," she says.
Plus, enforcement of these demands by covered entities can prove difficult, she notes. "I'm not sure that there's enough of the checks and balances going on in the first place."
Relationship building and ongoing dialogue could help to ensure vendors are taking steps to meet their security and privacy obligations, she says.
In the interview (see audio link below photo), Lucci also discusses:
- Issues contributing to hacker attacks and unauthorized access and disclosure incidents, two of the most common health data breaches involving business associates;
- Ways to reduce the risk of insider breaches;
- Key steps healthcare organizations should take to improve their breach prevention programs in the year ahead.
Lucci, a senior privacy and security consultant at tw-Security, has more than 35 years of health information management and HIPAA compliance leadership experience. She serves on the American Health Information Management Association's privacy and security practice council. She is also author of the Association for Healthcare Documentation Integrity's "2017 HIPAA Compliance Guide & Quick Reference," as well as a contributor to several other books and publications.