Preventing Insider Breaches at BAs
Experts Provide Tips for Reducing Vendor Risks
Covered entities often find it difficult to detect and prevent unauthorized access to patient information by members of their staffs. Preventing breaches involving insiders at business associates can be even trickier.
In one recent incident, for example, Meritus Health reports that an employee at one of its business associates was found to be snooping in more than 1,000 patients' electronic health records.
It's impossible for covered entities to be 100 percent certain that BA employees aren't inappropriately accessing protected health information, says Keith Fricke, principal consultant at tw-Security. "People are the weakest link in security; behavior contrary to company policy and poor choices in how privileged access is used will always be a risk. Covered entities should assess the policies, practices and technology investments a BA has in order to gauge the BA's ability to prevent and detect inappropriate access."
Meritus Health is now dealing with the aftermath of an insider breach at a BA. In a statement, executives at one of its facilities, Hagerstown, Md.-based Meritus Medical Center, say that on May 5, they discovered during "routine compliance and self-audit efforts" that an employee of one of the hospital's "trusted vendors" may have accessed limited patient information outside of their normal job duties between July 2014 and April 2015.
A spokeswoman for Meritus Health declined to name the business associate involved with the privacy breach. But she tells Information Security Media Group that the vendor's employee was involved with patient services and had authorized access to the medical center's EHR system. A recent routine review of EHR access records, and a subsequent investigation, determined that the vendor's employee was "randomly" snooping at records of patients for whom the worker was not involved in care, the spokeswoman says.
The information that was potentially accessed by the vendor's employee included patients' names, ages, genders and medical record numbers and, in some instances, health insurance information, plus certain clinical information, such as treatment and/or diagnosis, according to Meritus. Also, a small subset of the affected patients may have had their Social Security numbers accessed, the healthcare provider says.
Meritus says it has no evidence that any of the information has been misused; it will provide free credit monitoring services on a case-by-case basis.
"To help prevent something like this from happening again, we are working to further strengthen controls related to vendor access to patient information, and we are enhancing our existing system monitoring capabilities with regard to vendor access," Meritus says in its statement.
The medical center provides role-based access to its EHR system, the Meritus spokeswoman says. However, because workers' roles frequently change within healthcare settings, she advises that other healthcare organizations also have their supervisors regularly review EHR access logs to help ensure privacy compliance.
The Meritus incident, which was reported to the Department of Health and Human Services' Office for Civil Rights on June 26, affected about 1,029 individuals, according to the OCR's "wall of shame" website, which lists health data breaches affecting 500 or more individuals since September 2009.
A July 7 snapshot of the wall of shame shows a total of 1,261 major breaches. Of those, 277, or nearly 22 percent, are listed as incidents involving "unauthorized access/disclosure." Of those breaches, 77 involved business associates and "unauthorized access/disclosure." However, the federal website doesn't list details of whether the unauthorized access/disclosure incidents involved insiders or others, such as hackers.
When it comes to employees of BAs, safeguarding protected health information can be tricky, for a number of reasons, privacy and security experts say.
"BAs are required under HIPAA Omnibus to conduct security awareness training for employees," notes Dan Berger, CEO of security consulting firm Redspin. "This is a start. They also need to be encouraged to create a 'culture of compliance' so that other employees speak up if and when they witness activity that seems suspicious or inappropriate."
Covered entities need to be more assertive in their dealings with their business associates, Berger stresses. For instance, they have the right to require that business associates conduct HIPAA security risk assessments, he notes. "We recommend adding this requirement to contract language come renewal time."
Steps to Take
Rebecca Herold, partner and co-founder of SIMBUS Security and Privacy Services and the SIMBUS Tracker, says covered entities can take several other steps to help ensure that employees of business associates don't inappropriately access PHI.
"For BAs who are coming into the covered entity's systems/applications/networks, those BA accounts should have logging turned on. Access to PHI data files should also be logged," she says. "The access logs should be reviewed regularly; typically daily, weekly or otherwise, depending upon the types of services the BA is providing."
In situations where BAs actually possess the PHI, such as a cloud service that stores data for a covered entity, "then audits need to also be performed, as appropriate, for the service they are providing," Herold says. "These can be accomplished in many different ways." Key steps to consider, she says, include:
- Contractually requiring access to PHI to be logged, and then sending the log reports regularly to the covered entity for review;
- Requesting BAs to complete and return security and privacy assessments;
- Having BAs complete monthly security attestations to establish accountability;
- Requiring BAs to provide a third-party risk assessment to show they have adequate security controls in place;
- Requiring BAs to provide documentation verifying the training activities they are providing to workers who have access to PHI.
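The access-log review that Herold and the Meritus spokeswoman recommend can be partly automated. The script below is an added example written for this article; it is not code from Meritus, from any of the quoted firms, or from any real EHR product. It parses a constructed EHR access audit log, compares each vendor (business associate) account's record accesses against a constructed table of the patients that account is assigned to, and separately flags accounts that open several distinct patient records within a short window, the pattern that random browsing of charts tends to leave. The log format, account names, medical record numbers, assignment table and thresholds are all assumptions.

```python
"""Review an EHR access audit log for out-of-scope access by vendor accounts.

Added example for illustration only. Every log line, account name, MRN and
care assignment below is constructed; none comes from a real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: timestamp, account, account type, patient MRN, action.
# Vendor (business associate) accounts are tagged "vendor"; staff are "staff".
SAMPLE_LOG = """\
2015-04-01T08:02:11,vendor_ba01,vendor,MRN1001,view
2015-04-01T08:05:40,vendor_ba01,vendor,MRN1002,view
2015-04-01T08:06:02,vendor_ba01,vendor,MRN2201,view
2015-04-01T08:06:15,vendor_ba01,vendor,MRN2202,view
2015-04-01T08:06:27,vendor_ba01,vendor,MRN2203,view
2015-04-01T09:10:00,vendor_ba02,vendor,MRN1003,update
2015-04-01T09:30:00,nurse_jdoe,staff,MRN1001,view
"""

# Constructed care assignments: the patient records each vendor account
# legitimately needs for its service (its "minimum necessary" set).
ASSIGNMENTS = {
    "vendor_ba01": {"MRN1001", "MRN1002"},
    "vendor_ba02": {"MRN1003"},
}


def parse_log(text):
    """Parse comma-separated audit lines into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, utype, mrn, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "type": utype, "mrn": mrn, "action": action})
    return records


def find_out_of_scope_access(records, assignments):
    """Map each vendor account to the sorted MRNs it touched outside its
    assignment. Accounts with no assignment entry are treated as having none."""
    hits = defaultdict(set)
    for r in records:
        if r["type"] != "vendor":
            continue
        allowed = assignments.get(r["user"], set())
        if r["mrn"] not in allowed:
            hits[r["user"]].add(r["mrn"])
    return {user: sorted(mrns) for user, mrns in hits.items()}


def burst_accounts(records, window=timedelta(seconds=60), min_distinct=3):
    """Return the accounts that opened at least min_distinct different patient
    records within any sliding window of the given length (a browsing signal
    that works even when no assignment table exists)."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    flagged = set()
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, start in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > window:
                    break
                seen.add(r["mrn"])
            if len(seen) >= min_distinct:
                flagged.add(user)
                break
    return flagged


def summarize(findings, bursts):
    """Render findings as one report line per account, sorted by account."""
    lines = []
    for user, mrns in sorted(findings.items()):
        tag = " (rapid browsing)" if user in bursts else ""
        lines.append(f"{user}: {len(mrns)} out-of-scope records: "
                     f"{', '.join(mrns)}{tag}")
    return lines


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for line in summarize(find_out_of_scope_access(recs, ASSIGNMENTS),
                          burst_accounts(recs)):
        print(line)
```

The window and threshold are placeholders to be tuned to the service the BA actually provides; the harder part in practice is keeping the assignment table current, since roles change often in healthcare settings, which is why the article pairs automated logging with periodic supervisor review.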
Andrew Hicks, healthcare practice director at risk management consulting firm Coalfire, says information access management can play a key role in thwarting insider breaches at BAs.
"The covered entity should ensure a business associate provides access according to applicable requirements of the HIPAA Privacy Rule," Hicks says. "This will include controls over access to workstations, transactions, programs, processes or other mechanisms along with following minimum necessary standards in establishing/modifying user access."
Hicks also points out that healthcare entities have the responsibility to perform due diligence on their vendors and develop a comprehensive vendor management program.
"The HIPAA Omnibus Rule not only mandates that BAs comply with HIPAA regulations, but covered entities must gain 'satisfactory assurances' that their BAs and the BAs' downstream subcontractors have a mature security program in place to protect their CE customers' ePHI," Hicks notes. "However, the fact remains that most BAs - large and small - do not have strong controls in place when it comes to people, processes and technology, so these breaches are going to continue."