[BreachExchange] BA Security Is Probably a Lot Worse Than You Think

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 16 18:36:00 EDT 2016


http://www.databreachtoday.com/blogs/ba-security-probably-lot-worse-than-you-think-p-2133

The federal tally of major health data breaches is littered with hundreds
of incidents blamed on business associates that affected a total of tens of
millions of individuals. But vendor involvement in breaches is probably
actually a lot worse than what's reflected on the Department of Health and
Human Services' Office for Civil Rights' "Wall of Shame".

A May 13 snapshot of the tally, which lists breaches affecting 500 or more
individuals, shows 1,551 breaches impacting 158.2 million individuals since
late 2009, when OCR began keeping track. Of those breaches, 311 affecting a
total of 26.6 million individuals are listed as incidents where a covered
entity reported to OCR that a business associate was "present."

But a review of a few recent breaches listed on the OCR tally as having no
BA "present" reveals some inaccuracies.

BAs Present?

For instance, on April 28, Northstar Healthcare Acquisitions LLC - parent
of Northstar Healthcare Surgery Center - reported to OCR a stolen laptop
breach that impacted nearly 20,000 individuals. The OCR tally's listing for
the incident does not list a BA as "present," which conflicts with an
earlier public breach notification statement.

Software vendor EqualizeRCM Services, in an April 28 breach notification,
acknowledges that it was the root of the breach.

"On Feb. 26, we learned that an EqualizeRCM laptop containing patient data
was stolen from one of its employees. Law enforcement was informed and
EqualizeRCM immediately began an investigation into the incident and what
information may have been impacted," the vendor says in the notification
posted on its website.

The statement lists eight healthcare providers whose patient data was
contained on the stolen laptop, including Northstar Healthcare Surgery
Center, which appears to be the only affected healthcare entity so far
listed on the Wall of Shame.

Northstar Healthcare did not immediately respond to my inquiry about why
its recent laptop breach is listed on the Wall of Shame as having "no" BA
involved.

Several other recent incidents listed on the Wall of Shame are described as
having no BA "present" despite evidence that BAs, indeed, were involved.

OCR Response

Based on what OCR tells me, there doesn't seem to be a clear reason for the
apparent discrepancies. "We confirm all breach reports with the entities
before posting, and we post the information as reported and confirmed by
the entity to the [breach tally] website," an OCR spokeswoman says.

"We do not independently modify any information on breach reports before or
after posting," she says. "However, in cases where a business associate is
responsible for a breach involving over 500 individuals, OCR
investigates the business associate, as well as the covered entity. OCR can
open a compliance review on a business associate responsible for a breach
at any time."

BA Accountability

My main concern isn't the accuracy of information listed on the Wall of
Shame, but the fact that BAs are culprits in far more breaches than many
organizations realize. In fact, OCR even reminded healthcare organizations
in recent guidance about the serious security and privacy risks that BAs
pose, and the steps that should be taken to mitigate those risks.

More than half of the covered entities that participated in a recent health
data security and privacy survey conducted by the Ponemon Institute admit
they are not vigilant in ensuring that their partners and third parties
protect patient information (see What's Fueling Surge in Health Data
Breaches?).

Clearly, vigilance is warranted. Some 61 percent of BAs surveyed by Ponemon
said they had at least one data breach involving the loss or theft of
patient data in the past 24 months, while 28 percent of those vendors
admitted their organization had more than two breaches during the same
period.

A majority of surveyed BAs blamed their security vulnerabilities on
employees' negligence in handling patient information, followed by a lack
of technologies to mitigate a data breach.

Stemming BA breaches requires covered entities to exercise more scrutiny
over vendor security practices before - and after - they sign vendor
contracts. Preventing these breaches also requires far more effort by the
vendors and their subcontractors - ranging from security and privacy
training for staff to implementing stronger policies, procedures and
technologies.