
Vendors In Your Breaches – Ep 391 

 January 27, 2023

By  Donna Grindle

Knowing what vendors your BAs may use to provide services to your organization is crucial. Those downstream vendors could be the cause of a breach of your data. Signing a BAA does not prove a BA is properly securing your data. Vetting your vendors is as important as making sure your vendors are vetting their vendors.

A 5 star review is all we ask from our listeners.

In this episode:


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


Overdue shout out to Wendy, who sent us a link to one of the 2021 website tracking settlements. Thanks for the note and thanks for listening. Just so you all know, Wendy said: “Love your podcast and I don’t even work in healthcare!”


HIPAA Say What!?!

BAAs

[10:05] The same issue popped up twice in two weeks here at Kardon. Do you have to have a signed BAA?

BAAs must be signed by both parties. It is the responsibility of the upstream CE or BA to make sure that you have a BAA legally executed before giving anyone access to any PHI. That includes having it signed and countersigned. You must actually have a copy of it to be able to prove it.

Do your contract audits sooner rather than later, if you haven’t done one recently.

Privacy Rule changes

[15:48] A question came up about changes to the Privacy Rule in 2023.

First, we have a lot of Privacy Rule changes in the NPRM request for comments from way back in 2019/2020 that were extended and have been in a holding pattern since then. Well, those may be coming back to the top of our list. I say “may” only because it isn’t really clear. If you look in the official legal details, Rule Change Status, it says it has been in the “Final Rule Stage” since 2021. But… it also says the final action date is 03/00/2023. The question is what will they do in March?

There are some less complex changes in the proposed rule that won’t be that bad to implement, but some of the requirements will take much longer to evaluate and implement. If they do call it final in March, we all still have 200+ days to implement the changes after that. Be aware that the changes may be finalized in March; at this point we are keeping an eye on them. If you have a large entity where these things take years to address, start sorting it out now.

Second, we will likely also see the updates proposed to align with the 42 CFR common rules for substance abuse requirements come into play this year.

We recommend you keep an eye on these updates and prepare to address them. Take a few minutes to review our episodes on them and start a plan for implementation of the big ticket items.

Privacy Rule Proposed Changes – Ep 291

4 Ransomware Stats For Planning – Ep 362

Vendors In Your Breaches

[21:28] Each year we export the OCR Breach Portal stats to do some analytics on the breaches occurring and what we can learn from the info. Two things are very obvious:

  • IT Incidents and Hacking are by far the most likely breach for 500+ patients.
  • Vendors are very much involved in the breaches being reported.

Before we get started, we have to remind ourselves and everyone else that these stats only relate to breaches involving 500+ patients. If there were 10 breaches of 400 patients each, those numbers don’t get included here. Another important thing: we downloaded the raw data from the portal and ran these numbers ourselves. THESE ARE NOT AUDITED NUMBERS AND MAY NOT MATCH OCR REPORTING.

[Chart]

The number of cases and patients by entity type are telling. First, we see the numbers by the reported entity. Keep in mind, a CE can report a breach by a BA. We will see those accounted for next.

[Chart]

Now, the same numbers with the breaches reported by a BA and the breaches where the CE said a BA was involved combined, for comparison purposes.

[Chart]

These numbers are exactly why we are discussing vetting vendors and BAs dealing with breach notifications at the PriSec Boot Camp.

These numbers do not tell us how secure the sites were when a breach occurred. They simply tell us the problem is there no matter how well you are protected.
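The two cuts described above (cases and patients by the entity that filed, and a combined "BA involved" view that also counts CE reports flagging a BA) can be reproduced from a portal export with a few lines of Python. This is an added example, not the show's own analysis script; the column names are an assumption about the portal's CSV export, and the rows are constructed for illustration, not real breach reports.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the shape of an OCR breach portal CSV export.
# Column names are an assumption about the export format; the rows are
# made up for illustration and are not real breach reports.
SAMPLE_CSV = """Name of Covered Entity,Covered Entity Type,Individuals Affected,Type of Breach,Business Associate Present
Clinic A,Healthcare Provider,1200,Hacking/IT Incident,No
Plan B,Health Plan,5400,Hacking/IT Incident,Yes
Vendor C,Business Associate,271000,Hacking/IT Incident,No
Clinic D,Healthcare Provider,800,Unauthorized Access/Disclosure,Yes
Clinic E,Healthcare Provider,650,Theft,No
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def by_reported_entity(rows):
    """Cases and patients keyed by the entity type that filed the report."""
    totals = defaultdict(lambda: {"cases": 0, "patients": 0})
    for r in rows:
        t = totals[r["Covered Entity Type"]]
        t["cases"] += 1
        t["patients"] += int(r["Individuals Affected"])
    return dict(totals)

def ba_involved(rows):
    """Combined view: a BA filed the report, or a CE said a BA was present."""
    hits = [r for r in rows
            if r["Covered Entity Type"] == "Business Associate"
            or r["Business Associate Present"].strip().lower() == "yes"]
    return {"cases": len(hits),
            "patients": sum(int(r["Individuals Affected"]) for r in hits)}

def hacking_share(rows):
    """Share of cases and of patients attributed to Hacking/IT Incident."""
    hack = [r for r in rows if r["Type of Breach"].startswith("Hacking")]
    total_patients = sum(int(r["Individuals Affected"]) for r in rows)
    return (len(hack) / len(rows),
            sum(int(r["Individuals Affected"]) for r in hack) / total_patients)

if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print(by_reported_entity(rows))
    print(ba_involved(rows))
    print(hacking_share(rows))
```

Point the loader at the real export (the same column names, if the assumption holds) and the combined view shows how much larger the vendor footprint is than the "Business Associate" filer count alone.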

[32:58] These cases continue to become more complicated:

Hack on a Services Firm’s Vendor Affects 271,000 Patients

This article written by Marianne Kolbasuk McGee on the Healthcare Info Security site covers some interesting points. First, let’s explain what is known.

Avem Health Partners, an Oklahoma-based BA that provides administrative and IT services to healthcare organizations, has reported a breach to the Maine AG. That was filed Dec 13. It said there were 271,000 patients involved. However, that breach doesn’t appear to be listed on the OCR portal yet.

According to the Maine notification, “patient information stored on servers of one of its vendors was subject to unauthorized access in an external hacking incident in May”. Supposedly, the hacking incident involved a third-party data storage vendor.

The statement on the Avem website with a title of Notice of 365 Data Centers Data Security Incident, says they were “notified of a data security incident experienced by 365 Data Centers, a data storage vendor used by a third-party service provider engaged by Avem.”

So, a CE hires Avem to do IT work, they hire someone else to manage data storage who then hires 365 Data Centers to house the data. CE – Avem – BA of Avem – 365 Data Centers – three levels downstream from the CE. That is how far removed from the CE the incident occurred.

To complicate matters further, the incident was discovered in May 2022. Avem was notified Sept 9. Avem did their review, which concluded on Oct 6. The undated website notice only says they will soon begin mailing letters to patients. They complete that short notice by saying:

We regret any concern or inconvenience this incident may cause. Avem is in the process of examining its vendor relationships and evaluating vendors’ security measures.

The plot does thicken though. It seems 365 Data Centers are not happy to be thrown under the bus. Here is what their lawyer told the website when asked about the incident.

Scott Mendeloff, an attorney representing 365 Data Centers, in a statement to Information Security Media Group Tuesday evening, says that Avem’s filing with the Maine attorney general’s office “alleges that Avem was the customer of another (unnamed) entity that allegedly was a 365 customer.”

But Avem’s Maine filing “fails to include the fact that on July 13, our client 365 notified all its affected clients that a highly reputable independent third-party cybersecurity firm had examined 365’s systems and attested ‘with a very high degree of confidence [that 365’s] cloud environment’s connected devices contain no malware and that there is no evidence of unauthorized access to or exfiltration of data’ from the 365 system,” he says.

“In other words, if Avem data had been in the 365 cloud environment, the cybersecurity expert found no indication that those data had been accessed or removed,” he says.

Avem hasn’t responded to that as far as we can tell.

[44:21] The article also references some quotes from an attorney:

“It may be prudent to reconsider how regulated entities are framing their contractual protections and exposure with regard to vendors,” says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
“More attention will need to be paid to business associate agreement indemnity provisions, and I suspect that there will be or should be a harder push to employ vendor security questionnaires and vendor audits.”
“I would not be surprised if we start seeing more commercial lawsuits filed by covered entities against vendors that did not institute an adequate security program,” he says. “I could also see a push to include express terms in large vendor contracts that more easily enable a breach of contract claim for failing to implement certain security protections.”

The many BAs who tell us they don’t have to worry about the breach notification rule because that is an upstream problem need to start thinking about a much bigger picture, and soon.

Just another reason to come to the PriSec Boot Camp in March 2023! We are starting the Boot Camp discussing supply chain risk management because it can affect everything else you are doing.

Covered entities have got to tighten up their BA management processes. It’s not just about having a signed BAA. You have got to understand what services your BAs are providing you and whether they use additional vendors to deliver those services. Downstream BAs could be the source of a breach of your data one day. Vet your vendors, folks. And make sure your BAs are vetting their downstream BAs as well.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
