News | 3/18/2014 12:45 PM

Healthcare Data Security: Focus On 'Business Associates'

Healthcare professionals don't trust service providers' handling of patient data, study shows. Cloud services aim to help providers take control of those relationships.

[Slideshow: 8 Data Centers For Cloud's Toughest Jobs]

With regulators seeking tighter control over the role of external contractors in assuring healthcare privacy and security, other third parties are offering to help audit those relationships with services from the cloud.

Under the Department of Health and Human Services (HHS) HIPAA Final Omnibus Rule, contractors and subcontractors who work with healthcare providers, insurers, or other services that process patient health information (PHI) must meet HIPAA privacy rules. Referred to by regulators as "business associates," these external parties also include IT service providers. Despite the mandate that business associates meet HIPAA requirements, 40% of healthcare professionals are "not confident" and 33% are only "somewhat confident" in their partners' capacity to manage patients' sensitive data, according to Ponemon Institute's Fourth Annual Benchmark Study on Patient Privacy & Data Security, released on March 13.

Many business associates are falling short, said Larry Ponemon, chairman and founder of the Ponemon Institute, during a conference call to discuss the report. "I don't think it's malicious or deliberate, but I don't think they're doing everything they need to do to comply with the Omnibus rule and HIPAA requirements," he said.

[Are new healthcare regulations luring more data thieves? Read Obamacare Vs. Patient Data Security: Ponemon Research.]

IT service providers pose the biggest threat, according to 75% of those surveyed. Claims processors took second place with 47%, and benefits managers came in third at 33%. Nearly 20% of respondents cited pharmacy benefits managers as the greatest threat. Fewer than 10% of respondents also listed data analysts and consulting, accounting, and legal services.

Their concerns may be well founded. Although the deadline for compliance was September 2013, a survey that month showed that 60% of third-party service providers were somewhat or not at all sure of their responsibilities under the Omnibus Rule -- and only 44% were compliant. Only 36% had been asked to sign a new business associate agreement, according to Coalfire Systems, which sponsored the report.

Large healthcare organizations often have hundreds of business associates, Rick Kam, president and co-founder of ID Experts, pointed out. Updating, reviewing, and maintaining those contracts is time-consuming -- but on the other hand, the costs associated with a poorly designed program can be both huge and public.

"The key variable is to know the organizations that you've contracted with, [and] to make sure they've stepped up to the plate in ensuring the data you've entrusted them with," said Ponemon. "Are they compliant with other generally accepted good practices? There's a lot that can be done." For example, he suggested, providers can conduct audits, centrally manage agreements, and buy adequate amounts of the right insurance.

Creating conviction
Despite overwhelming distrust on the part of healthcare professionals, IT service providers want to resolve the credibility gap when it comes to handling patient data, according to Coalfire, a 13-year-old company that provides cloud-based IT audit, risk assessment, and compliance management systems and services to various vertical-market healthcare, financial, and retail customers.

Coalfire's HIPAAcentral, a cloud-based compliance exchange, is designed to help covered entities, business associates, and subcontractors manage, maintain, and exchange regulatory compliance data. Under the exchange, business associates assess their own compliance and share the results, explained Andrew Hicks, healthcare practice lead at Coalfire, in an interview. Covered entities can centrally manage their partner relationships. The company's compliance-as-a-service offering includes a free entry-level assessment, with paid tiers of service such as Rapid HIPAA for risk tolerance. Business associates can disclose their compliance and controls -- such as meeting minutes or policies -- to healthcare providers.

When investing money at a bank, Hicks said, you look for cameras, vaults, and security systems. When healthcare providers share patient data, they want to ensure partners have invested in security systems and policies. "CEs want to know, 'Hey, this is my data. How are you securing it? How are you going to keep it safe?' "

Convenience and risk reduction are two reasons HealthShare Montana recently signed on with Coalfire, according to Brad Putnam, executive director at the electronic health information exchange for the state of Montana.

"Many healthcare organizations, especially those smaller facilities located in rural and frontier areas, updated their BA agreements but do not have the internal capacity or acumen to effectively manage the due diligence responsibilities associated with them," he explained. "Coalfire's HIPAAcentral provides a very low-cost way to help healthcare organizations with the understanding of what is now required to manage BA relationships and a single location from which to do it. HIPAAcentral can easily reduce costs and provide ROI by reducing the risk of significant fines for not properly managing BA relationships, as well as making the entire process of managing those relationships far quicker, reducing the labor costs associated with complying with the [Omnibus] Rule."

For its part, Kroll Advisory Solutions developed the Business Associate HIPAA Self Assessment Risk Management (BA HSRA), a self-guided assessment available through Kroll's client portal. The tool includes on-demand access, collaboration capabilities, unlimited access for 12 months, and reporting review. The final report documents an organization's completion of the assessment, overall scoring, and full responses to each question.

Download Healthcare IT In The Obamacare Era, the InformationWeek Healthcare digital issue on changes driven by regulation. Modern technology created the opportunity to restructure the healthcare industry around accountable care organizations, but ACOs also put new demands on IT.

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...

Comments

pfretty (User Rank: Moderator), 3/18/2014 | 1:54:18 PM
Cost of Healthcare breaches
Understandable that healthcare firms would like to keep data access closer to the vest. According to the Ponemon's 2013 Cost of Cyber Crime report (http://www.hpenterprisesecurity.com/ponemon-study-2013), cyber crime on average costs organizations within this sector $6.83 million per year. It takes a solid mix of security intelligence, education and technology to battle the risks.

Peter Fretty, IDG blogger working on behalf of HP
Alison_Diana (User Rank: Author), 3/19/2014 | 9:28:52 AM
Re: Cost of Healthcare breaches
Security breaches cost healthcare organizations not only in fines and penalties, but in lost trust and reputation damage. We've seen the impact on Target and many security and healthcare pros agree that a similar situation is likely to occur within healthcare. Given the many links in the chain of healthcare relationships, it's understandable that providers are nervous about merely taking partners' assurances for granted. Yet does this industry need another layer of certification? I don't think so: If partners can prove they truly are HIPAA-compliant, then that should assure healthcare providers about the safety of sharing data with these business associates.

In reality, I believe cloud -- from a HIPAA-compliant, proven and reputable provider -- is more likely to be secure than ensuring data to a bunch of providers' on-site datacenters. After all, cloud providers focus exclusively on providing these services to customers. If they don't meet (or surpass) physical and cyber security best practices they will be out of business. How many companies can afford armed guards, the highest level of security systems, and the latest cybersecurity systems? Not many -- yet these are typical at cloud service providers.
mattt1986 (User Rank: Apprentice), 3/19/2014 | 2:10:15 PM
Interesting but...
Interesting story, but the first thing that caught me was Alison Diana's avatar...her face says..."This photo was taken without much warning and I am not too happy about being in it". :)
mattt1986 (User Rank: Apprentice), 3/19/2014 | 2:20:34 PM
Re: Interesting but...
OK, now a real comment. Speaking as someone in (but not necessarily representing) the healthcare data hosting industry, I can tell you that the regulatory burdens placed on BA's by HIPAA are WAY out of line with the actual threats that face our industry.

Instead of figuring out creative ways to protect and insure availability of patient data, BA's spend their time complying with onerous, mealy-mouthed and outdated regulations that have no bearing on the actual protection of patient data. Just a honey pot for auditors and lawyers.

Also, let's be honest. What are the REAL consequences if your ePHI is compromised? If your debit card is stolen, the thieves drain your checking account, or god forbid your savings account, and you are ruined. If the results of your last colonoscopy are stolen, I highly doubt that could be used against you in any measurable way.

My point is, we spend a lot of time and money protecting data that has very little real value to anyone but the owner.
matsmd (User Rank: Apprentice), 3/19/2014 | 9:28:38 PM
Re: Interesting but...
I don't think anyone would be very interested in your colonoscopy result. But let's say that you have recently been treated for gonorrhea and the names of the 10 women you infected in the last year are also in your file (as they would be, since it's a reportable venereal disease).

Is this something you would feel comfortable sharing with your church group, your boss or your co-workers?
Alison_Diana (User Rank: Author), 3/20/2014 | 3:45:21 PM
Re: Interesting but...
Not sure whether it's reality or perception, but some people worry that if their individual health information gets out there it could hurt them financially. You mentioned STDs in your third comment: That might affect their employment or advancement opportunities at work. And while they may have successfully hidden the affliction from a partner, once it becomes public that might be more difficult to do, leading to a breakup/expensive divorce/public embarrassment.
Alison_Diana (User Rank: Author), 3/20/2014 | 3:46:59 PM
Re: Interesting but...
You can go to a bank and reset your credit card or debit card information. Although it's expensive and time-consuming, you can get your financial history reset. But your health information stays with you for life. Once it's out there and public, there's nothing anyone can do to get it back in the bottle, so to speak. I think that's the main reason people and government want to ensure it's always secure. 
Alison_Diana (User Rank: Author), 3/20/2014 | 3:41:30 PM
Re: Interesting but...
Unlike my teenage daughter, I'm not that fond of having my photo taken, no! - Alison
matsmd (User Rank: Apprentice), 3/19/2014 | 9:07:06 PM
How do you know
In the article above it says: "Under the exchange, business associates assess their own compliance and share the results". How would you know that a shady IT company doesn't lie about their compliance and everything else?
Alison_Diana (User Rank: Author), 3/20/2014 | 3:49:41 PM
Re: How do you know
That's a definite weakness because you're relying on self-reporting. This system says the next step (which is paid for) allows partners to upload evidence -- like meeting minutes, reports, etc. -- to prove they have done what they said. The BA grants access to its partners to view the evidence (these reports don't just sit there for anyone to review). 