From the June 2017 issue of HealthCare Business News magazine
In 2016, 43 percent of data breaches were the result of insiders – either the result of simple human error or actual malicious wrongdoing. Hacking and ransomware were responsible for 26.8 percent of breaches, although this number is likely underreported and very much on the rise. While covered entities are not technically liable for security breaches at a business associate, there are many reasons why it pays to select business associates who take data privacy seriously.
Condider the following five key safeguards and processes to establish for mitigating data breaches and cyberattacks:
• Establish continuous security control compliance assessments, evaluation of gaps and remediation due diligence processes at your health care organizations systemwide. Health care organizations currently only do periodic assessments of their controls. Vulnerabilities are identified, but required remediation to fix the gaps is not acted upon in a timely fashion. It would be ideal to have health care organizations establish a SWAT team-like approach to identify gaps and get them fixed. The longer the gap is present on your information systems, the increased likelihood of you becoming the next victim of a data breach or ransomware cyberattack.
• Exercise your audit rights with your business associates. While most business associate agreements include the right for a covered entity to audit the business associate’s security compliance processes, not many do this. Utilizing a closed-loop, third-party auditing software is ideal for this as all the information, communication and evidence of compliance will be logged and trackable. Document all PHI sent to third parties and pay special attention to the management (and appropriate renewals) of business associate agreements across the health care system.
• Require approval for subcontractors. Often, business associates have the discretion to utilize subcontractors to fulfill the work. This adds another layer in an already complex relationship, and subcontractors are not always bound by the same guidelines of the BAA signed by the covered entity. Require notification and consent with the option to terminate the agreement, if needed.
• Be proactive as opposed to reactive with what devices are on your network and their state of compliance. Establish tools that can identify threats at your endpoints and protect them continuously. With very few good solutions on the market, endpoint security is emerging as the next frontier for health care organizations to address.
