Are Your Business Associates Putting Your Facility At Risk?

This week I had the privilege of discussing hospital and clinic security at the Quad States Health Information Management Association’s Annual Conference in Myrtle Beach, SC. There were a ton of very friendly, smart and detail-oriented stewards of our health information who are very concerned about patient data, particularly with regard to the security and privacy of that information.

About 100 health information professionals showed up bright and early Monday morning for my talk on why HIPAA is failing when it comes to keeping data secure. Part of my discussion struck a chord with these folks. You see, many folks in medical records, billing and other information-related positions within healthcare facilities recognize the clear and present dangers when it comes to transferring data from facility to facility (think HL7, for instance).

Just for a second, imagine that you could develop a communication interface between health systems or facilities.

You test to verify that data you send from your facility’s EHR platform goes through to some of your business associates and providers. Let’s assume that the exchange of information between platforms was seamless (we all know that HL7 and the exchange of information between systems is a HUGE problem in health information and data management). For the sake of this discussion, let’s assume that HL7 worked perfectly in how systems integrated and communicated with each other.

You send out some data on patient stays to your collections vendor. You have a VPN set up so that billers and other vendors have a fast pass onto your network to speedily process or use your data. But at the point where the data moves between your facility and that other facility, you no longer have control over it.

I understand the cheapest and easiest solution for vendors to get connections to your network is through a Virtual Private Network (VPN), but in today’s world of cyberattacks, are you doing enough?

What ALL of those vendors are missing when they have carte-blanche VPN access to your network and data is this: if their data security is not up to your standards and their computers or servers become infected with ransomware, they can most certainly infect you, too!

And we’ve seen this happen with EHRs, medical billing companies, lab connections and even PACS.

The bottom line: even if HL7 works the way it was originally described, with seamless connections, if you aren’t evaluating how data comes into and leaves your network—even to vendors you’ve worked with for years—and you don’t monitor your VPN connections, you are exposing yourself to ransomware and other cyberattacks.

The problems we see with facilities today:

  1. They give access to providers and other facilities without monitoring those connections—in essence, as I mentioned above, hospitals and clinics are allowing vendors to connect directly to their networks. The big problem with this is that we’ve seen VPN connections contribute to nearly a quarter of cyberattacks in healthcare. We’ve even seen EHR platforms as the source of attacks, and no one was the wiser until the attack crippled facilities—one recent vendor attack left over 40,000 providers’ networks infected.
  2. Business associates are not stewards of your data—while many of us think that other vendors or providers would have security standards as good as or better than our own facilities’, the real heart of your cybersecurity problem might be tied to having vendors with poor data security hygiene. What does that mean for you and your information? You—either as a health information management professional or as someone responsible for your hospital’s security or security compliance—are a steward of the data coming into and going out of your network. Could you work with vendors that are not keeping your patients’ data secure? Most folks simply assume they are (when nearly a quarter of the time, they have little to no security policies and procedures in place—even those in IT-related fields). Just as a refresher, a business associate is any organization, provider, or group that touches, uses, or interfaces with your protected health information.
  3. You do not have up-to-date business associate agreements—even if you are concerned about your business associates keeping to your expected security standards, without an updated business associate agreement (BAA), you will be held responsible for that business associate. In fact, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) can fine you for not having appropriate BAAs in place with ALL of your vendors.
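As an added example (not code from the original post), here is one way to review vendor VPN session records against the scope each business associate has actually agreed to. The log format, vendor names, addresses and per-vendor policy are all constructed for illustration; the point is that a vendor account reaching hosts or ports outside its agreed scope, connecting at unexpected hours, or connecting with no agreement on file is exactly the kind of session that should be flagged rather than silently allowed.

```python
import re
from datetime import datetime, time

# Constructed sample VPN session log (not from the original post).
VPN_LOG = """\
2024-03-04 02:13:07 user=billing-vendor src=203.0.113.10 dst=10.20.5.15 dport=443
2024-03-04 09:41:22 user=billing-vendor src=203.0.113.10 dst=10.20.5.15 dport=443
2024-03-04 09:45:03 user=billing-vendor src=203.0.113.10 dst=10.30.1.7 dport=445
2024-03-04 10:02:11 user=lab-vendor src=198.51.100.7 dst=10.20.7.20 dport=6661
2024-03-04 11:15:40 user=contractor src=192.0.2.9 dst=10.20.5.15 dport=3389
"""

# Hypothetical per-vendor policy: which internal (host, port) pairs the
# business associate is allowed to reach, and its expected working window.
POLICY = {
    "billing-vendor": {"allowed": {("10.20.5.15", 443)}, "hours": (time(7), time(19))},
    "lab-vendor":     {"allowed": {("10.20.7.20", 6661)}, "hours": (time(0), time(23, 59))},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=\S+ dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

def review_sessions(log_text, policy):
    """Return (timestamp, user, dst, dport, reason) for every session that has
    no policy on file, leaves the vendor's agreed scope, or falls outside its window."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; skipped here, worth counting in production
        user, dst, dport = m["user"], m["dst"], int(m["dport"])
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rule = policy.get(user)
        if rule is None:
            findings.append((m["ts"], user, dst, dport, "no BAA/policy on file"))
            continue
        if (dst, dport) not in rule["allowed"]:
            findings.append((m["ts"], user, dst, dport, "outside agreed scope"))
        start, end = rule["hours"]
        if not (start <= ts.time() <= end):
            findings.append((m["ts"], user, dst, dport, "outside working window"))
    return findings

if __name__ == "__main__":
    for finding in review_sessions(VPN_LOG, POLICY):
        print(*finding)
```

On the sample above, the billing vendor's 2 a.m. session and its SMB (port 445) connection to a file server it has no business reaching are flagged, as is the account with no agreement on file.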

Health information professionals are a significant asset to the health community. Could you even imagine a health system without data? These folks are making huge contributions to how facilities are run and to ensuring that data integrity and privacy are enforced. And as security experts, we share the concern of organizations like the Quad States Health Information Management Association and the American Health Information Management Association for the privacy and security of healthcare data.