Massachusetts General Hospital (MGH) experienced a healthcare breach that left 9,900 patients’ protected health information (PHI) exposed. Hackers gained access to MGH’s research databases through a third-party vendor. The exposed information included data collected for research, such as names, dates of birth, dates of study visits and tests, type of study and research study identification numbers, demographic information, medical record numbers, diagnosis and medical history, and biomarkers and genetic information. For research participants who are deceased, death dates and autopsy results were also exposed.
Although the compromised data did not include financial information or Social Security numbers, the healthcare breach still puts affected individuals at risk. According to Matthew Gardiner, cybersecurity strategist at Mimecast, hackers can still make use of the information: “This type of medical-related data, for example, can be used in various forms of identity theft, blackmailing of patients with diagnoses that they prefer to keep private, and building false trust as part of targeted phishing and impersonation attacks.”
Vendor Management Can Prevent Healthcare Breaches
With the recent increase in vendor-related healthcare breaches, healthcare organizations must be diligent when choosing whom to work with. A recent Ponemon report determined that 56% of hospitals have experienced a data breach caused by a vendor. Thoroughly vetting vendors can prevent healthcare organizations from falling victim to a third-party breach.
Working with a vendor that does not have proper safeguards in place to secure PHI can be a detriment to covered entities (CEs). “Organizations need to be much more aware of what data they are sharing with third-party vendors and what kind of security practices these third-party vendors employ. It is simply not enough to merely comply with the HIPAA requirements to obtain the business associate agreement,” says David Holtzman, executive adviser at cybersecurity firm CynergisTek.
Healthcare organizations must be aware of the security practices of their business associates (vendors) to ensure that they are adequately protecting the PHI shared with them. Before choosing a vendor to work with, covered entities should send the vendor a Security Risk Assessment (SRA). An SRA is used to determine whether an entity has proper administrative, technical, and physical safeguards in place in accordance with HIPAA standards. Once an SRA is completed, organizations can identify any gaps they may have and develop remediation plans to address those gaps.
In addition, business associate agreements (BAAs) must be signed before any PHI can be transmitted between parties. A BAA is a legal contract stating that both parties are obligated to be HIPAA compliant, and that each party is responsible for its own compliance. A BAA limits the liability of both parties if a healthcare breach should occur, as it maintains that only the party responsible for the breach will be at fault. However, when an organization does not adequately vet its vendors or does not have a signed business associate agreement, both parties will be held accountable for a healthcare breach.
Do You Need Help with Vendor Management?
Compliancy Group can help! Our cloud-based compliance software, the Guard™, has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!