Business associates (BAs) are in the HIPAA spotlight now more than ever. There have been several recent reports of the OCR and the OIG reviewing and auditing business associate security. The first story involves our old friend, TheDarkOverlord, who was clearly using BA applications and connections to infiltrate networks and exfiltrate PHI. In the second, the Office of Inspector General reviewed the Alaska VA Healthcare System after some breaches, and its report specifically points to the need to monitor BAs. And finally, OCR audits of BAs are about to start. They had previously been announced for the end of September but are now slated for October.
TheDarkOverlord was able to get into many clinic records through BAs. He obtained source code from Pilot Fish technology, and Quest was named by Athens Orthopedic Clinic. TDO got in using RDP connections, which raises the question: who set up the BA's connections, and who was responsible for securing them? This one may be steeped in BA issues that we just don't know about yet, because not every detail has been made public.
OIG Report on Business Associate Security
- The BA at issue was a contractor that provided home oxygen services.
- In December 2014, the VA Office of Inspector General (OIG) Hotline received an allegation that ProCare Home Medical, Inc. (ProCare) was improperly storing and sharing VA sensitive data on contractor personal devices in violation of Federal information security standards. More specifically, the complainant alleged that ProCare was allowing its employees to use personal computers and phones to access the company computer system. They were then downloading VA sensitive data, including veterans’ personal health information.
- The OIG substantiated the allegation: ProCare employees accessed electronic sensitive veteran data from their personal computers through an unauthorized cloud-based system with no encryption controls.
- ProCare employees or malicious users could potentially use personal devices on an unauthorized wireless network to access sensitive veteran information.
- ProCare was storing sensitive hard copy and electronic veteran information in an unsecured manner at their facility.
- It was further noted that ProCare could not provide evidence that applicable ProCare personnel had completed VA-required security awareness training, nor evidence that they had signed the Contractor Rules of Behavior prior to receiving access to VA sensitive data.
- These security deficiencies occurred because VA did not provide effective oversight of ProCare personnel to ensure the appropriate protection of veteran information at the contractor facility. As a result, veteran sensitive information was vulnerable to loss, theft, and misuse, including identity theft or fraud. No evidence was found that veteran sensitive information was actually compromised.
- It was recommended to the VA Northwest Health Network management to assign a local Contracting Officer’s Representative and Information Security Officer to provide oversight of Alaska VA Healthcare System contractors. OIG also recommended the VA Northwest Health Network management, in conjunction with the Assistant Secretary for Information and Technology, conduct a site assessment of ProCare information security controls to ensure compliance with VA information security requirements.
OCR Business Associate Audits
- BAs have only 10 days to submit detailed documentation about specific aspects of their HIPAA compliance after they receive notification from OCR.
- “Business associates should be prepared to produce their policies and procedures for notifying their covered entities when there has been a breach incident, as well as samples of when and how they have done so.” The OCR can request records going back up to 6 years.
- This is going to be really challenging for any “lucky business associate” that gets selected for the first BA audits.
- “The OCR knows very little about business associates at this point, and this is likely to alert them to the enormous variations among business associates.”
- “The same process is planned for the business associate desk audits,” McGraw says.
- You NEED to have a plan for the audits!