Are you ready for extreme vendor vetting? Many vendors have been pushing back against any covered entity or business associate that asked them to answer questions about their privacy and security programs. They believe signing a business associate agreement (BAA) meets the legal requirements and that is all they must do. Well, the times they are a changing – again.
There are many different factors making it necessary to ask these type questions and not just accept a BAA as reasonable assurances. What are those factors and how things are changing are the topics we discuss in this episode.
In other news:
- Vandy study that 2,100 patient deaths relate can be tied to data breaches
- Delta breach caused by plugin on their website
- Panera bread breach: Researcher notified them for weeks they had exposure and nothing happened until they went public.
Ready for extreme vendor vetting?
New Jersey AG Announces Settlement / Corrective Action Plan
VMG agreed to implement a Corrective Action Plan that that includes hiring a third-party professional to conduct a thorough analysis of security risks associated with the storage, transmission, and receipt of ePHI in VMG buildings, and to submit a report of those findings to the Division within 180 days of the settlement and every year thereafter for two years. VMG also agreed to pay a $417,816, comprised of $407,184 in civil penalties and $10,632 in reimbursement of the Division’s attorneys’ fees and investigative costs.
The server misconfiguration occurred in January 2016. All potentially affected patients, which included 1,617 New Jersey residents, were notified about the security breach in early March 2016.
The VMG privacy breach occurred when Best Medical Transcription, a Georgia-based vendor hired to transcribe dictations of medical notes, letters, and reports by doctors at the three VMG practices, updated software on a password-protected File Transfer Protocol website (“FTP Site”) where the transcribed documents were kept. During the update, the vendor unintentionally misconfigured the web server, allowing the FTP Site to be accessed without a password.
The Division’s investigation found that even after Best Medical Transcription corrected the server misconfiguration, removed the transcribed documents from the FTP Site, and restored the password protection on January 15, Google retained cached indexes of the files which remained publically accessible on the internet.
On January 22, VMG received a phone call from a patient indicating that her daughter had found portions of her medical records from Virtua Gynecological Oncology Specialists on Google. The Division’s investigation found that at that time, VMG was not aware of the source of the information viewed by the daughter because Best Medical Transcription had not notified them of the security breach.
They had BAA with a 20-day notification requirement. The law says the BA could have as much as 60 days. It also says you can negotiate a different time frame as long as it is less than 60 days. It can not be longer than 60 days.
It seems they were still in that 20-day time frame but maybe it was very close. ALSO:
The state’s investigation also found that VMG was unaware until February 2016 that Best Medical Transcription had subcontracted with a New Delhi, India-based company to perform medical transcription services for the VMG practices that were impacted in the breach.
The settlement alleges that VMG engaged in additional violations of HIPAA’s Security Rule and Privacy Rule with regard to the VMG data breach, including:
- Failing to implement a security awareness and training program for all members of its workforce, including management.
- Being delayed in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
- Failing to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP Site.
- Improperly disclosing the protected health information (“PHI”) of its patients.
- Failing to maintain a written or electronic log of the number of times the FTP Site was accessed.
- The Division further alleged that the public exposure of at least 462 patients’ doctors’ letters, medical notes, and other reports, and VMG’s violations of HIPAA’s Security Rule and Privacy Rule, constituted separate and additional unconscionable commercial practices, in violation of the New Jersey Consumer Fraud Act.
“Patients entrust doctors with their most intimate healthcare details, and doctors have a legal responsibility to keep that information private and secure, whether it is held in an office file cabinet or stored on a computer server,” said Attorney General Gurbir S. Grewal. “Electronically stored data is especially vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken.”
“Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it,” said Sharon M. Joyce, Acting Director of the Division of Consumer Affairs. “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
Vendor Management Discussions At the HIPAA Summit
Managing vendors was a frequent discussion during the HIPAA Summit sessions. That tied directly into this settlement announcement. On particular session was specifically about how one organization is vetting all of their vendors now. It is no longer a sometimes vendor vetting or only high-risk vendor vetting policies.
The presenter worked for the state of West Virginia. When he covered the business associate due diligence (BADD) that he does on their vendors it made ours seem like a preschool pop-quiz! He encouraged everyone there to do deeper dives on their vendors. The things they have found make them have little trust that their vendors will take care of their access to PHI.
An example he shared was one particular vendor that said they had HIPAA covered. During the vendor vetting process, they found out that the vendor had 230 subcontractors but only 4 of them had BAAs in place.
He has started doing things like calling the vendor’s main number and ask to speak to the Privacy or Security officer. Hello, right there my three questions came right out of his mouth about asking them things to see if all workforce members knew the answers.
I did get a kick out of the phrases he used to refer to vendor vetting like “kicking the tires” and “are you tall enough to ride our ride”. That is why he says every single BAA should include the right to do assessments of the vendor’s privacy and security programs.
It was nice to hear that the pushback we normally get is exactly like the pushback he gets. “No one else makes us do this” or “It is proprietary information” are common for us. However, he added one we hadn’t hear before: “You have to pay me to complete the assessment since it isn’t in our scope of work”. That one takes some……
He firmly believes that we should all vet anyone that wants to connect anything to our network. He has a good point because anything can be the broken link. When we just worry about systems with PHI and not others, it leaves you wide open to tons of other ways you can get attacked like IoT malware.
Finally, he mentioned what we have always included in our process. Assess vendors annually but he also added that you should do it any time that there is a substantive upgrade to vendor services, systems, applications, etc
This is truly an example of extreme vendor vetting. It goes well beyond what we
BA Results from Phase II Audits
As a final point in this episode, the results from the phase II desktop audits were announced during the HIPAA Summit, also. This was the first look we have had of the audit results from the business associate audits. Basically, it was similar to the CE findings but it also reinforced the messages of the importance of vendor vetting.
They did a good job trying to spread it out across types of BAs. It is such a small sample and it was done via desktop only. That means the findings may just be scratching the surface of potential problems.
It is obvious from these numbers that CEs and BAs have the same problems in Risk Analysis and Risk Management. Plenty of the BA results show that they have a 4 or 5 rating which means it was turned over to the regional OCR offices to evaluate whether or not the findings warrant an investigation.
The audit results show that if you are not worried about vendor vetting then you are just making things worse for yourself in the long run. They are just as disconnected as the covered entities. If you are on point with your compliance don’t risk the assumption that your vendors are good to go because they signed the BAA.
While we have been vetting vendors for years now, many others have not. That is why we hear that “no one else makes us do this” whining so often. The fact is that vendor vetting is becoming a thing that everyone needs to do. Some are doing it in a way that is much more extreme than we have been doing it but they are also large entities. If you want to be a business associate you should be prepared for these vendor vetting questionnaires coming your way sooner rather than later.