How to Manage Security Incidents Involving Healthcare Business Associates

May 30, 2016

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just released a brief on how to manage security incidents involving business associates, from ensuring policies and safeguards are adequate to being notified and responding effectively to a data breach. As the recent Ponemon survey revealed, many healthcare organizations and their business associates (BAs) are currently negligent in their handling of patient information, with insider threats and cyberattacks topping the list, with an unnecessary amount of “finger pointing” going on between healthcare organizations and BAs who should be doing more to protect data.

According to the OCR brief, covered entities believe they will not be notified of security breaches or cyberattacks by their BAs, another point of miscommunication that introduces additional risk to data security in healthcare. With the current level of infighting and lack of communication, it is difficult for covered entities to determine if the data safeguards and security policies of their BAs are adequate. The new guidance puts greater pressure on BAs to keep covered entities in the loop of any potential cyber attacks or other security breaches.

The OCR recommends that covered entities:

• Within the service-level or business associate agreement, define how PHI is used with reporting mechanisms that cover instances where PHI is disclosed or a security incident takes places
  • Make clear the HIPAA definition of a security incident as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations (with even more specificity for cybersecurity incidents)
  • Make clear the HIPAA definition of a data breach as the impermissible acquisition, access, use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information
• Specify a time frame for reporting a breach, security incident or cyberattack (applies to both BAs and covered entities, respective of each other). HIPAA-breach reporting must be timely, so negative repercussions could ensue for delays.
• Identify what kind of information should be reported in a breach or security incident report (details listed in the guide)
• Specify how employees will be trained on incident reporting (with additional suggestions to run security audits and assessments of BA security and privacy practices)

The new guide re-iterates the importance of visibility and a persistent connection to both the devices and the healthcare data they contain, no matter their location. In order to prove compliance, covered entities and BAs must be able to describe the kinds of data involved in a data incident and how that data was protected.

Absolute DDS for Healthcare provides valuable inside into all of your endpoints, so you can have accurate information on your fleet of devices, as well as the information they contain, with alerts for events and activities that could be precursors to a security incident. With Absolute DDS, you can help shine a light on dark data on the endpoint, helping you address the ever-prevalent insider threat, prevent or respond to data breaches, and prove compliance if needed. Absolute DDS for Healthcare is a comprehensive on boarding program which pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com

Arieanna Schweber

Arieanna Schweber has been a part of the Absolute writing team since 2007. Arieanna was Canada's first female professional blogger and has been professionally blogging since 2006 and has spoken at leading blogging conferences including BlogHer and Northern Voice. Arieanna has a joint degree in Business and Communications from Simon Fraser University and continues to build communities for Vancouver-based clients.

All Posts By This Author