Today, it is impossible for just about any medical practice to care for patients without having third-party vendors that will have access to Protected Healthcare Information (PHI). These come in the forms of Electronic Medical Records (EMR) software vendors, laboratories, IT service companies, medical billers, transcriptionists, and the list goes on. What is often overlooked when working to ensure your own practice is HIPAA-compliant are vendor breaches. What happens when a third-party vendor that your practice relies upon is hacked and your patients’ data is exposed? You are the Covered Entity (CE) and the vendor is your Business Associate, so, ultimately, you are responsible. This will likely concern you, especially since you may be doing everything right only to find out that you are now involved in a HIPAA breach of your patients’ data.
In this article, we will discuss the types of breaches that have already happened and what you can do to minimize your own risk. Find out how to protect yourself from vendor breaches.
Third-Party Vendors and HIPAA
If a CE uses a third-party vendor that will have access to any of its PHI, that vendor is considered to be a Business Associate. Here are examples that you may have in your own practice.
- Electronic Medical Records (EMR): Today, most EMRs are cloud-based. This means that your practice’s PHI is stored on the EMR company’s servers.
- Billing Services: These are outside billers who access your practice’s data to perform billing services on your behalf. The current trend is to outsource this overseas. This also creates new risks because those countries are not bound by HIPAA regulations. When the billing service you hire does this, it is often unable to guarantee that your data is secure. We had a vendor whose billing service didn’t pay its overseas employees. These employees decided to steal the patient data and then delete it from the customer’s server. The practice was ultimately responsible for the vendor breach.
- IT Services: These range from onsite support to remote support or managed services. As these companies have access to your computers and network devices, they are considered to be Business Associates.
- IT Products: Email services, file storage (Dropbox, Google Drive, etc.), e-fax services, and similar products. All of these have the potential to receive (and store) PHI. These types of services are often overlooked when working on a practice’s compliance program.
Vendor Breaches
In February 2024, ConnectWise had its product, ScreenConnect, compromised. ScreenConnect is a remote support product that allows IT support staff to remotely handle user IT issues. In this case, the breach was limited to those vendors that were self-hosting ScreenConnect, but these vendors were used to spread ransomware to their own customers. To date, there were nearly 10,000 servers exposed to the vendor that managed millions of endpoints. Many of these are located in local governments.
In May 2020, SolarWinds, another IT services company, was breached. This was an extremely dangerous event because SolarWinds is used by large corporations, hospitals, and government agencies. This attack was performed by the Russian foreign intelligence service, the SVR, their CIA. It was able to compromise over 100 companies and a dozen government agencies. The way they did it was especially destructive. The hackers were able to penetrate SolarWinds months before and alter its software to contain malicious code. This software was then pushed out to SolarWinds customers as an update. The customers naturally trusted the update from SolarWinds and installed it. This led to the compromise and is known as a supply chain attack. Those customers had no way to protect themselves from this attack since it came from a trusted source.
Imagine if you received an SMS from your spouse’s cell phone to click on a link. Most likely, you would click on it. But if this were an attacker that had successfully accessed your spouse’s device, you would have been breached because of the trust you had in the message.
Here is an example more specific to healthcare. In 2018, a medical billing company was successfully breached and exposed to ransomware. This impacted dozens of practices, and even a community hospital had its billing data exposed. It took 40 days for the billing company to recover and restore access, but the damage had already been done. Imagine not being able to bill for 40 days, and now you’re also responsible for your patients’ data that was exposed.
What can you do?
The first step is to create a vendor diligence checklist. Make sure it includes the important items that you need to ensure that potential vendors understand their obligations under HIPAA and other related laws. Here are some questions to ask all potential vendors:
- When did you last perform a risk assessment? May we see it?
- How often do you perform risk assessments?
- Do you provide security awareness training for your staff? How often?
- Do you have policies and procedures documented for handling security incidents? May we see them?
- How do you ensure that your employees adhere to these policies?
- Do you have a documented backup and disaster recovery policy? May we see it?
- How do you ensure your employees have the least necessary access to PHI?
- Do you utilize multifactor authentication to protect account access?
- Do you utilize an endpoint protection application?
- Do you have a patch management policy?
- Do you allow other parties to access our data (third-party to you) and how do you ensure they follow your security policies?
- Do you have a documented security policy? May we see it?
While not a complete list, it should provide you with a good starting point to build your own. If a vendor isn’t willing to answer these questions or provide the policies you are requesting, it’s time to find a new vendor. If the vendor does fill out your checklist, keep that in your HIPAA documentation to show your own due diligence.
Once you have decided on a vendor, have them execute a Business Associate Agreement. Keep this in your HIPAA documentation as well.
These are the bare minimum you should do to ensure your vendors don’t have their own vendor breaches.
Periodically, follow up with the vendor and ask for current risk assessments. This will be needed to ensure the vendor remains in compliance. Each time you receive these documents, add them to your own documentation.
While none of the steps above will prevent a vendor breach, they will help limit the risk. In addition, should a breach occur, you will be able to provide investigators proof that you performed your own due diligence on every vendor with access to PHI. This will go a long way to helping you as the investigation progresses.