Don't ignore the inherent security risks of third-party business associates


Given the potential liability, assessment of business associate risk needs to be a required part of any organization's overall security management program.

Following the enactment of the Health Information Technology for Economic and Clinical Health Act (HITECH) and the more recent revision of the Breach Notification Rule via the Omnibus Rule, security breaches have become a focus for all healthcare organizations.

Most covered entities have some form of an internal security risk analysis process to evaluate risks that could lead to security breaches, but many lack visibility into external security risks. One area of external security risk concerns business associates that store, process, or transmit Protected Health Information (PHI) on behalf of covered entities.

Based on the breach data from the Office for Civil Rights (OCR), part of Health and Human Services (HHS), business associates have been responsible for more than 20% of the breaches reported and more than 50% of the records that have been lost, stolen, or accessed by unauthorized individuals.

The security risk associated with third-party organizations is often overlooked in the typical security risk management program. Many covered entities assume that a confidentiality agreement or business associate agreement (BAA) eliminates any risk to the covered entity. This is rarely the case: a BAA allocates legal responsibility, but the media attention from a breach will almost certainly damage the covered entity's reputation regardless of whether the business associate was at fault. In addition, there can be significant costs associated with notifying victims (which often includes identity theft protection services), technical investigations, and legal fees.

Business associate risk needs to be assessed as part of an organization's overall security management program and should include an analysis of the controls, processes, and technology solutions in place to protect a covered entity's confidential information.

The approach to assessing potential third-party security risks should be similar to how an organization would assess its internal departments or physical sites. An organization should start by bringing key stakeholders to the table to create an organizational risk profile that evaluates the various types of security risk and determines which risks are acceptable and which are not.

With the finalization of the Omnibus Rule earlier this year, which made business associates directly subject to the HIPAA Security Rule and to parts of the HIPAA Privacy Rule, it is important to understand that business associates now have a legal obligation to protect the PHI they store, process, or transmit. This obligation should be expressly stated in the BAA and should be factored into the risk profile process.

The assessment process needs to categorize the third parties according to the following criteria:

  • how important the third party is to the business operations of the covered entity;
  • what level of access the third party has to the covered entity's confidential information; and
  • how well the third-party organization is prepared to protect the covered entity's confidential information to which it has access.

The first and second criteria are relatively easy to establish, while the third takes a little more effort. The simplest way to determine the maturity level is to send the business associate a security questionnaire or to request an independent audit report, e.g. an SSAE 16 (SOC 1) report. Note that SSAE 16 reports are scoped to controls relevant to financial reporting, so a SOC 2 report covering the security principle, where the business associate has one, speaks more directly to how PHI is protected. The information from the questionnaire or audit report can then be analyzed by the covered entity's information security or compliance team.

Next, it is important to implement a process for rating any security risks discovered (typically by measuring the impact if the risk is realized and the likelihood of it being realized). One method for breaking this large task into more manageable pieces is to create a rating system that groups business associates into tiers based on the three criteria above. Each tier can then be treated according to the risk level that the third-party organizations in it present. Higher-risk business associates may warrant a more in-depth analysis, such as an onsite visit, while lower-risk ones may need only a periodic questionnaire.

Third parties pose a significant security risk to covered entities and some level of due diligence beyond simply signing a BAA is necessary to mitigate these risks and avoid security breaches.

Greg Michaels, CISSP, HCCP, HITRUST, CRISC, CISM, CISA, CBCP, PMP, is the former Chief Security Officer at BluePrint Healthcare IT.