Large corporations and government agencies are increasingly suffering data breaches stemming from lax security on the part of their service providers. Investigators are learning that the gigantic breach at the Office of Personnel Management this summer may have been the result of two previous hacks experienced by its subcontractors.
In the health-care field, almost one in four organizations reporting data breaches are service providers (called “business associates” by the Office for Civil Rights). Here are some recent examples:
- Just last month, 40 hospitals were forced to notify their emergency-room patients when a rogue employee at their billing company (Medical Management LLC) stole their names, birthdates, and Social Security numbers.
- Two months ago, Gallant Risk & Insurance Services notified its group health plan customers when several laptops were stolen by two thieves who broke into their administrative offices.
- Xerox is being sued for unauthorized access when it failed to return the state computer equipment and paper records containing health information for two million people when the administrative services contract with Texas Health and Human Services Commission was terminated.
According to the HIPAA Omnibus Final Rule, health-care providers and their business associates are equally responsible for protecting health information, but covered entities (hospitals, health plans, providers, etc.) are still responsible for ensuring the notification of patients whose records have been compromised — and that can be costly.
Strengthening Service Provider Security
Here are some practical ways for organizations — not just those in healthcare — to improve data security efforts by service providers:
- Conduct a comprehensive inventory of all service providers — This will likely be a long list because it should include not just electronic transaction firms but outside attorneys, IT contractors, auditors, etc.
- Determine which ones pose the greatest risk — Some service providers have access to information so sensitive that its compromise could cripple your organization. Keep a watchful eye on these service providers, but don’t assume that certain types of companies are risk-free. For example, investigators now think it’s possible that the huge Target breach in 2013 started with a “phishing” expedition into a Target HVAC service provider’s website, which was connected to the retailer’s supplier portal. Some investigators surmise that the hackers gained access to the portal, then were able to burrow into Target’s payment systems.
- Vet all service providers and be ready to switch if problems arise — Ask prospective partners to provide specifics on any previous breaches they’ve experienced and the remediation steps they took to prevent subsequent ones. Find out where information will be stored (overseas or U.S.) and how data will be returned or destroyed if the contract gets terminated. And it’s always wise to have a Plan B — a pre-screened service provider that can step in quickly to replace a problem-plagued one.
- Carefully review all contracts — There should be language in every contract that details the service provider’s responsibilities and liabilities in the event of a breach (e.g., background checks before hire, return or disposal of health records upon contract termination, encryption of data at rest or in transmission, and notification within five working days of a suspected or confirmed breach).
- Demand an annual risk analysis — Every service provider should provide annual attestation that it has performed a bona fide information risk analysis.
- Thoroughly document all the above activities — This provides evidence of a good-faith effort to bolster data security, which can help reduce penalties, fines, or lawsuits arising from a breach by the service provider.
In our increasingly networked world, companies with spotless records in data security can get burned if one of their service providers gets careless. Taking these proactive measures can help ensure that every link in the security chain stays strong.
Mary A. Chaput is CFO and chief compliance officer at Clearwater Compliance in Nashville, Tennessee.