A new study conducted by the Ponemon Institute indicates that many business associates don’t notify their organizations of a data breach during the investigation or after determining the cause of the incident. In fact, 47 percent of those polled either have no timeframe for notification or they do not notify the organization at all.
These facts alone are alarming but can be especially detrimental to an organization in the health care industry, where the new HIPAA Omnibus Final Rule broadens the definition of a data breach and calls for stricter enforcement and greater penalties. The Omnibus Rule took effect in March 2013, although organizations have until September to comply.
Under the Omnibus Rule, most incidents in which protected health information (PHI) is lost or stolen will now be considered a breach unless the organization can prove otherwise. In the past, an incident wasn’t considered a breach unless the disclosure of the PHI violated privacy rules and posed significant risks to the affected individuals. The bottom line, according to privacy attorneys, is that this will cause an enormous spike in the number of reported data breaches, meaning organizations will have to notify individuals, police, the Department of Health and Human Services and other agencies more often.
This regulation will not only affect health care organizations but will also impact third-party vendors and their subcontractors. In other words, any company hired by a healthcare organization to handle PHI will be responsible for protecting that information just the same as the main organization. This could include third-party vendors who handle marketing, payment processing or cloud services.
The good news is that vendors may start to be more careful with PHI, which may lead to a decline in the number of breaches caused by third parties; the bad news is that it could take years before these results come to fruition. There are, however, mechanisms that can be put into place now to make the transition smoother. Here are five tips to help organizations work with third-party vendors.
1) Be specific in your business associate agreements
Although business associate agreements have always been required under HIPAA, they now need to be more specific. You need to spell out exactly how the business associate can use your patients’ PHI and what disclosures should be incorporated.
2) Provide guidance and training
Write policies to explain your data handling practices and provide training to your vendor on how to comply with these policies. Your policies should also include strict enforcement procedures. It’s important to enforce your policies because negligence and lost or stolen devices are the top reasons for data breaches caused by third parties, according to Ponemon. The study found that 55 percent of the breaches were caused by negligence and 39 percent were caused by lost or stolen devices.
3) Lead by example
You may want to improve your own IT security and control procedures to show third-party vendors that you’re not requiring them to do anything that you don’t do yourself. By improving your own security, you may be able to prevent more breaches or, at the very least, detect them at an earlier stage.
4) No more double standards
Third-party associates should be held to the same standards as your in-house security team. Unfortunately, according to the Ponemon study, this is not always the case. The study found that organizations tend to require more of their in-house team than of their vendors.
5) Evaluate third-party vendors before hiring them
Many organizations hire business associates without completing a thorough analysis. For instance, less than half of the organizations in the Ponemon study obtained evidence of a security certification, such as ISO 27001, before hiring a vendor. And only 9 percent conducted an audit of the vendor’s security and privacy practices before sharing sensitive information with them.
Following these tips can help you create a more collaborative atmosphere between your organization and business associates, while helping to reduce data breaches at the same time.
For more information, download the Ponemon Institute’s “Securing Outsourced Consumer Data” study.
Michael Bruemmer is Vice President of Experian® Data Breach Resolution at Experian Consumer Direct, the leading provider of online consumer credit reports, credit scores, credit monitoring, other credit-related information, and protection products.
With more than 25 years in the industry, Michael brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services.
Michael maintains a practical and cooperative approach to partnering with some of the largest and most complex organizations to address their data breach preparation and resolution needs.
By applying his experience as a general manager in the manufacturing industry as well as in global operations, he has a keen insight into the complexities and regulatory standards many organizations face when it comes to data privacy and security.
He is a Certified Information Privacy Professional, a contributor to the Experian Data Breach blog and a speaker on various privacy and security panels for industry associations, including Health Care Compliance Association (HCCA) and International Association of Privacy Professionals (IAPP).
In addition to his current role, Michael is actively involved in the community as a board member of the Girl Scout’s Development Board and has formerly served on the Board of Trustees for the Trinity Episcopal School in Austin, Texas. He holds a Bachelor of Arts in Labor Economics from the University of Wisconsin-Madison.
Michael can be contacted via email at Michael.Bruemmer@Experian.com.
For more information about Experian Data Breach Resolution, please visit our website www.Experian.com/DataBreach.