Last October, a stolen company-issued desktop computer exposed 3.3 million patients’ names, addresses, phone numbers, dates of birth, emails, medical record numbers and health insurance plan names. Nearly 1 million patients’ medical diagnoses and/or procedures were also compromised. Two lawsuits have been filed against Sutter Health, including a $1 billion class action lawsuit.
A month earlier, computer backup tapes were stolen from a car, exposing protected health information of patients from military hospitals and clinics. A class action lawsuit of $4.9 billion was filed against TRICARE.
Though these breaches occurred at out-of-state companies, the danger to New North companies is real. And despite the potential for such devastating data breaches, businesses aren’t likely to stop hiring third-party vendors for key business functions. Companies now regularly share critical information assets – including protected health information (PHI) – with cloud providers, consultants, business process outsourcers, third-party transaction processors and other business associates.
As organizations transfer data from their protected infrastructure, they relinquish a certain degree of control – so it becomes even more important for them to remain vigilant in assessing risks to data.
Often, the anticipated cost efficiencies and other benefits of using third-party vendors evaporate after a costly breach or enforcement action. Intellectual property breaches can cost organizations dearly in lost investment and reputation. Vendor data breaches may result in fines, civil penalties and loss of the public’s trust.
By law, health insurers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) must report breaches of unsecured PHI to the U.S. Department of Health and Human Services (HHS), which posts breaches affecting 500 or more individuals on its website. The negative publicity of that listing is painful enough, but the civil penalties and state attorney general actions authorized by the Health Information Technology for Economic and Clinical Health (HITECH) Act can be devastating. In spite of that, breaches of PHI occur daily, and many are caused by third-party vendors.
HHS is expected to issue a final rule that eliminates or amends the “harm threshold” provision, which currently allows covered entities to refrain from reporting a breach if they judge that it does not pose a significant risk of harm to the affected individuals. The same rulemaking is expected to make business associates and their subcontractors directly liable for HIPAA compliance, much as covered entities are today. Health care insurers, however, cannot afford to wait for federal regulators to audit their business associates; they must act themselves to protect their information assets. Due diligence is critical when selecting vendors and managing those relationships, and data security, privacy and compliance considerations must stay top of mind (see sidebar).
Simply put, organizations that entrust data to vendors must take a more proactive approach to confirming that it is adequately protected. Attestation reports, where a vendor has them, offer a useful, independently examined view of the vendor’s security and privacy control environment. The AICPA’s Service Organization Control (SOC) reports give service organizations and the companies that rely on them a common framework for assessing vendor control risk; a SOC 2 report in particular covers controls related to security, availability, processing integrity, confidentiality and privacy. Read the report rather than just filing it: check that its scope covers the systems and locations that will hold your data, that the period it covers is recent, and that any exceptions the auditor noted have been remediated. A Type 2 report, which tests whether controls operated effectively over a period of time, tells you more than a Type 1 report, which only describes their design at a single point in time.
Ultimately, health care organizations must have a process that continually evaluates, monitors and manages the risks arising from vendor operations. Many organizations execute agreements with service providers, including the business associate agreement HIPAA requires, but too few pair those agreements with an ongoing program to monitor and assess vendor control risk.
Health care insurers and other entities that consider using third-party vendors need to ask themselves, “Will we still be in compliance once we share our information assets with third-party vendors?” Those who hope to say “yes” must thoroughly vet their vendors and continuously monitor their security and privacy control environments.
Amy Henselin is an audit partner in Grant Thornton’s Appleton office with more than 12 years of experience in public accounting. She heads up the Wisconsin Not-for-Profit practice and serves a number of privately-held companies, including those in the manufacturing and distribution, insurance and health care industries.
What can you do to protect yourself?
Ask your third-party vendor a number of key questions about data security and privacy considerations. Questions might include:
» How will our data be protected, both at rest and in transit?
» What controls does the vendor have in place for intrusion detection, perimeter security, physical security, timely application of security patches and data leak prevention, among other safeguards?
» Who, at the vendor and at any subcontractors, will have access to our data, and how can we verify this (for example, through access reviews and audit logs)?
» Can the vendor demonstrate, for example with a current SOC report, that its security controls are adequate to protect our data?
» If the vendor serves other customers on shared systems, how does it ensure that those customers cannot view our data?
» What policies and procedures are in place to detect, prevent and mitigate incidents of identity theft?
» Has the vendor experienced any incidents of identity theft within the last two years?
» How are incidents and breaches reported, and to whom?
» Will we be notified if our data is involved in a breach, and within what time frame?
» Does the vendor have a tested disaster recovery plan?
» In the event of a disaster, how will the vendor protect our information assets?
» Can we get our data back, in a usable format, if the vendor goes out of business or the relationship ends?