The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just released a brief on how to manage security incidents involving business associates, from ensuring that policies and safeguards are adequate to being notified of, and responding effectively to, a data breach. As the recent Ponemon survey revealed, many healthcare organizations and their business associates (BAs) are currently negligent in their handling of patient information, with insider threats and cyberattacks topping the list of concerns. The survey also found an unnecessary amount of "finger pointing" between healthcare organizations and BAs, both of whom should be doing more to protect data.
According to the OCR brief, many covered entities believe they will not be notified of security breaches or cyberattacks by their BAs, another point of miscommunication that introduces additional risk to data security in healthcare. With the current level of infighting and lack of communication, it is difficult for covered entities to determine whether the data safeguards and security policies of their BAs are adequate. The new guidance puts greater pressure on BAs to keep covered entities in the loop on any potential cyberattacks or other security breaches.
The OCR recommends that covered entities:
- Within the service-level or business associate agreement, define how PHI may be used, and establish reporting mechanisms that cover instances where PHI is disclosed or a security incident takes place
- Make clear the HIPAA definition of a security incident as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations (with even more specificity for cybersecurity incidents)
- Make clear the HIPAA definition of a data breach as the impermissible acquisition, access, use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information
- Specify a time frame for reporting a breach, security incident or cyberattack (this applies in both directions, to BAs reporting to covered entities and to covered entities reporting to BAs). HIPAA breach reporting must be timely: under the Breach Notification Rule a BA must notify the covered entity without unreasonable delay, and in no case later than 60 days after discovering the breach, so delays can carry negative repercussions.
- Identify what kind of information should be included in a breach or security incident report (the details are listed in the guide)
- Specify how employees will be trained on incident reporting (the brief additionally suggests running security audits and assessments of BA security and privacy practices)
The new guide reiterates the importance of visibility and a persistent connection to both the devices and the healthcare data they contain, no matter where those devices are located. In order to prove compliance, covered entities and BAs must be able to describe the kinds of data involved in an incident and how that data was protected.
Absolute DDS for Healthcare provides valuable insight into all of your endpoints, so you can have accurate information on your fleet of devices and the information they contain, with alerts for events and activities that could be precursors to a security incident. With Absolute DDS, you can shine a light on dark data on the endpoint, helping you address the ever-prevalent insider threat, prevent or respond to data breaches, and prove compliance if needed. Absolute DDS for Healthcare is a comprehensive onboarding program that pairs our highest level of endpoint security with expert forensic support to respond to and contain security incidents. Learn more at Absolute.com