5 ways IT vendors put customers’ PHI at risk
May 5, 2015 in Medical Technology
Warning to technology vendors that service the healthcare industry: nearly half of serious data breaches occur in the healthcare sector, and the majority of those are caused by a third party.
There are five common ways technology vendors set themselves up – and their healthcare customers – for a data breach that could be catastrophic to patients’ privacy and the vendor’s reputation.
1. Failure to assess risk. The HIPAA Security Rule requires that certain organizations, known as covered entities and business associates, regularly perform risk assessments. Yet 33 percent of them never have, and that gap drives up the rate of healthcare data breaches.
Businesses that skip this assessment typically say they cannot spare the staff time, and it is, admittedly, intensive work. But a short-staffed IT department won't spare your organization from litigation, fines, remediation and restitution, which can reach into the millions of dollars if a data breach is traced back to you.
Action: Implement and stick to a risk assessment policy that includes a periodic review of data inventories and critical assets; administrative, physical and technical safeguards; and regular re-evaluations of risk to protected health information.
2. Lack of awareness of system activity. Given that many breaches aren't discovered until months later, too many organizations are in the dark about intrusion attempts. In one of the most notorious examples, the Anthem breach of 80 million records wasn't announced to the public until February 2015, yet subsequent forensics traced the start of the intrusion to April 2014: some ten months of covert activity. Such delays are more common than not, with research showing that only 5 percent of breaches are discovered within three months of entry.
Action: Enable continuous logging of system and application activity; protect those logs from tampering and deletion (an intruder who has gained access will try to cover their tracks); and perform regular system activity reviews, which are both an essential component of risk management and an explicit HIPAA Security Rule requirement.
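As an added illustration of the review step (example code written for this article, not a vendor's product or the original author's), the script below runs two simple checks over a constructed PHI access log, flagging one user who pulls an unusual number of distinct patient records in a short window and any access outside business hours, and then shows one way to protect the log itself with a hash chain so that an edited or deleted entry is detectable. The log format, the thresholds, the business-hours window and the sample users and patient IDs are all assumptions made for the example.

```python
"""Hypothetical PHI access-log review (added example, not a real product).

Flags bulk record access and off-hours activity, and protects the log
with a hash chain so that tampering with stored entries is detectable.
The record format, thresholds and business hours below are assumptions.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (no real PHI). Assumed format:
# "<ISO-8601 timestamp> <user> <action> <patient_id>"
SAMPLE_LOG = """\
2015-04-06T09:12:00 jsmith VIEW P1001
2015-04-06T09:13:10 jsmith VIEW P1002
2015-04-06T09:14:05 jsmith VIEW P1003
2015-04-06T09:14:50 jsmith VIEW P1004
2015-04-06T09:15:30 jsmith VIEW P1005
2015-04-06T09:16:02 jsmith VIEW P1006
2015-04-06T10:30:00 amiller VIEW P2001
2015-04-06T23:45:00 svc_backup EXPORT P3001
2015-04-07T02:10:00 amiller VIEW P2002
""".splitlines()

BULK_THRESHOLD = 5             # distinct patients per user within WINDOW (assumed)
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 treated as normal activity (assumed)


def parse_line(line):
    """Parse one audit record into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, action, patient


def review_log(lines):
    """Return a list of (kind, user, detail) findings for a human reviewer."""
    findings = []
    per_user = defaultdict(list)  # user -> [(timestamp, patient_id)]
    for line in lines:
        ts, user, action, patient = parse_line(line)
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", user, f"{action} {patient} at {ts.isoformat()}"))
        per_user[user].append((ts, patient))

    # Sliding window per user: flag anyone touching more than BULK_THRESHOLD
    # distinct patients inside any WINDOW-long span (reported once per user).
    for user, events in per_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) > BULK_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(distinct)} distinct patients within {WINDOW}"))
                break
    return findings


def chain_log(lines, seed="genesis"):
    """Append a SHA-256 chain digest to each entry.

    Each digest covers the previous digest plus the current line, so altering
    or removing an entry breaks verification of that entry and everything after it.
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chained = []
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chained.append(f"{line} {digest}")
        prev = digest
    return chained


def verify_chain(chained, seed="genesis"):
    """Return the index of the first entry whose chain digest does not verify, or -1 if intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, entry in enumerate(chained):
        line, _, digest = entry.rpartition(" ")
        expected = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if digest != expected:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    for kind, user, detail in review_log(SAMPLE_LOG):
        print(f"[{kind}] {user}: {detail}")
    chained = chain_log(SAMPLE_LOG)
    print("chain intact:", verify_chain(chained) == -1)
```

The hash chain only proves that the stored log still matches the last digest you trust; an intruder who can rewrite every entry can recompute the whole chain. In practice the latest digest (or the entries themselves) should be shipped off the host to a write-once store or a separate logging server so that the two copies can be compared during review.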
3. Patching failures. Failure to keep up-to-date with patches and firmware has led to previous breaches, including one at ACMHS that resulted in a $150,000 fine. Security patches should be applied as soon as they are released, but they frequently aren't. Of course, patches are sometimes faulty: while ACMHS was found to be negligent, its fine came on the heels of a year of patching woes for many Microsoft customers. It's a balancing act between dealing with the fallout of a botched patch and leaving a known hole open while waiting for one that's error-free.
Action: Document what you patch, when, and why any patch was deferred, but don't stop progress for what could be a long wait for perfection; a known, unpatched vulnerability is the easiest way in for an attacker.