According to the 2010 HIMSS Analytics Report: Security of Patient Data, even though providers continue to update their security infrastructure, patient data remains at serious risk. And, despite new statutory requirements for healthcare privacy and security, these critical gaps remain. The study’s conclusion is not that surprising given new healthcare breaches are being reported on a daily basis.
One improvement that can be immediately implemented with little cost outlay is the initiation of a vendor risk management program. Recent changes to how HHS views business associates and new data security laws in states such as Massachusetts actually now make it imperative that hospitals affirmatively manage the risks inherent in having third-party companies handle sensitive data. There are certainly enough incidents to justify the attention. For example, a company hired by South Shore Hospital to dispose of patient records simply outsourced the work to a second company. It was this second company – a company that did not directly contract with the hospital – that lost 800,000 patients’ files.
Lost or stolen laptops used by the contractors of business associates litter the data breach landscape. Incidents such as the one that impacted New Mexico’s Medicaid Salud! Plan is fairly common. The Plan members were hit with a breach not arising out of the direct negligence of DentaQuest, a company that processes claims and provides dental benefits for the Plan; but instead, from the negligence of an employee of West Monroe Partners – a company hired by DentaQuest. A West Monroe employee had an unencrypted laptop with protected information in the trunk of a car when the vehicle was stolen. Although it may not always be convenient, most employees should know by now not to leave a laptop in a car – especially if it is unencrypted. It’s not easy, however, for a hospital to enforce a policy on a company it does not even know exists.
There are two basic risk management suggestions to be gleaned from these incidents. Not only should the obvious indemnifications be negotiated in all business associate agreements, hospitals need to require business associates vet subcontractors to ensure they also have proper security controls in place. In fact, this is actually dictated by the recent statutory changes referenced above. And, if a hospital purchases insurance to cover the costs of a breach, it should confirm that the insuring agreement broadly covers third-party incidents. Given that network security and privacy insurance remains a nascent market – albeit one that is now rapidly growing – not all insurance contracts are the same when it comes to how far the third-party coverage net reaches. NSAP insurance should also be included in every insurance clause requirement – with a provision requiring that subcontractors also procure the necessary minimum coverages.
Hospitals should never forget that their data security is only as strong as their weakest link – which given cost-cutting measures undertaken by business associates may sometimes be an unknown company with weak security controls.