Healthcare providers share patient data with many types of suppliers and subcontractors, and this extended access is increasing the risk of a data breach, according to a study by the Brookings Institution. A recent example is in this month's industry news: billing software vendor EqualizeRCM Services has acknowledged that it was the source of a data breach affecting eight healthcare providers after a laptop containing patient data was stolen.
Third-party vendor security is a key part of HIPAA compliance following changes to the regulations, and in this edition of SecureNews we’re focusing on what it means for healthcare providers. Below we suggest some steps that organizations can take to manage vendor risk, and there's a link to the Alertsec website for more detail about compliance. Your Alertsec service provides a solid foundation for building your compliance program.
Our website is a useful starting point for background information; use the link below to find out about our Encryption for Third Party Suppliers service.
The HIPAA Security Rule applies to all health plans and health care providers, but did you know that your suppliers and subcontractors also need to comply? Health care is often delivered through multiple entities, and the 2013 changes to the HIPAA Privacy and Security Rules (the Omnibus Rule) put an emphasis on vendor security. Vendors that handle protected health information on your behalf (business associates, in HIPAA terms) are now directly liable for compliance with parts of the HIPAA regulations and must be bound by a business associate agreement, while healthcare providers remain responsible for doing due diligence in managing the risk of a data breach.
Most organizations that deal with medical information use core systems that were designed with compliance in mind, but the technical safeguards required for ePHI extend to every system where patient data could be accessed or stored. This includes laptops, desktops and removable media such as USB sticks, and this is where your Alertsec encryption service plays a critical role. Under the HIPAA Breach Notification Rule, ePHI that is encrypted in line with HHS guidance is not considered "unsecured" PHI, so the loss or theft of a properly encrypted device does not by itself trigger breach notification.
There are other steps you can take to manage information security, including:
Identify third party suppliers handling PHI. They can include billing and collection vendors, brokers, lawyers, accountants and even companies hired to securely dispose of paper and electronic data;
Do regular HIPAA-focused vendor assessments, e.g. a security questionnaire that checks the safeguards already in place, including whether devices that hold PHI are encrypted;
Share information about security technologies with vendors so they know how to protect themselves and your company.
If you have any questions, contact Alertsec to find out how we can help you: email us at firstname.lastname@example.org or call +1 888 473 7022.
23% of all data breaches occur in health care, according to a recent Brookings Institution study. The total number of breach victims tripled in the last two years alone, and the per-record cost of a healthcare data breach is $363, the highest of any industry.
Healthcare organizations are now sharing digitized personal health data more widely with insurers, third party vendors and other providers, and this is contributing to the likelihood of breaches, according to the study. Health care data contains valuable information such as Social Security numbers and home addresses, and criminals are focusing on the health care sector because they can charge premium prices for this information on the black market.
EqualizeRCM Services, a billing and collection services vendor in Texas, has reported a data breach after an employee's laptop containing patient information was stolen. A company statement lists eight healthcare providers whose patient data was held on the stolen laptop. The laptop contained personal information for patients at specific facilities, including names, addresses, insurance information, billing information and other administrative data.