The HITRUST report notes that data breaches involving HIPAA business associates (which, as noted, HIPAA-covered entities are responsible for) have accounted for 21% of breaches in the last three years and 58% of the records lost. This points to a need for "proactive due diligence," Hourihan says. "It's been a problem, and it will continue to be a problem, because businesses sign a contract and then don't do anything else."
To combat this issue, healthcare organizations should first ask for a business associate's most recent security audit and risk analysis and then work with the BA to fill the gaps that could result in a data breach. Since some providers have hundreds, if not thousands, of BAs, Hourihan suggests giving the most attention to electronic health record vendors, vendors that support critical business functions and other companies that interact with customer data.
Healthcare organizations also need to be aware of hackers. While hacks account for only 8% of reported data breaches, Hourihan thinks the actual number is higher, as HITRUST has seen PHI for sale on underground message boards that often can't be tied to a reported breach. With PHI worth up to 50 times more to hackers than credit card or Social Security numbers, Hourihan and HITRUST expect to see a "pretty significant rise" in hacks in years to come.
David Harlow, principal of The Harlow Group LLC, acknowledges that the industry "collectively need[s] to do a better job cracking down on those exploits."
Doing so requires a mix of technology, education and leadership. For Rodriquez, it's that final point that matters most, not just for preventing hacks but also for preventing data breaches and doing the sort of due diligence that MAeHC did in order to avoid an OCR fine. "It comes down to leadership owning compliance issues and doing so consistently. It's that leadership that makes all the difference," he says.