By The Institute at MagMutual™

Healthcare is one of the most vulnerable industries to cyberattacks, and third-party service companies are a frequent source of exposure to providers. A third-party vendor is an entity contracted with the healthcare organization to provide items or services, such as electronic health record (EHR) systems and IT security systems. As healthcare organizations continue to rely on services from third-party vendors, it’s important that providers understand what steps to take when one of their vendors incurs a data breach.

The recent breach targeting Change Healthcare, the largest clearinghouse for insurance billing and payments in the U.S., serves as an unfortunate example of a catastrophic data breach. This cyberattack has severely impacted providers who are waiting for their payments but, more importantly, demonstrates the vulnerability of the healthcare sector in general.

Failure to appropriately safeguard your patients’ protected health information from cybersecurity attacks and data breaches could be a HIPAA violation, resulting in financial penalties and fines to your practice. Further, delays in notifying patients of any data breaches could also result in a HIPAA violation. With cyberattacks becoming more prevalent, it’s important that an organization have a plan in place to respond to notification of a data breach from a third party.

Action to Take When Receiving Notice of a Third-Party Data Breach

Healthcare organizations typically receive notice of a data breach days, or even months, after it actually occurred. The third-party vendor usually sends a letter or email notifying the organization of a data breach. If your organization receives a data breach notice, it should be considered as an important document and maintained in an administrative file after the following steps are taken. 

Healthcare organizations should read the notice carefully and assess what information, and to what extent their information, was compromised. It is also important to reach out to the third party that sent the notice if more information about the breach is required, including whether the third party has remedied the breach on its end.

After reading the notice, if the data breach is still ongoing, healthcare organizations should activate their incident response plan to mitigate the damage. If you haven’t created an incident response plan for data breaches, consider hiring outside counsel to guide the response efforts.

Data Breach Planning and Reporting Requirements

1. Implement a Data Breach Response Plan - Implementing an incident response plan effectively requires running routine practice drills so medical staff can act immediately upon notification of a data breach. The healthcare organization’s data breach incident response plan should already have a point of contact assigned for communication purposes. This person can gather statements from the third party about the data breach, update internal staff on the breach and handle pre-planned statements to update patients whose information may be compromised. If the data breach affects the healthcare organization, implementing the incident response plan involves containing the data breach from your end as set out in the data breach incident response plan. Once the third party or healthcare organization has contained the data breach, then follow the next steps in your incident response plan. 
2. Preserve Evidence of a Data Breach- Keep the notification of the data breach and follow the procedures in your incident response plan for how to preserve and document evidence. Work with the affected third-party vendors on isolating malware. Having evidence of the malware will facilitate reporting the data breach to authorities. Forensic investigators can use this evidence to determine when and how the alleged breach took place and recommend steps for restoring the network or data. Documenting this evidence will help healthcare organizations cooperate with authorities and may help defend themselves in a potential lawsuit.
3. Notify Appropriate Authorities about the Data Breach - Once a breach occurs, notify authorities of the breach. Which authorities to notify and what healthcare organizations can disclose depends on many factors.

4. Obtain a Root-Cause Analysis of the Data Breach from the Third-Party Vendor- After the third-party vendor or IT system provider has contained the data breach, organizations should obtain a root-cause analysis from the affected third party. 

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule and the HIPAA Privacy Rule govern federal disclosure requirements about an alleged breach for most healthcare organizations. Even if third parties were the subject of a data breach, healthcare organizations and third parties still must demonstrate that the use or disclosure of protected health information (PHI) did not result in a breach as defined in HIPAA regulations. To determine whether a breach occurred, organizations must consider the following factors:     

1. What was the nature and extent of PHI data involved?
2. Who was the unauthorized person who used PHI?   
3. To whom was the disclosure made? 
4. Was PHI actually acquired or viewed?
5. What was the extent to which the risk to PHI has been mitigated?

Under HIPAA, business associates (third parties) must notify covered entities (healthcare organizations) of a HIPAA data breach within 60 days of discovering the breach. Organizations must notify individuals whose information was affected by the data breach. Disclosure requirements to the media and HHS also depend on the nature and extent of the breach.

The HIPAA Security Rule requires healthcare organizations to conduct risk assessments to security systems and report their findings. The Security Rule also requires organizations to have a contingency plan in place for responding to disruptions to EHR.

Healthcare organizations may also have to consider state and local laws in the event of a HIPAA data breach caused by a third party. State and local laws may have shorter reporting times than federal laws.

Assessing Relationships with Third-Party Vendors

Healthcare organizations should treat third-party risk as their own risk. Therefore, organizations should require third parties to maintain compliance with security requirements under applicable privacy and security laws. Compliance with security requirements should include assurance from third parties that their security systems comply with applicable federal, state and local privacy and security laws.

Healthcare organizations should also review their Business Associate Agreements (BAAs) with third parties. BAAs should include provisions about how third parties will identify and notify organizations of a data breach. BAAs should define a data breach and include exact timeframes in hours or days about when third-party vendors must notify healthcare organizations of a breach. BAAs should also include provisions about data storage and disposal, descriptions of vendor’s privacy and security programs, right-to-audit clauses, and protocols for disclosing when deficiencies in security systems have been identified.

As demonstrated by the recent Change Healthcare incident, cyberattacks affect healthcare organizations of all sizes, and no one is immune, whether from direct threats or through third-party vendors. MagMutual, a leading provider of medical malpractice insurance as well as regulatory and cyber protection for healthcare organizations, recommends ensuring that your healthcare practice has a comprehensive incident response plan for dealing with data breaches. Preparation and response plans to cyber incidents should be dynamic processes that are continuously reviewed, refined and adapted to address the evolving landscape of cyber threats.