January 26, 2021//Ellen Neveux
Though most are very familiar with the Health Insurance Portability and Accountability Act (HIPAA) and its relation to third parties and remote access, we’re going to break it down a bit. HIPAA carries with it data privacy requirements for individuals, organizations, and entities working with patient information.
HIPAA compliance requires best practices online and off for those who work with protected health information (PHI). When hospital systems provide remote access to third-party vendors without comprehensive controls, that compliance (and their overall network security) can be jeopardized. A HIPAA-compliant remote access policy isn’t merely a good idea in the healthcare industry; it’s a necessity.
It’s important to remember that you can’t be in compliance if your vendors (or anyone external who has access to your “stuff”) aren’t compliant, too. The best place to start with that is to ensure that you know exactly who your vendors are, what they have access to, and that the access they have is only to exactly what they need and never more than just that.
In early 2018, Best Medical Transcription, a third-party transcription vendor, updated the software it used to transfer files to practices within the Virtua Medical Group (VMG). During the update, the vendor mistakenly left its remote access site without password protection. The error potentially exposed the patient names, prescriptions, and medical diagnoses of approximately 1,654 patients. After discovering the error, Best Medical removed the records from the open site and restored password protection to its server. The vendor, apparently hoping for the best, did not notify VMG of the problem. And, if you can imagine, it got worse: VMG was not aware of the data exposure until a patient who found her medical records on Google contacted them.
Things since then (and before then, too) haven’t really changed. Remember LabCorp and Quest Diagnostics? In June of 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. According to TechCrunch, the exposed records included names, dates of birth, addresses, phone numbers, dates of service, and more, and covered the period from August of 2018 until March of 2019. Both data breaches were caused by an attacker who gained access to the system of American Medical Collection Agency (AMCA), a third-party vendor that the two companies have in common.
The healthcare industry is still heavily targeted by attackers because of the wealth of information they can get. As someone who (I assume) has been to a doctor’s office of some sort, you know how many forms you have to fill out: all the information you have to give, all the releases you have to sign because of HIPAA/HITECH. When we, as patients, sign those papers and agree to hand over this information, we don’t think of all the vendors that might also be accessing it. It’s imperative that healthcare systems that work with vendors ensure the security of PHI, not only for HIPAA compliance, but for the patients, too.
Network managers should always know who has access to patient information, the extent of that access, and how long it’s available. Third-party vendor access should have tight restrictions that limit time, scope, and job function. In addition, every remote access session should begin with multi-factor authentication, and all activity must then be logged, capturing a unique username and password tied to the individual rather than a shared vendor account.
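The controls just listed (named individual accounts, MFA at session start, scope limited to job function, time-boxed sessions) can be checked mechanically against a remote-access gateway’s session log. The script below is an added example, not code from this post or from any vendor product; the policy table, the session records, and every field name in them are constructed for illustration.

```python
"""Audit third-party remote-access sessions against a per-vendor access policy.

Added example; the POLICY table and SESSIONS log are constructed, and the
field names assume a gateway that records user, MFA, start/end and scope.
"""
from datetime import datetime

# Constructed policy: which named individuals a vendor may use, what they may
# touch, and the longest a single session may run.
POLICY = {
    "billing-vendor": {"named_users": {"j.smith@vendor.example"},
                       "allowed_scope": {"billing"}, "max_hours": 4},
    "transcription-vendor": {"named_users": {"a.lee@vendor.example"},
                             "allowed_scope": {"transcription"}, "max_hours": 8},
}

# Constructed session log, one record per vendor login.
SESSIONS = [
    {"vendor": "billing-vendor", "user": "j.smith@vendor.example", "mfa": True,
     "start": "2021-01-26T09:00", "end": "2021-01-26T10:30", "scope": {"billing"}},
    {"vendor": "billing-vendor", "user": "shared-admin", "mfa": True,
     "start": "2021-01-26T11:00", "end": "2021-01-26T11:20", "scope": {"billing"}},
    {"vendor": "transcription-vendor", "user": "a.lee@vendor.example", "mfa": False,
     "start": "2021-01-25T20:00", "end": "2021-01-26T06:00",
     "scope": {"transcription", "ehr"}},
]


def audit_session(session, policy):
    """Return a list of policy violations for one session (empty if clean)."""
    rules = policy.get(session["vendor"])
    if rules is None:
        return ["unknown vendor: no approved access on file"]
    findings = []
    if not session["mfa"]:
        findings.append("session started without MFA")
    if session["user"] not in rules["named_users"]:
        findings.append(f"account {session['user']!r} is not tied to a named individual")
    extra = session["scope"] - rules["allowed_scope"]
    if extra:
        findings.append(f"scope exceeds job function: {sorted(extra)}")
    start, end = (datetime.fromisoformat(session[k]) for k in ("start", "end"))
    hours = (end - start).total_seconds() / 3600
    if hours > rules["max_hours"]:
        findings.append(f"session ran {hours:.1f}h, limit is {rules['max_hours']}h")
    return findings


def audit_sessions(sessions, policy):
    """Map session index -> findings, keeping only sessions with violations."""
    report = {}
    for i, session in enumerate(sessions):
        findings = audit_session(session, policy)
        if findings:
            report[i] = findings
    return report


if __name__ == "__main__":
    for idx, findings in audit_sessions(SESSIONS, POLICY).items():
        print(f"session {idx} ({SESSIONS[idx]['vendor']}):", "; ".join(findings))
```

Run against a real gateway export, the same checks give an auditor the evidence that vendor access is named, authenticated, scoped and time-limited, and flag the sessions that aren’t.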
A lot of what you need in order to be secure, efficient, and compliant revolves around the tool you use to let vendors access anything within your network. If you’re using the wrong tool for the job (like a VPN), it’s not a question of whether an audit or cybersecurity event will happen, but when.
The point of access is often the weak link in data security, and regularly the weakest point is vendors’ access to a larger hospital system network. A secure remote access platform eliminates many common gaps and poor third-party vendor practices that lead to data exposure and regulatory breach and can help you identify vulnerable vendors.
Interested to see if you’re HIPAA compliant in relation to third parties accessing your network? Check out our helpful, interactive checklist that will pinpoint any areas in which you aren’t HIPAA compliant so that you can quickly fix any issues before it’s too late.