April 19, 2018 // Ellen Neveux // Last Updated: November 18, 2020
The Health Insurance Portability and Accountability Act (HIPAA) carries with it data privacy requirements for individuals, organizations, and entities working with patient information.
HIPAA compliance requires best practices online and off for those who work with protected health information (PHI). When hospital systems provide remote access to third-party vendors without comprehensive controls, this compliance – and their overall network security – can be jeopardized. A HIPAA compliant remote access policy is essential in the healthcare industry.
This April, a New Jersey medical practice group agreed to pay more than $400,000 for PHI exposed due to the lax practices of a third-party vendor.
In early 2018, Best Medical Transcription, a third-party transcription vendor based in Georgia, updated software used to transfer files to practices within the Virtua Medical Group (VMG). During the update, the vendor mistakenly left its remote access site without password protection. The error potentially exposed the patient names, prescriptions, and medical diagnoses of approximately 1,654 patients.
After discovering its error, Best Medical removed the records from the open site and restored password protection to its server. The vendor, apparently hoping for the best, did not notify VMG of the problem. VMG was not aware of the data exposure until a patient who found her medical records on Google contacted them.
VMG conducted an internal review and then contacted the FBI and the New Jersey State Police to report the event. VMG discovered the records of 462 patients had been cached online. The group worked with Google to remove the exposed data.
The Acting Director of the Division of Consumer Affairs noted, “Although it was a third-party vendor that caused this data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it. This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough. You must fully vet your vendors for their security as well.”
Network managers should always know who has access to patient information, the extent of that access, and how long it’s available. Third-party vendor access should have tight restrictions that limit time, scope, and job function. In addition, every remote access session should begin with multi-factor authentication – and all activity must then be logged against a unique username and password tied to the individual, so that every action can be attributed to a specific person rather than a shared vendor account.
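The controls listed above (time-boxed, scoped, MFA-gated, individually attributable vendor access) as a small policy evaluator with an audit log. This is an added example, not SecureLink's code; the `VendorGrant` schema, the system names and the vendor account are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class VendorGrant:
    """One individual's time-boxed, scoped access grant (hypothetical schema)."""
    user_id: str                 # unique per person, never a shared vendor login
    vendor: str
    job_function: str
    allowed_systems: frozenset   # the only systems this job function may reach
    starts: datetime
    ends: datetime               # access expires automatically at this time
    mfa_verified: bool           # set only after a successful MFA step

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    def record(self, grant, system, decision, when):
        # Every decision is logged against the individual's unique user_id.
        self.entries.append({"when": when.isoformat(), "user_id": grant.user_id,
                             "vendor": grant.vendor, "system": system,
                             "decision": decision})

def authorize_session(grant, system, now, log):
    """Evaluate a session request; the decision is logged before it is returned."""
    if not grant.mfa_verified:
        decision = "deny:mfa_required"
    elif not (grant.starts <= now < grant.ends):
        decision = "deny:outside_time_window"
    elif system not in grant.allowed_systems:
        decision = "deny:out_of_scope"
    else:
        decision = "allow"
    log.record(grant, system, decision, now)
    return decision

def stale_grants(grants, now):
    # Expired grants still on the books: these should be reviewed and revoked.
    return [g for g in grants if g.ends <= now]

def demo():
    now = datetime(2018, 2, 1, 10, 0, tzinfo=timezone.utc)   # constructed timestamp
    grant = VendorGrant("j.doe@transcribe.example", "Transcription Vendor (example)",
                        "transcriptionist", frozenset({"dictation-sftp"}),
                        now - timedelta(hours=1), now + timedelta(hours=8), True)
    log, later = AuditLog(), now + timedelta(days=1)
    decisions = [authorize_session(grant, "dictation-sftp", now, log),   # in scope
                 authorize_session(grant, "ehr-db", now, log),           # out of scope
                 authorize_session(grant, "dictation-sftp", later, log)]  # expired
    return {"decisions": decisions, "audit": log.entries,
            "stale_next_day": [g.user_id for g in stale_grants([grant], later)]}
```

Running `demo()` shows one allowed session and two denials, each written to the audit log under the same individual user ID, plus the grant surfacing as stale once its window has passed.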
The point of access is often the weak link in data security. A secure remote access platform eliminates many common gaps and poor third-party vendor practices that lead to data exposure and regulatory breach.
Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and limits liability when supporting customers. SecureLink also serves many of the nation’s top hospitals and technology providers by delivering standardized, secure remote support that mitigates risk and helps you maintain compliance.