There’s a guy that hangs out at a street corner downtown. All night long he’s out there “vigilantly protecting his turf”. He’s not in a gang. Rather, he has self-appointed himself to watch over people’s cars—tourists and locals, alike—to protect them from damage while the car owners are away.
The charge for his service? 5 bucks.
I’ve only ever seen a couple of folks take him up for the service, but every time, I’m wondering whether they should be just as worried something would happen to their car regardless of paying the guy. Is this guy really going to expertly protect their car on a public street downtown for 5 bucks?
How the heck does downtown parking relate to your business associates?
The downtown parking vigilante, in many respects, mirrors what several business associates do with your organization’s sensitive information.
If you are in healthcare or are concerned about your team’s medical records or personal identities—even the basic stuff like Social Security Numbers or insurance information—you probably interact with some sort of business associate—a business that uses, handles, is exposed to, or processes that data in some way, shape or form. You might not even have a second thought about them keeping your sensitive data secure, unlike relying on a vigilante to protect your car.
But have you ever thought about all of those organizations that might touch, view, or interact with your sensitive data?
In healthcare, these organizations that work with protected health information are called business associates. HIPAA legislation defines a business associate as:
A person or entity (including subcontractors)—other than a member of your workforce—who performs functions or activities that involve access to protected health information (PHI). They may create, receive, maintain or transmit PHI on behalf of your organization OR on behalf of other associates of yours.
To boil this down, if you work with any type of health-related data, or deal with sensitive information that can specifically identify an individual (Social Security Numbers, for instance), you probably are dealing with some sort of business associate.
Why worry about those business associates?
Going back to that vigilante on the street protecting your car: if you were to entrust your vehicle to his care, what specifically would he be doing to keep your car from getting scratched, dinged, or damaged?
He’s not a cop. He didn’t explain how he’d protect the vehicle. He simply said that he’d keep it safe.
Many business associates do exactly the same thing. They say something in their marketing materials about sticking to security standards, or they may simply say that they are “HIPAA certified”, but the fact of the matter is that a big proportion of business associates are really no better at backing up their security claims than that guy on the street protecting your car.
My big concern for your organization: business associates experience data breaches.
The main reason business associates experience breaches is that they either (1) say they are securing your data but end up not doing so, or (2) think they are keeping your data secure while their own IT support teams are neglecting your data’s security.
In either event, your patient records or your team’s sensitive information is at risk!
One recent case sounding alarms involved an IT consulting service that ended up subcontracting support for dozens of health offices to a team in India that had no idea how to keep data compliant with the standards demanded by HIPAA. (Note: even if you aren’t working in healthcare, your organization may be expected to abide by security standards as strict as those outlined in HIPAA.) Tens of thousands of records were mistakenly released by the outsourced IT company, leading to a lawsuit that settled out of court for several million dollars in damages.
My concern with your organization entrusting your data to others: be careful who you entrust.
While there are many very responsible associates that practice what they preach and are good stewards of your data security policies, there are many that handle your data irresponsibly (a recent study found that business associates are behind nearly 20% of data breaches each year).
Before you sign a contract, security experts advise that you make sure your associates are above board with their network security. Many suggest you require that your associates obtain a network security assessment, so you know how they’ll handle your information.