In January 2020, a healthcare consultancy experienced an increasingly common event - a successful phishing attack. The firm’s Security Officer became aware of the attack when clients reported a barrage of ‘spam’ emails from one consultant’s email account. The consultant’s email account was immediately disabled, password changed, and all active sessions logged out, thus ending the active attack.
That’s when the race to investigate, perform a risk assessment and determine if the consulting firm had experienced a security incident or a breach began.
The HIPAA Security Rule(45 CFR 164.304) defines a Security Incident as “an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Conversely, the HIPAA Breach Notification Rule (45 CFR 164.400-414) defines a Breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information”.
An impermissible use or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity (CE) or business associate (BA), as applicable, demonstrates there is a low probability that PHI has been compromised based on a risk assessment. By these definitions, from a HIPAA standpoint, all breache sare security incidents, but not all security incidents are breaches.
Most Business Associate Agreements (BAAs) require the BA to notify the CE in the event of either a security incident or a breach. For the BA, making the right determination and notifying the CE per the terms of the BAA requires preparation in order to take immediate action.
Ultimately, the Security Officer determined the attacker created an inbox rule to direct all new email messages to the consultant’s deleted items folder and triggered new phishing emails to be sent to the consultant’s contact list. There was no indication any data, including personal information (PI) or PHI, was accessed or exfiltrated during the time the unauthorized party had access to the consultant’s email account; therefore, the Privacy Officer determined a security incident, rather than a breach, had occurred.
Surprisingly, notifying twelve impacted clients of the security incident turned out to be a significant manual work effort. The consultancy’s inventory of BAAs was not centralized, rather, they were dispersed throughout the organization among several separate client folders. The Privacy Officer spent hours searching for the most recent executed BAAs and found they lacked fully executed BAAs for half of the impacted clients. Why? Because the signatory to the agreement had not saved the final versions to the appropriate client folder.
Despite a fire drill-like effort to locate all the BAAs, two out of twelve remained outstanding, the Privacy Officer made the decision to proceed with notifications to all twelve impacted clients.
From the most aggressive security incident notification requirements, “immediately” and “promptly”, plus the varying methods for delivering the notifications including fax, courier service and certified mail, complying with the terms of the BAAs were made more difficult by expending hours to locate the BAAs and the need to read each BAA in detail due to the lack of an automated and centralized BAA repository.
The security incident was a critical illustration of the value of taking proactive measures to minimize and stabilize internal responses to security incidents and breaches. The first step taken was implementing PHIflow’s BAA Analytics Platform in order to rapidly establish a central BAA repository; remediate any uncovered issues, discrepancies, gaps; and maintain an ongoing, up-to-date repository of existing and future BAAs.
The consultancy is now practicing what they have been preaching to their clients for years – “get your BAA house in order".
Part II of Phishing for BAAs will be released on April 21, 2020. Stay tuned!