You Can’t Outsource Accountability!
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
Many smaller companies outsource their IT function. There is nothing inherently wrong with outsourcing. It allows the outsourcing company to save money and allows many smaller IT firms to create jobs and contribute to the economy. However, I have often found that there are no contracts with the IT firm. Many companies operate with the assumption that as long as they get their email and can access their data, the IT firm is doing its job and all is well. There is a lot more to being compliant with regulations and even more to operating securely. As the owner of the data, you are accountable to your customers and the regulators to manage your IT vendors.
Compliance is essential when it comes to HIPAA, as the Health and Human Services (HHS) Office for Civil Rights (OCR) and state attorneys general have the power to shut down your business and impose fines and punitive measures if you don’t comply. Business associates and their subcontractors have the same compliance requirements as covered entities.
When you are looking for an outside IT vendor, verify that the vendor is HIPAA compliant. The vendor can provide encryption for your electronic Personal Health Information (ePHI) while the data is at rest and in transit. The vendor has its physical security at the data center, with high tech locks, cameras, man-trap doors, access logs, etc. The IT vendor is managing your access control, making sure your employees only have access to the data necessary to do their jobs.
But who is managing the IT vendor? Are you performing an audit on the IT vendor? You perform background checks on your employees. Does your IT vendor, and have you verified it? If your IT vendor is managing your servers, it has administrative access to all of your data. It is important to know who, specifically, has access to the administrator passwords to your systems.
To comply with the HIPAA Security Rule, a vulnerability scan is usually performed as part of the periodic evaluation of the effectiveness of the security measures in place. Is a vulnerability scan part of your contract with your IT vendor? Do you have a patch management policy in place with your IT vendor? Performing a vulnerability scan periodically is a good idea, but those vulnerabilities need to be fixed. The primary way vulnerabilities are fixed is through vendor patches – patches that need to be installed. We have all heard about the Equifax breach, but did you know the threat agents were able to breach Equifax because Equifax failed to install a patch months after the patch was available? In my opinion, losing ePHI because a patch was not installed would fail the “reasonable and appropriate safeguards” required by the Security Rule. You might expect that your IT vendor is on top of the patches, but have you double checked? You can do a Google search for the latest patches available for the software you are using and then ask for screenshots of the software versions installed on your systems. That process is simple, easy and takes less than an hour for all involved.
I have talked to various covered entities (health care clearinghouses, health care providers who transmit ePHI, and their business associates) and I hear a common practice that “periodically evaluating the effectiveness of the security measures in place” means having a HIPAA assessment by a 3rd party every 2 years. I am not sure where the 2-year timetable originated. For your business, it may be an acceptable timetable. If you don’t have high employee turnover, your business processes don’t change very often, and you do perform an ongoing risk analysis, then every 2 years may be acceptable. If those attributes don’t apply to your business, then I suspect that OCR will have some questions.
Outsourcing responsibility for the “reasonable and appropriate administrative, technical and physical safeguards” of your ePHI is a valid business practice. However, you cannot outsource the accountability for the safeguards of that ePHI. Your IT vendors need to be managed too.
HIPAA was enacted in 1996, and the security regulation, known as the Security Rule, was published on Feb 20, 2003. You can Google the text of the regulation using “45 CFR Part 160 and Part 164, Subparts A and C.” The HHS has a good summary of the Security Rule located here:
Ben Hunter, III CISO, Advisory Services Principal, CPA/CITP, CISA, CRISC, CDPSE, CISM
Ben is the Chief Information Security Officer for BRC and is a Senior Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit […]