Abstract
Of all the ways to apply risk-based cybersecurity principles, analyzing risks to ePHI related to engaging third parties is very important. Failing to evaluate cyber risk at service providers is dangerous, and recent examples, such as the breach reported by Anthem in August of 2017, and risks to ePHI resulting from these relationships must be included on the risk register as well. In terms of patient data, business associates (BAs) are entities that perform services on behalf of covered entities and have access to ePHI. Business associates also engage third parties, establishing downstream BA arrangements. Regulations require that business associate agreements (BAAs) be executed for all such arrangements, establishing requirements for BAs to operate under. Included are permissible uses and disclosures of PHI and the expectation to protect PHI by adhering to safeguards required under the HIPAA Security Rule. BAAs also include provisions for notification when breaches occur. BAAs, however, should not be relied on for due diligence and information protection assurance. Managing third-party risk is not the sexiest aspect of cybersecurity; however, mismanaging third-party risk can be very damaging and lead to headlines. It is understood that BAAs are obtained any time a third party has access to, or is in possession of, ePHI. The focus of this chapter is to analyze and either accept or address the cyber risks to ePHI, prior to executing a business agreement and in addition to obtaining the signed BAA.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
International Organization for Standardization, www.iso.org/isoiec-27001-information-security.html .
- 2.
NIST, “Guide for Conducting Risk Assessments,” NIST Special Publication 800-30, Revision 1, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf , September 2012.
- 3.
Exploit Database, www.exploit-db.com/ .
- 4.
Metasploit, www.metasploit.com/ .
Author information
Authors and Affiliations
Rights and permissions
Copyright information
© 2017 Eric C. Thompson
About this chapter
Cite this chapter
Thompson, E.C. (2017). Third-Party Risk: Beyond the BAA. In: Building a HIPAA-Compliant Cybersecurity Program. Apress, Berkeley, CA. https://doi.org/10.1007/978-1-4842-3060-2_14
Download citation
DOI: https://doi.org/10.1007/978-1-4842-3060-2_14
Published:
Publisher Name: Apress, Berkeley, CA
Print ISBN: 978-1-4842-3059-6
Online ISBN: 978-1-4842-3060-2
eBook Packages: Professional and Applied ComputingProfessional and Applied Computing (R0)Apress Access Books