Lessons from Netflix

Who was hacked?

It wasn’t Netflix that was hacked, but a vendor, Larson Studios, performing audio finishing on the series Orange is the New Black. In entertainment, as in the rest of the business world, work is completed in collaboration with other companies that specialize in one task or another. After the hack of Sony Pictures in 2014, big studios became savvier about cybersecurity, but smaller entities, the thousands of vendors who support the industry, have not, leaving the studios vulnerable to hacking, extortion, and ransomware. At the time of this writing no extortion was paid. Kudos to the victim: the hacker didn’t win this round.

What does this have to do with healthcare?

The situation is analogous to healthcare, with Netflix in the position of a covered entity and Larson Studios in the role of a business associate. Covered entities outsource tasks like coding and billing, collections, medical transcription, file storage and data backup, among others. When the data a vendor manages contains protected health information (PHI), that vendor’s vulnerabilities put the covered entity at risk. But unlike vendors in the entertainment industry, business associates are separately responsible and subject to audits, investigations and fines by the Office for Civil Rights (OCR). And when PHI is breached, both the covered entity and the business associate are responsible.

Yes, it’s real.

In June 2016, a fine of $650,000 was imposed on the Catholic Health Care Services of the Archdiocese of Philadelphia (CHSC), a business associate which provided management and IT services to six skilled nursing facilities. CHSC lost a cellphone containing protected health information of 412 nursing home residents. The loss would have been avoidable had they been aware of HIPAA requirements and put protections in place.

What to do?

Covered entities need business associate agreements with their business associates. The agreement should specifically describe what the business associate has been engaged to do, and should require the business associate to comply with HIPAA.

Every entity in healthcare which handles PHI needs to understand its responsibility in protecting patient privacy. Inventory your business relationships and have the right agreements in place. Educate yourself about your responsibilities and establish policies backed by a culture of compliance.