Healthcare Organizations: Assessing Business Associates' Risk

By law, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) apply to covered entities– health plans, healthcare clearinghouses, and certain healthcare providers. However, it’s important to note that most healthcare providers and plans don’t carry out all their healthcare functions and activities alone. They often use the services of other individuals or businesses, often referred to as "business associates."

Overview of the HIPAA Rule in Healthcare

The HIPAA Rule permits covered providers and health plans to share protected health information (PHI) with these business associates. However, sharing protected data is only allowable if health providers or plans obtain satisfactory assurances that the business associate will safeguard the information from misuse and only use the information for the purposes and duties covered under the Privacy Rule.

The Privacy Rule requirements compel health organizations to conduct rigorous assessments of their business associates' risk profiles and security assurances. And, beyond business associates, there may be other third-party types that should also be risk assessed.
Healthcare organizations have several options when it comes to assessing a third party's risk associate's posture. But, what should a healthcare organization review and confirm regarding business associate security risk?

If a third party has a security certification, providing a copy of that certification for review may be all that is needed. In the absence of security certification, a questionnaire should be completed by the third party. For instances in which other information is required, a review of business associate-provided information security policies and related documentation may be sufficient. A combination of these options may be used, especially if a healthcare organization begins by conducting a questionnaire and reviewing third-party policies and documents.

What does each of these options entail? What security assurances can be requested? What type of questionnaire should be used? And what types of information security policies should be requested? In other words, what needs to be assessed? Let’s cover more of that.

Requesting Compliance Reports in Addition to Security Assurances

Security assurances, such as ISO 27001 certification and SOC 2 reports, aren't healthcare specific. So, in addition to ISO 27001 or SOC 2, your organization may need to request that a third party also provide specific compliance reports if they're a business associate or a third party touching PHI or payment card industry (PCI) data. Imagine, for instance, that a third party will store your organization's PHI within their system, but they can only provide a current SOC 2 Type II report. In that case, you'll need to request additional documentation. To ensure a third party meets your health organization's requirements for storing your PHI and cardholder data (CHD), you'll need to request two additional types of documentation. Among these, a HIPAA Compliance Report and PCI Attestation of Compliance (AoC) should suffice.

Sample Security Assurances include:

• Certifications (ISO 27001: 2013, HITRUST r2)
• Independent audit reports (SOC 2 Type I and SOC 2 Type II)
• Compliance reports (HIPAA Compliance Report, PCI DSS AoC, PCI DSS RoC)

Third-Party Assessments Using Third-Party Questionnaires

It's quite routine for a healthcare organization to conduct a third-party risk assessment using a questionnaire. In other cases, you may wish to ask for a security certification or third-party audit. To assess the third-party, you should use a cybersecurity or an information security control framework, which serves as the basis for the third-party questionnaire.

Cybersecurity Framework vs Compliance Framework

A third-party questionnaire should be based on a standard cybersecurity framework. There are several frameworks from which a healthcare organization can choose and use as the basis of a third-party questionnaire. It should be noted, however, that, depending on your healthcare organization’s budget and capabilities, a compliance framework such as HIPAA or PCI DSS may not be as comprehensive as a cybersecurity framework, such as NIST 800-53 rev 5 or CIS Controls. For many, a compliance framework is a good starting point, but your third-party risk assessment should hold your third parties accountable for security risks, and you should choose the framework that is best for your organization’s security posture.

HITRUST CSF

The HITRUST Cybersecurity Framework (CSF) is specific to healthcare. It’s a security framework that could be used for third-party questionnaires. However, the HITRUST CSF is a proprietary framework that only HITRUST Qualified Organizations and HITRUST Qualified Individuals can utilize. That means your healthcare organization may or may not be able to base your questionnaires on this framework. It depends on your affiliation with HITRUST. To learn more about the HITRUST CSF License Agreement and view the Terms and Conditions, visit the HITRUST CSF v9.6.0 License Agreement webpage.

NIST CSF

The National Institute of Standards and Technology (NIST) provides frameworks which can be used to create third-party questionnaires. The NIST Cybersecurity Framework (CSF) groups technical controls into the following control functions: Identity, Protect, Detect, Respond, and Recover. Using this framework will help you better understand a third party's security posture in general security terms. However, this framework is more applicable for assessing an organization's risk management program and cybersecurity practices in general. Therefore, questionnaires based on the NIST CSF may not provide detailed visibility into a third party's security practices in privacy and supply chain or those required by HIPAA, PCI DSS, and GDPR.

NIST 800-53 rev 5

Security and Privacy Controls for Information Systems and Organizations, Revision 5, is one possible set of security controls that provides complete visibility into a third party's security posture. Using NIST 800-53 as the basis of third-party questionnaires will ensure that all key security controls and compliance regulations essential to healthcare will be covered. In fact, NIST 800-53 is the framework upon which the HITRUST CSF, NIST CSF, and CIS Controls were created. NIST 800-53 is a comprehensive collection of security and privacy controls that provide full-spectrum coverage of an organization's security posture.

Revision 5 also includes three new control families:

• Privacy risk management
• Supply chain protections
• Cybersecurity program management

At the time of this publication, neither the HITRUST CSF nor the NIST CSF incorporates these new control families. For a detailed look at NIST 800-53 and the specific updates with Revision 5, visit the NIST website.

CIS Critical Security Controls v8

In cases where a questionnaire simply needs to assess if a business associate has basic security hygiene in place, CIS Critical Security Controls makes the perfect control framework. Originally known as the SANS Top 20, the CIS Controls are now in version 8 and have been reduced to 18 controls from 20. The Center for Internet Security (CIS) developed these 18 Controls (and their corresponding sub-controls called "Safeguards") to be used by any organization to implement a basic cybersecurity program. Frameworks such as the HITRUST CSF and NIST 800-53 rev 5 may be too detailed for a healthcare organization to assess a third party who isn’t a business associate, or doesn’t have any access to sensitive data, but still needs to demonstrate an acceptable security posture. A third-party questionnaire based on the CIS Controls can do just that. For more information on CIS Controls, the Center for Internet Security provides an informative poster for quick reference.

One Third-Party Questionnaire or Several?

Some healthcare organizations will decide to use one questionnaire that all third parties and business associates are asked to complete as part of a risk assessment. In other organizations, two or three questionnaires are developed. Each type of assessment is applied depending on the scope, extent, and nature of the access, transmission, or storage of PHI by the third party or business associate. You can create several questionnaires based on different frameworks, such as one based on NIST 800-53 rev 5 and another on CIS Controls. It's up to your third-party risk assessment team as to "what" is best to use for assessing your third parties with your questionnaires.

Knowing what to assess during a third-party risk assessment is key to gaining insight into your third party's security and privacy posture. Using that insight, you can determine whether the third party or business associate presents risks to your organization due to their security practices (or lack thereof). Whether you accept security certifications, third-party audits, or require every third party to complete a questionnaire and provide a list of documents for due diligence, your third-party risk assessment team should understand which information and elements should be assessed and how best to apply them to meet your third-party risk management needs.