But “BAs” are to data breaches what gasoline is to fire—an accelerant.
If you want a big, honking, flaming breach, hire a BA, because they've managed to expose just over 12.2 million patients' records in those 129 breaches. That's a disproportionate 56% share of the nearly 21.8 million individuals' records subjected to breaches on the OCR's list.
Of those 12.2 million individuals' records that went bye-bye, business associates have let thieves steal 34% of them; lost another 16%; allowed unauthorized persons access to 14%; mailed 12% to the wrong people; exposed 10% to hackers and otherwise bungled away the remaining 14%, according to a report by the data security consortium Health Information Trust Alliance, known as HITrust.
There have been 101 different business associates implicated in those 129 breaches, the OCR data shows. Yes, that's right; that means there have been frequent fliers—17 BAs, in fact, that have helped more than one of their clients make headlines.
Less than half of healthcare data handlers, including BAs, are compliant with the HIPAA security rule, according to Daniel Nutkis, CEO of HITrust, which only recently, in its sixth year, scored a coup in that several of its largest members have committed to requiring that their business associates undergo and pass a standardized, third-party security review.
“We know that more than 50% of organizations don't use two-factor authentication for remote access” to protected health information, Nutkis said in a recent telephone interview. “We also know that 50% of computers” that are used to access patient information “have malware on them; and there is a significant amount of password sharing.”
“When they submit stuff to us,” for security rule compliance verification, “they just come up with every cockamamie excuse you could think of” for noncompliance, Nutkis said.
It shows—eventually—on the wall of shame.
Follow Joseph Conn on Twitter: @MHJConn