Once upon a time, news of PHI disclosures or healthcare data breaches only caught the interest of security and privacy nerds. Now they grab headlines and prompt worries and distress among practice owners, privacy officers, CFOs, and patients alike.
The disastrous data breach of the collection firm American Medical Collection Agency (AMCA) is the latest to cause sleepless nights, particularly since, after the count of US citizens affected by the breach exceeded 20 million, actions by AMCA clients left AMCA no choice but to file for bankruptcy protection.
What made this breach especially scary to providers is that their patients’ data was exposed due to the actions or inactions of a vendor they assumed they could trust.
Since the AMCA breach, some Quadax clients have contacted us to learn whether or not we have been impacted by this event. In this article, we’d like to assure our audience that 1) we have no relationship with AMCA, and 2) we do have strong controls in place to protect our clients’ data both for our systems and for the third parties with which we contract for ancillary services.
As much as we’d like to tell you that you will never experience this kind of failure when you trust Quadax, we must admit that there is nothing in the world that will ever be completely hack-proof. As soon as something is ‘hacker-proof,’ the universe builds a more devious hacker. For that reason, Quadax never stops working at security and privacy; it’s never a box to be checked ‘finished’ so that we can move on to other matters.
Security is a full-time, never-ending endeavor. Three of the facets of the Quadax security efforts germane to this discussion are:
- Our SOC 2 Report
- Our extensive (exhaustive) vendor vetting program
- Our perpetual security monitoring program, including penetration testing, resource utilization monitoring, and routine vulnerability assessments
Quadax submits annually to audit processes to produce the System and Organization Controls (SOC) for Service Organizations Report Relevant to Security, Availability, Processing Integrity, and Confidentiality Principles. Each year, our external auditor conducts an examination of Quadax controls in accordance with attestation standards established by the American Institute of Certified Public Accountants. Their determination affirms that our controls were suitably designed and are operating effectively to meet the Applicable Trust Services Criteria throughout the specified period of time.
Among the controls and processes examined by our auditor is Sub-Server and Vendor Management. Quadax maintains a stringent Vendor Management program that begins with initial vetting and carries through to annual assessments to ensure ongoing reliability and integrity. The Quadax Compliance and Legal departments collaborate on the process, with input from the Security Officer.
The vetting methodology proceeds through stages of assessment as data is collected, attestations are reviewed, and a number along a scale is assigned to indicate the “critical level,” reflecting the degree of risk the engagement represents to security and privacy.
Baseline verifications include:
- General Service Administration (GSA) System for Award Management (SAM) database: Is the vendor in good standing, or has the vendor for any reason been excluded, sanctioned, or debarred by a Federal agency?
- Office of Inspector General (OIG) List of Excluded Individuals and Entities (LEIE): Is the vendor in good standing, or has the vendor for any reason been excluded from participation in Medicare, Medicaid, and other Federal health care programs?
- Has the vendor been placed under a Corporate Integrity Agreement?
- Does the vendor appear on the Health & Human Services (HHS) “wall of shame”?
From there, collection of key data points helps Quadax to establish the critical level of the potential vendor through a thorough understanding of how the vendor will be operating: precisely what access is required; whether or not PHI will be stored, transmitted, processed, or accessed; whether or not there would be any offshore components; and several other important factors.
Third-party attestations to the compliance and operating standards of the vendor are also examined. Quadax requires that vendors provide either SOC 2, ISO 27001, or EHNAC, and potentially also PCI compliance, as applicable.
Legal documents governing the relationship between Quadax and the vendors with which it chooses to engage, each carefully stipulating services, requirements, and penalties for nonconformance, will include some or all of these, depending on the nature of the services and the critical level assigned:
- Business Associate Agreement
- Non-Disclosure Agreement
- Vendor Insurance Standards Agreement
- Vendor Security Standards Agreement
- The Master Service Agreement (MSA) Agreement
Quadax leaves no stone unturned when it comes to safeguarding data and reputations – our own, and our clients’.
On a continual, ongoing basis, Quadax uses logging and monitoring software to collect data from system infrastructure components and systems to monitor system performance, potential security threats and vulnerabilities, to evaluate resource utilization, and to detect unusual system activity. Key indicator reports, along with other tools, serve to alert management of deviations from expected activity which may signal unauthorized access attempts. Quadax separately conducts routine vulnerability assessments on the corporate infrastructure, searching for any potential weaknesses that could be exploited so they may be mitigated before it’s too late. It’s important for vulnerability testing to be part of standard, regular routines since weaknesses may arise in any number of circumstances: through the installation of a new patch that corrects a different problem; through the implementation of a new application or an upgrade to an existing one; or through the introduction of a new client or vendor access channel, to name just a few.
It’s expensive and resource-intensive to maintain this degree of vigilance, but as a company entrusted with protected health information (PHI), personally identifiable information (PII), and confidential business information, we make security and privacy a top priority. You can read more examples of the serious commitment Quadax makes to compliance here.
If you’re not currently working with Quadax, but you’d like to learn more about our compliant revenue cycle solutions for hospitals, laboratories, or physicians and other professional providers, please get in touch. We’re always pleased to demonstrate how our services can help healthcare providers thrive despite today’s complex reimbursement environment.