Must a BAA require the Business Associate to report unsuccessful Security Incidents? Yes.
I bring this up because it's a recurring issue for me. When negotiating BAAs, the BA often says, "We don't need to report unsuccessful Security Incidents; 'Pings' happen all the time and never cause any problem because they never get anywhere. Asking us to report every ping is burden we can't possible take on." You know what? I agree. HOWEVER, the rules don't. Look at 45 CFR § 164.314(a)2)(i)(C):
“The [business associate agreement ] must provide that the business associate will . . . report to the covered entity any
security incident of which it becomes aware, including breaches . . . . “
(Emphasis mine.) Security incident is defined in 45 CFR § 164.304 as
follows: “Security Incident means the attempted
successful unauthorized access, use, disclosure, modification, or destruction
or information or interference with system operations in an information
system.” (Emphasis mine.) A “ping” is clearly an attempted
unauthorized access, which means it is a “security incident;” and the BAA
provisions say that the BAA must provide that the BA will report all
incidents.” The language clearly states that the BAA (or subcontractor
BAA, which must meet the same requirements) must require the business associate (or subcontractor) to report “pings.” In fact, stating that you need NOT report pings is
directly contrary with the clear language of the regulations.
This is, obviously, a ridiculous
requirement: pings are way too numerous and innocuous to make their reporting
anything but a nuisance. However, reporting them is explicitly called for
in the HIPAA regulations. Since reporting pings is required, I now include it
in my BAAs, but minimize the reporting to the barest minimum to still comply
with the regulations: a minimal number of reports (no more often than quarterly),
with minimal information (a summary statement that “our network system
regularly experiences 'pings,' port scans, and similar exploratory contacts,
none of which result in a successful access to our system” would be
sufficient), and only when requested (which likely will be never).
This complies with the requirements of the regulations but does not
unnecessarily burden anyone.
You can also look at the OCR Frequently Asked Questions page. Go here
and search "Security Incident Procedures," and you'll get the answer to this question:
What does the Security Rule require a covered entity to do to comply with the Security Incidents Procedures standard?
The answer mainly deals with what a covered entity must do to respond or react to pings, but the final sentence is telling: "However, § 164.314(a)(2)(i)(C) and (b)(2)(iv) require contracts between a covered entity and a business associate, and plan documents of a group health plan, respectively, to include provisions that require business associates and plan sponsors to report to the covered entity any security incidents of which they become aware." There's that word "any" again. . . .
Blogger: HIPAA Blog - Edit your Template