If you are a B2B software company that works in healthcare IT, this may be pertinent to you. The giant sucking sound of healthcare data breaches may be from one of your systems.

This month, two major health systems reported massive healthcare data breaches.

Arizona-based Banner Health discovered that personal information of around 3.7 million patients might have been compromised in a cyberattack through unauthorized access to payment card data at food and beverage outlets at some Banner Health locations. The attackers targeted the data as it was being routed through payment processing systems.

Bon Secours Health System, based in Richmond, Va., announced that personal information on more than 650,000 patients might have been compromised due to data being exposed from a vendor’s information systems.

What connects these two incidents is that the data breaches are the results of attacks on business associates (BAs), not the health systems themselves.

What's equally important about these data breaches is that the hackers were not necessarily looking for patient medical records — they seem to have been looking for any personal information they could steal.

BA, BAA, HIPAA – who is it, what is it, and why should you care?

Under HIPAA rules, covered entities such as hospitals, health insurance companies, clinics, nursing homes and pharmacies must comply with requirements to protect the privacy and security of health information. If a covered entity engages a vendor — referred to as a business associate (BA) — the covered entity needs to have a written business associate agreement (BAA) in place. The vendor is also directly liable for compliance with certain provisions of the HIPAA rules.

The U.S. Department of Health and Human Services (HHS) defines a business associate as a “subcontractor that creates, receives, maintains or transmits protected health information on behalf of another business associate.”

BAAs lay out all the responsibilities of the vendor as they relate to the handling of personal information; they also lay out the obligations in the event of a breach.

The bottom line is that technology companies that are BAs are liable for any data breach attributed to a failure at their end. Many BAAs have no limits on liability, so a BAA can create significant financial risk for a BA.

For covered entities, these recent data breaches indicate that an ongoing review of their business partner relationships is becoming critically important, because the ultimate liability for these breaches falls on the covered entities.

Why is this important for B2B healthcare technology companies?

Enterprises in sectors such as financial services have been deploying sophisticated information security systems for years; as a result, the effort and cost of trying to penetrate the information systems of financial services companies have become prohibitive for hackers. Healthcare, with its vulnerable legacy systems, has been a lucrative target (with some estimates putting the black market value of a stolen health record at $60). Some hospitals have been victims of ransomware as well. However, health systems have been tightening up IT security in the wake of unprecedented data breaches in 2015 and 2016, prompting hackers to focus on the next layer of vulnerability — BAs.

Healthcare IT companies that have been in the medical market for a while understand HIPAA and their obligations under a BAA. They have compliance training programs in place for employees and documented processes for dealing with HIPAA violations and data breaches.

However, the healthcare B2B vendor landscape has changed significantly in the past few years.

The new landscape of healthcare IT

New technology companies are trying to get in on the opportunities opening up due to healthcare consumerism and digital transformation in the sector. The need for cost control is also driving healthcare enterprises to use cloud-based services and turn to offshore-based operations to support critical IT systems.

Here are examples of trends that might impact IT security and expose healthcare enterprises to data breaches:

Digital health: The era of healthcare consumerism and digital transformation is upon us. Hundreds of digital health startups have sprung up, fueled by billions of dollars in venture capital. These startups are focused primarily on growth, and compliance is not a high priority for them.

Cloud migration: With the rapid movement of IT to the cloud, covered healthcare entities are finding themselves contracting with emerging technology companies that build on cloud platforms such as Amazon Web Services (AWS) or Microsoft Azure. In many cases, covered entities may not be dealing directly with cloud providers, but through a BA who delivers a cloud-based service.

Outsourcing and offshoring: Covered entities such as health plans and health systems have large offshore-based operations teams supporting their IT environments. These teams could be vendor organizations, or even captive centers that are extensions of the parent entity. While no data ever leaves the United States, as per regulatory requirements, offshore teams have access to production systems and databases that expose them to consumers’ personal information.

Health systems are under pressure today to innovate and tap into partnerships to deliver bottom-line value to the enterprise. However, they need to protect their IT systems from vulnerabilities arising from these partnerships.

Many health systems are doing just that, as I discussed in one of my earlier blogs on this topic.

Healthcare technology companies, for their part, need to be aware of their obligations under HIPAA and understand that compliance is not just about IT security but also about physical and administrative safeguards. If technology companies fail to protect their systems, there can be a serious financial impact, not to mention reputational consequences, for themselves as well as for the covered entities they work for.

The chain is only as strong as its weakest link, as the saying goes.