There is no quick and easy way to select a vendor to trust with HIPAA-sensitive data. It requires some legwork to determine what kind of security they have in place and possibly identify any shortcomings.
Organizations using hybrid systems (where some data are hosted in the cloud and some within the organization on a server) open more avenues for data breaches due to the complexities of the system’s landscape, says Sunil Konda, vice president of product at SYNERGEN Health, a company in Dallas that provides software and consulting services for healthcare organizations. So far in 2019, 79 healthcare privacy incidents have been reported, including at companies such as OXO, BlackRock, Ascension, Rubrik, Advent Health, UConn Health, EmCare, and Quest Diagnostics, Konda notes.
“Pre-emptive and proactive cybersecurity crisis plans are important. As the use of digital healthcare services such as telemedicine, electronic health records, and wearables become the new normal in the industry, there has been an increase of cybersecurity threats due to the growing number of points of entry for hackers looking to capitalize on highly sensitive and valuable information,” Konda says. “The question isn’t if but when there will be a breach, as there is a high chance that every organization across industries and sectors will encounter some level of cyberattack at some point.”
To reduce the chances of a security breach, Konda says there are eight essential items that healthcare entities should look for when selecting a vendor to meet the challenges of keeping patient information safe:
• Information Security, Quality, and Compliance Framework. A cybersecurity compliance framework provides steps and recommendations on implementing and managing various aspects of the vendor relationship. Putting committees in place with coordinators ready to address compliance, information security, and quality and knowledge management creates a strong approach that spans the width of the organization to show how trustworthy the vendor is, Konda says.
• Policies and Attestations. When entering into an agreement, the policies and attestation standards should be clearly developed and presented. Key areas include HIPAA compliance audits, quality policy, and information security policy.
• Administrative Safeguards. Administrative policies and procedures should be in place to address security with agreements, business associates, and supplier management. Periodic audits of processes, documentation, and compliance protocol along with annual assets, risk assessments, and technical compliance reviews will further strengthen a vendor’s security measures, Konda says.
• Physical Security. Ensuring the server room is monitored and nonessential areas are restricted to unauthorized employees or guest access will assist with physical barriers. Additional physical security measures include 24/7 closed-circuit television monitoring and biometric access control.
• Technical Infrastructure Security (Cybersecurity). The investment of a cyber infrastructure with multiple levels of security will assist vendors in preventing external and internal threats. Using encryption, secure backups, and additional network security, hackers’ attempts to gain access can be prevented.
In addition, vendors need to show proof that a third-party organization is contracted to conduct penetration tests on the network on an annual basis to identify any vulnerabilities, Konda says. Proper action then can be taken to correct any detected risks.
• Human Resource Security. Steps vendors can take to mitigate internal personnel security risks include a robust screening and background check prior to the applicant’s employment, continuously updating access control during employment, changing of roles within the company, and proper termination procedures to safeguard access throughout an employee’s tenure with a company, Konda says. Scheduling monthly and quarterly reviews and compliance refreshers can assist with creating a company culture rooted in security and compliance.
• Incidence Response. The vendor should have a comprehensive incident response framework in place in case of a breach. Konda says this framework should be made up of essential personnel including but not limited to an interactive response technology team lead, an IT expert, legal representative, and management. It also should include steps to review and assess the incident and impact of the breach on the business, the response, implementing temporary and permanent fixes, and reporting to law enforcement officials.
• Applicable Regulations. Ensure vendors are up to date with major U.S. laws and regulations. This includes the Health Information Technology for Economic and Clinical Health Act Omnibus Rule, HIPAA, and the Fair Debt Collection Practices Act.