As healthcare organizations know well, you can do everything possible to keep data secure—invest in tighter security controls, adhere to the highest standards, diligently train staff—and yet you can still be vulnerable to breaches because of the security practices of your third-party vendors.
Or as security experts often put it, “You’re only as strong as your weakest link.”
In an increasingly fraught security landscape, managing third-party risk is no easy task. Vendors vary widely in how vigilantly they safeguard electronic protected health information (ePHI) from unauthorized access and use. And although many companies claim to be “HIPAA-compliant,” there is no such shorthand that guarantees an organization complies with HIPAA standards.
In a 2017 survey of companies across multiple industries, conducted by the Ponemon Institute, only 17% said they felt their organizations were effectively managing security risks related to their third-party vendors. And a 2017 report found that 30% of breaches reported to HHS could be attributed to vendors or business associates.
The good news is there are best practices you can follow to help you assess your vendors’ security processes and their willingness to comply with your expectations. Here are six tips that can help guide your third-party risk strategy.
- Ensure your vendors conduct regular security assessments
Verifying that a vendor has conducted an information security risk assessment should be an imperative first step when healthcare organizations review a vendor’s security program. Risk assessments should be conducted on a regular, ongoing basis and reviewed and updated in response to changes in technology and the operating environment. At a minimum, security risk assessments should: 1) evaluate the likelihood and potential impact of risks to ePHI, 2) institute measures to protect against those risks, and 3) document the security measures taken.
Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risk that they identify, as well as remediate any deficiencies.
- Make sure vendors have written information security policies and procedures in place
Those written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance deliver expected outcomes. Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards.
- Verify that your vendors encrypt data in transit, including data stored on laptops, external hard drives and application databases
Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft. When a vendor tells you their data is encrypted, don’t stop there. Delve deeper and ask for details about different in-transit scenarios, such as encryption of backup tapes. It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself.
- Check that vendors enforce role-based access for information systems that contain ePHI
Role-based access gives users access only to the level of ePHI they need to perform their job, basing the level of access to data on the position each user holds within an organization. For instance, a chief financial officer in most organizations would have little or no access to ePHI in his or her day-to-day role, while a database technician might need limited access to troubleshoot an issue. Healthcare organizations should also ask their vendors if they enforce two-factor authentication for high-risk users and remote access.
- Ensure vendors have a disaster recovery program in place
In order to be compliant with the HIPAA Security Rule, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly state a plan for restoring ePHI.
- Look for vendors that have industry-leading security certifications or attestations
Nothing can substitute for a rigorous assessment and regular auditing of third-party security risk, but selecting companies that have received certifications or attestations of compliance against industry-recognized security standards, such as Service Organization Controls (SOC) 2 criteria, Health Information Trust Alliance (HITRUST) CSF Certification and the Payment card Industry Data Security Standard (PCI-DSS), can help provide assurance.
For more tips, check out our white paper, “Managing Third-Party Security and Privacy Risk: A Framework for Success.”