Privacy and Security Best Practices: Guidelines for Vendor Accountability

The explosion of mobile health technologies and connected devices has revolutionized healthcare, making patient data easier to collect, analyze and share. However, it has also heightened security and privacy risks for hospitals, providing even more access points for cybercriminals to infiltrate hospital networks.

Some of the biggest data breaches in recent years have stemmed from cyberattacks waged against third-party vendors that provide technologies and tech-based services to hospitals. More than half of hospitals (56%) have experienced a data breach introduced by one or more third-party vendors over the past two years, according to a 2019 report by Censinet and the Ponemon Institute. Hospitals often fail to proactively assess the security risks of vendors before contracting with them or using their services, and the results can be costly, especially when a vendor does not share the hospital's standards for data security and privacy. With many hospitals using thousands of vendors, the annual cost of managing vendor risks reaches about $3.8 million per provider, the report shows.

Whether hospitals hire vendors to process customer payments, store data in the cloud or supply connected medical devices, they must be vigilant about holding those vendors accountable for keeping systems and devices secure and protecting patient data. What should hospitals routinely ask of or expect from partners to prevent a vendor-related breach?

Here are some key accountability questions to pose:

Are you compliant with HIPAA and other data privacy regulations? First and foremost, you must ensure that vendors are compliant with HIPAA and can provide documentation from an independent auditor to prove it. Beyond that, you need a clear understanding of how vendors will use your data. How much of it includes PHI, and who has access to it? Vendors also need to explain the measures they will take to protect data, whether that includes installing firewalls and anti-virus software, segmenting network servers, or creating a virtual private network for remote access.

How often do you update infrastructure and perform risk assessments? Vendors must be able to explain and verify their security practices, as well as what they are doing to keep their systems and devices updated, patched and configured properly so they can minimize vulnerabilities and cyberthreats. You should ensure that all vendors, especially those with access to PHI, are performing risk assessments annually and working to fix any security gaps that are detected. Vendors also need to demonstrate how they are protecting their routers and networks and the precautions they are taking to prevent unauthorized parties or devices from tapping into them.

Do you have documented policies and procedures in place to handle a data breach or other disaster? Despite all the safeguards a vendor may have in place to protect data security and privacy, a breach can still happen. If and when it does, it helps to have written policies and procedures that specify when and how impacted parties will be notified and how the incident will be handled, so that both you and the vendor can avoid costly fines and lawsuits. Along with this documentation, you need to have a business associate agreement in place with vendors that spells out your requirements for data security and privacy compliance and what will happen to your data should that agreement be terminated.