What Hospitals Expect From Companies During Security Assessment

Jacob Nemetz
Dash Solutions
May 21, 2020

Digital health companies, startups, and software vendors that sell to enterprise healthcare organizations and hospitals typically go through a security vetting process as part of procurement.

Most regulated industries, including healthcare, are taking third-party risk more seriously, since a single vendor with inadequate security standards can expose the organization to a security breach and major fines (consider the recent Quest Diagnostics breach of 11.9 million patient records).

Considering that 63% of all cyber attacks can be traced either directly or indirectly to third parties, it is no wonder organizations are placing vendors under greater scrutiny during procurement. Healthcare organizations typically vet new vendors by requiring vendor teams to complete a security risk assessment (SRA) and answer a series of security questions.


Healthcare vendors will generally deal with the following requirements when working with healthcare organizations:

Vendors Will Typically Have To Sign A BAA

Most hospitals will require vendors to sign a Business Associate Agreement (BAA) with them, even if protected health information (PHI) is not used or processed by the vendor. This agreement outlines how security responsibilities and HIPAA requirements are shared between the healthcare organization and the vendor. Vendors should be prepared to execute this agreement and abide by the security and breach-notification requirements defined in the document.

Vendors Must Have Administrative Policies in Place

Healthcare organizations are looking to work with vendors that have established administrative policies and standard operating procedures (SOPs) for managing security standards. These policies should address security topics including system access, audit logging, risk management, disaster recovery, and employee training.

With protected health information (PHI) and other sensitive information often being accessed by third parties, vendors should address how relevant regulatory standards such as HIPAA/HITECH, FDA, and PCI DSS are managed within their administrative security policies.

Vendors Must Share How Their Solution Fits Into Hospital Infrastructure

Healthcare organizations will want to see infrastructure requirements describing how vendor solutions will be deployed and used. Organizations want to know whether a solution runs on-premises or in the cloud, and whether it is built as a web application, a mobile application, or an API-based solution.

Vendors will want to be able to show how their solution connects to existing infrastructure and applications, and should be prepared to share documentation covering:

  • Solution architecture diagrams
  • Solution requirements
  • Dataflow diagrams (and explanations for types of data used by the solution)
  • Compatibility with EHRs or relevant systems

Vendors' Security Programs Must Be Realistic

Enterprise healthcare organizations want to know their vendors have a realistic security program they will actually be able to execute and follow through on. Vendors that are unprepared, or appear to be exaggerating on hospital security risk assessments, often face more intense scrutiny during assessment.

For example: a small company of five employees may not be able to commission a third-party penetration test on a semi-annual basis. In this case it is much better for the company to commit to a longer time frame than to set a security objective that it will never meet.

Being prepared and able to answer security questions will make the process a lot easier.

Learn how a solution like Dash ComplyOps can help your team create administrative policies, and enforce policy standards with continuous compliance monitoring. Explore Dash ComplyOps today.


Founder of Dash Solutions. Security & compliance for the public cloud.