The Fundamentals of Vendor Security

Granting vendors network access is a common necessity for most healthcare organizations. But, as a spate of recent data breaches, the Maryland Developmental Disabilities Administration among them, has demonstrated, security concerns are compounded when external partners are granted access.

Properly assessing the security risks a third-party vendor presents is crucial to keeping healthcare companies' sensitive data safe. Fortunately, four straightforward steps can help maintain appropriate protection levels and manage vendor access to even the most confidential patient and employee data.

To craft a truly effective security strategy, we encourage providers and other healthcare organizations to prioritize their efforts and begin with the vendors that have access to the most important information, that have persistent access, and/or that have broad access. Assess the security posture of those priority vendors first before working toward the lower-priority ones. Finally, include specific information security requirements in every contract. With the following four measures, healthcare providers extend their security protection outward to their trusted service providers.

1. Triage. Start with the information asset inventory. If you don't have one, then before beginning this step you must inventory your environment to understand what sensitive, protected or confidential information is entering, residing in and exiting it. If you don't know what you have, you can't design a program to protect it. Companies in the healthcare sector should first focus on patient and employee data, then consider which vendors have access to it. Both types of information are critical.

Patient health information, financial and payment data, Social Security numbers and similar data points should be protected with the most robust measures. Once healthcare companies know where their top-tier assets reside, they should determine who has access and what type of access is permitted. Start with the vendor that has the greatest potential for impact and examine where along each access pathway exposure points may lurk. Consider employees, contractors and business associates, and look at account IDs, websites, USB drives, mobile devices, physical access, etc. Look beyond the immediately visible.

Determine which vendors have or will need access to these high-value information assets. Once providers know who will be touching their data, it's time to understand exactly what data they will be accessing. This is a good time to note any vendors who only need access to a less sensitive area but have full access. Their access should be scaled back to only what is necessary; the vendors who don't need the most sensitive data will thank the healthcare organization for containing both their access and their exposure.

The exercise of evaluation and prioritization tells providers where to start and how quickly to work. If they have 100 vendors, those vendors aren't all equal in priority. Leaving the vendor with the deepest access for last or next-to-last is inefficient at best and outright negligent at worst.
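The triage described above can be turned into an ordered work list once the inventory exists. The following Python is an added example, not code from the article or its author: the vendor records, data-store tiers and scoring weights are constructed assumptions chosen to reflect the three criteria the text names (sensitivity of the data reached, persistence of access, breadth of access), and the excess-access check surfaces the vendors that can reach more than their contract requires.

```python
"""Vendor triage: rank vendors by exposure and flag access beyond what the contract needs.

Added example; sample vendors, tiers and weights are constructed, not from the article.
"""
from dataclasses import dataclass

# Assumed sensitivity tiers for the organization's data stores (3 = most sensitive).
ASSET_TIER = {
    "ehr": 3,          # patient health information
    "billing": 3,      # payment card and financial data
    "hr": 3,           # employee SSNs and payroll
    "scheduling": 2,
    "facilities": 1,
    "marketing": 1,
}

# Assumed weights for the type of access a vendor's accounts hold.
ACCESS_WEIGHT = {"admin": 3, "readwrite": 2, "read": 1}


@dataclass
class Vendor:
    name: str
    accessible: set       # data stores the vendor's accounts can reach today
    needed: set           # data stores the contracted work actually requires
    persistent: bool      # standing access (VPN, service account) vs. escorted/ad hoc
    access_type: str      # "admin", "readwrite" or "read"


def exposure_score(v: Vendor) -> int:
    """Higher score = assess first.

    Sensitivity of the most sensitive reachable store, multiplied by access type,
    plus breadth (number of stores reachable); doubled when access is persistent.
    """
    top_tier = max((ASSET_TIER[a] for a in v.accessible), default=0)
    breadth = len(v.accessible)
    score = top_tier * ACCESS_WEIGHT[v.access_type] + breadth
    return score * 2 if v.persistent else score


def excess_access(v: Vendor) -> set:
    """Stores the vendor can reach but does not need: candidates for revocation."""
    return v.accessible - v.needed


def triage(vendors) -> list:
    """Vendors sorted from greatest to least exposure."""
    return sorted(vendors, key=exposure_score, reverse=True)


# Constructed sample inventory.
SAMPLE_VENDORS = [
    Vendor("print-shop", {"marketing"}, {"marketing"}, False, "read"),
    Vendor("hvac-maint", {"facilities", "ehr"}, {"facilities"}, True, "read"),
    Vendor("billing-clearinghouse", {"billing"}, {"billing"}, False, "readwrite"),
    Vendor("transcription-svc", {"ehr"}, {"ehr"}, True, "readwrite"),
]


def work_order(vendors=SAMPLE_VENDORS) -> list:
    """(name, score, stores to revoke) in the order the vendors should be assessed."""
    return [(v.name, exposure_score(v), sorted(excess_access(v))) for v in triage(vendors)]


if __name__ == "__main__":
    for name, score, excess in work_order():
        print(f"{score:3d}  {name:24s} revoke: {', '.join(excess) or '-'}")
```

The facilities vendor in the sample ranks second despite read-only access because its accounts can reach the EHR store; the work order both puts it near the top of the assessment queue and lists "ehr" as access to remove.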

2. Act. Once your team knows which vendors represent the greatest exposure points, confirm the security measures each of those vendors has in place for your information. The assessment may range from detailed, for vendors with access to critical systems or information, to high-level, for vendors with occasional access or access to only limited information. Look to see that patient information is protected with encryption on receipt, in transit and at rest. Have the vendor verify this, and have it formally agreed to in the services contract. This will be important if a data breach occurs.

In addition, vendors with access to critical information should have monitoring, logging and alerting in place to watch for unusual or potentially suspicious activity. The logs should be retained on read-only (write-once or otherwise tamper-resistant) storage for at least a year. Most data breaches are not discovered for months. If log files are deleted after a few weeks or months, the ability to ascertain what was accessed and, sometimes more importantly, what was not accessed, is gone.

Make sure you assess which networks are connected and could become pivot points into a more secure area. Some data breaches happen because vendors have access to a system, or to a network location that connects to a system, that holds an organization's important information. Network segmentation is crucial to a robust security plan; an organization's various data stores should never all be kept in one space. The security layers a healthcare entity should consider implementing are very similar to those financial institutions use for more tangible assets. When customers walk into a bank, there isn't a pile of money sitting behind the teller or behind a single locked door. Cash, a bank's most valuable physical asset, is protected by many layers of security; it's necessary to get through multiple doors, sometimes with secondary authorization, before reaching the vault. Sensitive data must likewise be segregated from information that requires a lower degree of protection, and vendors should only be able to reach the specific data stores required to carry out their duties. Vendors with access to or possession of sensitive data must state, in specific detail, the security measures they are providing for it.
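The monitoring requirement in the preceding paragraphs and the segmentation requirement here reduce to one check: every access by a vendor account is compared against the data stores and hours that vendor is permitted, and anything else is alerted on. The Python below is an added example, not from the article or its author. The log format, vendor scopes and log lines are constructed assumptions standing in for whatever the SIEM actually emits; the retention check implements the one-year minimum the text asks for.

```python
"""Flag vendor activity outside its permitted scope or hours; check log coverage.

Added example. Log lines, vendor scopes and the key=value format are constructed.
"""
from datetime import datetime, timezone

# Assumed permitted scope per vendor, as it would be recorded from the contract
# and access inventory: reachable data stores and a maintenance window in UTC hours.
VENDOR_SCOPE = {
    "transcription-svc": {"stores": {"ehr"}, "hours": (7, 19)},
    "hvac-maint": {"stores": {"facilities"}, "hours": (8, 18)},
}

# Constructed sample access log (one event per line).
SAMPLE_LOG = """\
2024-03-01T09:12:40Z vendor=transcription-svc user=ts_ops store=ehr action=read
2024-03-01T23:41:02Z vendor=transcription-svc user=ts_ops store=ehr action=read
2024-03-02T10:05:11Z vendor=hvac-maint user=svc_hvac store=facilities action=readwrite
2024-03-02T02:14:07Z vendor=hvac-maint user=svc_hvac store=ehr action=read
2024-03-03T11:00:00Z vendor=unknown-co user=tmp store=billing action=read
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a record with a tz-aware datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def check_access(rec: dict) -> list:
    """Reasons this event is suspicious; an empty list means it matches the vendor's scope."""
    scope = VENDOR_SCOPE.get(rec["vendor"])
    if scope is None:
        return ["unknown-vendor"]  # nobody granted this party access at all
    reasons = []
    if rec["store"] not in scope["stores"]:
        reasons.append("out-of-scope-store")  # segmentation / least privilege violated
    start, end = scope["hours"]
    if not start <= rec["ts"].hour < end:
        reasons.append("off-hours")
    return reasons


def findings(log_text: str) -> list:
    """(timestamp, vendor, store, reason) for every event that fails a check."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        for reason in check_access(rec):
            out.append((rec["ts"].isoformat(), rec["vendor"], rec["store"], reason))
    return out


def retention_shortfall_days(log_text: str, now: datetime, minimum_days: int = 365) -> int:
    """Days by which the oldest retained entry falls short of the required window (0 if met)."""
    oldest = min(parse_line(line)["ts"] for line in log_text.splitlines())
    covered = (now - oldest).days
    return max(0, minimum_days - covered)


if __name__ == "__main__":
    for ts, vendor, store, reason in findings(SAMPLE_LOG):
        print(f"{ts} {vendor:18s} {store:11s} {reason}")
    print("retention shortfall (days):",
          retention_shortfall_days(SAMPLE_LOG, datetime(2024, 9, 1, tzinfo=timezone.utc)))
```

On the sample, the facilities vendor's 02:14 read of the EHR store produces two findings at once (wrong store, wrong hours), which is the pivot-point scenario the paragraph describes; the unknown vendor is flagged because no scope was ever recorded for it. The retention check reports how far the log archive is from the one-year minimum rather than a bare pass/fail, so the gap can be tracked to closure.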

Another fundamental piece of any vendor's data protection strategy should be a strong employee security and privacy awareness training program. The vendor's individual employees are the people with day-to-day control over the portion of your organization's network and data they handle, so it is important to verify that the vendor has a carefully developed, well-communicated and effective program to guide them. The online, once-a-year, click-through-the-webpage training is not enough by itself.

3. Verify. The third step is to make sure all vendors with access to the healthcare organization's network or sensitive information have an objective third party conduct a security and privacy assessment at least annually. Your organization is unlikely to be able to review the full results of those assessments, which typically contain confidential information, but you should be able to see a "sanitized" version and learn what vulnerabilities were found and how the vendor remediated them.

As a healthcare leader's team reviews these independent assessments, they should remember that a perfect score, especially on an initial assessment, is nearly unheard of. The initial score isn't the part of the assessment of primary interest; most reports list a host of low-priority items, a few medium and even fewer critical ones. What should capture healthcare leaders' interest is how the vendor responded to the results and what remediation was performed. Ideally, providers and other organizations want to see three distinct steps:

Acceptance. The person leading a proactive security program will appreciate being alerted to a vulnerability so that it can be addressed before it becomes "a CNN moment." Some organizations look for ways to explain away negative findings; while a few findings may be explainable, more than a few "excuses" should be a red flag. A vendor that offers excuses rather than a plan isn't planning to address the findings.

Planning. The vendor should have a prioritized plan that addresses the most critical vulnerabilities early and saves lower-priority items for later. "We will get to that sometime" or "That's been a point of discussion" are not responses that indicate the vulnerability will be addressed. Instead, look for confirmation that budget has been allocated and the work is scheduled.

Testing. The vendor should verify the effectiveness of changes after they are implemented, confirming that each change adequately addressed the problem identified in the assessment.

It's far more important that vendors undergo robust assessments conducted by an experienced third party and that they take the results seriously than it is for them to score well on an initial assessment.

4. The paperwork. A handful of foundational elements should be included in the contract of every vendor who may have access to a healthcare organization's network, to sensitive data, or to access points that could expose protected information.

Institute baseline requirements for the vendor to follow. To maintain a sound security posture, vendors need basic security measures across every system and device in their own network. That includes garden-variety tools such as antivirus software, spam filters and encryption, which provide a first line of defense against commodity threats and raise the cost of more sophisticated ones. Unfortunately, not all companies follow best practices. Rather than assume a vendor has implemented the expected measures, healthcare providers should specify baseline procedures to be followed. The first essential measure to require in a contract is encryption. It is relatively easy to deploy and provides a tremendous level of protection, and its use is a good indicator of an organization's wider commitment to effective security. Vendor contracts also should give firm direction on limiting network or data access to only those people who need it. That access should be only for purposes of the contract, and it's often wise to stipulate regular audits to ensure these requirements are being followed.

Data retention is another item to include in vendor contracts. Outline requirements not only for how long data is retained, but also for how it is stored and how and when disposal is carried out. Sensitive information should typically be disposed of as soon as the work is completed, to minimize ongoing liability and breach risk.

Provisions should be included for notification in the event the vendor has a breach. Along the same lines, require vendors to carry both first- and third-party insurance coverage: the vendor should be covered for its own data breach costs as well as for cyber liability to others.

To streamline the contract negotiation and renewal process, healthcare organizations are often advised to maintain a clean business associate agreement and put all other provisions into the master contract. If network access or other data protection needs change, this arrangement will allow for a far smoother revision process.

Deena Coffman is CEO of IDT911 Consulting. 


Copyright © 2024 Becker's Healthcare. All Rights Reserved.
