'We have taken an approach to risk that's a little bit different'
There's a right way to manage third-party risks and vendor contracting, and there's the wrong way. And, too often, it's the latter. But it doesn't have to be.
As healthcare organizations continue to increase their number of business associates and cloud vendors, it has become more and more essential to ensure that these vendors are in fact adequately protecting your organization's data.
Mitchell Parker, the chief information security officer at Temple University Health System, knows a little something about managing this risk the right way. Parker, who will be speaking at the Healthcare IT News Privacy & Security Forum in San Diego next month on vendor contracting best practices, says that when it comes to risk management with vendors, a lot is often overlooked.
Sure, a well-negotiated contract is crucial, particularly with regard to HIPAA breach liability, but your work doesn't end there – far from it, in fact. You also need to decide how the ongoing risk will be managed, what due diligence should be performed, and how often a vendor's security performance should be monitored and audited.
"There are a lot more considerations you have to follow when taking a look at what your third-party vendors are doing," he said. "One of the big issues obviously with breaches has been how well is the data secured," with not only technical controls but also, just as important, procedural controls.
As the head of information security at the four-hospital health system based in Philadelphia, Parker says you also need to consider procedural controls around custom code and custom programming, and ensure that a vendor's custom code and programming are held to the same standards your own organization applies.
"That's a big consideration you have to take a look at especially when you're securing PHI," he added. "And especially when considering a very large amount of electronic medical record data in the United States is actually now stored on the cloud."
Another big piece of all this, as Parker explained, is Temple University Health System's approach to risk. "We have taken an approach to risk that's a little bit different," he said. "We actually have taken it from a complete organizational risk as opposed to just IT risk." So, for instance, when they evaluate a product, his team looks at it not only along IT lines but also in terms of how it affects the business side of things.
"Say, for example, you want to purchase a product to do third-party reviews. Well, how is it going to interplay with the system that currently does third-party reviews?" he added. They ask those questions from an entire system point of view. "We take a very holistic approach."
He will discuss that approach in more depth at the Privacy and Security Forum this March, alongside Dave Peterson, of Kaiser Permanente's vendor and third-party assurance; Stephanie Musso-Mantione, chief information privacy and security officer at Stony Brook Medicine; and Mike Gentile, EVP of innovation and security at Auxilio.