Infosec officer shares tips for keeping IT vendors HIPAA-compliant

Inspira Health Network established a vendor-monitoring program that not only protects data but also improved the system’s ability to share it. Information security officer Francois Bodhuin’s advice: Keep it simple but thorough.
By Tom Sullivan, Editor-in-Chief, Healthcare IT News

Technology vendors and business associates are a point of failure that hospital executives and information security specialists cannot control but must manage on several fronts.

Inspira Health Network created a vendor-monitoring program to more effectively lock down HIPAA compliance among its vendors.

The first step was to clean house, according to Inspira’s information security officer Francois Bodhuin.

“We had to get an inventory of business associates and check that they all had business associate agreements in place,” Bodhuin said.

BAAs are a great start, he said. The key is to establish the security relationship with a vendor before any contract or BAA is signed.

Inspira also came up with a proprietary questionnaire to use when querying vendors about their security and compliance practices. Answers are then normalized and rated accordingly.

Bodhuin added that not every question is disqualifying; whether or not a vendor carries cyber-insurance, for example, is weighed in the rating but does not by itself rule a vendor out.

“The risk of a breach is lower and the vendors are better prepared to react,” Bodhuin said. “It also gives us legal recourse if a BA is breached because they did not follow the practices they described during our survey.”

Bodhuin’s advice to other executives and infosec pros considering new ways to monitor their technology vendors?

Keep it simple but thorough because such a program can be very taxing on resources. In certain instances it can be easier to work with new BAs than existing ones — but also know that some contracts can be very difficult to terminate.

Perhaps most important: Don’t just think about compliance and security in terms of the omnibus HIPAA Final Rule on Privacy & Security but, instead, consider what having better security practices in place enables the healthcare organization to do.

“We set up better ways to share data,” Bodhuin said.

“So in the end, our data is better protected wherever it is. Less risk to our data means less risk of breaches, penalties, reputational damage.”

Bodhuin is scheduled to present at HIMSS17 during the session “How to create compliant security relationships with vendors,” on Thursday, Feb. 23, 2017, from 12:00 p.m. to 1:00 p.m. EST in Tangerine Ballroom F4.

HIMSS17 runs from Feb. 19-23, 2017 at the Orange County Convention Center.