Assess your cloud-based vendors to ensure security and privacy

Cloud computing has been around for a couple of decades, but some healthcare agencies are reluctant to surrender the certainty of their server room. After all, if we aren’t holding the data, how can we ensure it is safe? Can we really protect our data if we store it in the cloud?

The answer is yes, provided that specific criteria are fulfilled. Because security, like compliance, is both technological and behavioral – and both of those vectors must be satisfied when using a cloud-based service provider.

Unlike the on-premise racks of their predecessors, cloud-based EHRs store PHI data in cloud servers. And while there are still good reasons to manage all that data on-site, for most organizations, a cloud strategy is more affordable and sustainable.

So how can you ensure your data is safe? It is your responsibility — and privilege — to insist that your vendors prove their security and compliance controls to your satisfaction. This diligence is crucial while selecting products and vendors, and it is essential after services have been implemented. Your vendors must demonstrate that they are attentive to security and protect PHI per your organizational requirements.

When choosing a vendor for your organization, ask these questions. Then ask them to re-verify the information annually. Because with judicious vendor selection and attentive management of their capabilities, your organizational data can be secure and compliant.

Will they sign a Business Associate Agreement?

  • A BAA contractually requires vendors to comply with HIPAA requirements for storing and transmitting your organizational PHI. Get one from anyone who handles your data. Business Associates have skin in the game, since the agreement ensures they assume responsibility for their own risk. If a partner stores, creates or handles PHI, the BAA is a requirement. If they won’t sign, that’s a deal-breaker.

Do they have any current certifications (HITRUST, SOC2, etc.)?

  • You are responsible for assessing the capabilities of your vendors, and certification is the most certain and manageable way. Increasingly, organizations insist that third-party associates and vendors demonstrate their security with a SOC 2 or HITRUST certification.

Do they have other customers who require compliance with HIPAA and 42 CFR Part 2?

  • The responsibilities of a Business Associate are complex. If the vendor doesn’t already serve healthcare clients, it’s unlikely they’ll be positioned to address your organizational needs.

What cybersecurity standards and frameworks have they implemented?

  • HIPAA does not prescribe solutions. Instead, it identifies risk factors and requires that administrative, physical and technical safeguards be implemented to mitigate those risks. We turn to relevant frameworks to provide prescriptive guidance to mitigate the risks identified in regulations. NIST 800-53, NIST 800-171 and NIST Cybersecurity Framework are all relevant standards that can be tailored to the organization’s specific needs.

Is PHI encrypted at rest and in transit? If so, how is the data encrypted?

  • A high level of encryption is crucial to ensure that data is sufficiently protected. No compromises should be made in this area. Be certain this provision is specified in your agreement and any contracts.

Does their information security and privacy program cover all operations, services and systems that process sensitive data? This includes:

  • The appointment of a qualified individual to oversee the program
  • Creation and updating of policies and procedures for ensuring security and privacy
  • Assurance of regulatory compliance
  • Monitoring physical and environmental risks
  • Implementation of controls to mitigate privacy and security risks
  • Ensuring their workforce members have been trained in accordance with HIPAA requirements
  • Assessing and monitoring subcontractors

Do they have policies and procedures in place for network security, physical security and business continuity?

  • HIPAA Policies and Procedures are the blueprints of how your vendors have agreed to protect patient information. They will show one dimension of a vendor’s compliance diligence.

How is their network equipment physically secured?

  • Ask them to explain and demonstrate the security of their network equipment in the facilities where they reside. This applies to vendors who employ cloud data centers as well as those who store their data on-site.

What data center providers do they use, if any?

  • If the vendor utilizes a data center provider (AWS, Google Cloud, Azure, etc.), they are using subcontractors. It is the vendor’s responsibility to manage their vendors, just as you manage yours. Ask them to demonstrate their requirements for data centers and other subcontractors. 

Do they provide a web application? If yes: 

  • What does the application do?
  • Do they maintain a valid SSL certificate?
  • How is the web environment secured?
  • How is user input validated?
  • How do they avoid third-party scripts and CSS?
  • Does the application use encryption?
  • How are requests authorized?
  • Do they offer multi-factor authentication (MFA)?
  • Do they offer single sign-on (SSO)?
  • How can users recover their credentials?

Do they employ penetration testing?

  • Penetration testing can be performed internally or by an external partner. Learn how they perform pen testing, and at what frequency.

How do they keep their server operating systems patched?

  • The vendor should have a patching strategy and a strict cadence for reviewing needed patches. This applies to vendors who employ cloud data centers as well as those who store their data on-site.

Do they back up your data?

  • How and where are your organization’s backup files stored? It is crucial to ensure that data is available to authorized individuals when needed, so a complete and accurate backup is crucial to disaster recovery and business continuity efforts.

Secure your organization’s data with confidence by asking the right questions when selecting a cloud-based EHR vendor. Your due diligence in verifying their security measures and compliance is crucial for protecting sensitive information. Ready to enhance your data security strategy? Contact us today for a consultation and ensure your data is in safe hands.

#CloudSecurity #EHR #PeopleFirst #HealthcareIT #DataProtection #Compliance #PHI #HIPAA #VendorManagement #XpioHealth