
Are Your Vendors Keeping Your Hospital Secure?


Most hospitals don’t realize that their IT vendors are NOT HIPAA compliant and do not take proper precautions to protect and keep patient data safe.

In some of my most recent interactions with vendors, I’ve found many that leave data unencrypted, leak data unintentionally, or even transmit ransomware viruses across their networks to connected hospital networks, leaving some hospitals completely infected with ransomware.

As you are reviewing and renewing your contracts with vendors, there are 8 essential points you need to be diligently monitoring to ensure your patient data is actually being kept safe and that you are up and running quickly in the event of an outage:

Expect a Guaranteed Response Time—when evaluating your service level agreement (SLA), check what the vendor's response times actually are. More and more, hospitals overlook the fine details of their vendor contracts and end up with long wait times simply because the agreement set unreasonable expectations. Alternatively, many vendors fail to live up to their agreements and may not be providing the service level you are paying for. In the event your hospital has an outage, critical functions (ER, Radiology, medical billing) may go offline. When you call in with an issue on a Friday, you may not hear back until 9 am Monday. For some issues, that might be okay, but for many, a weekend's worth of downtime could mean the difference between life and death. Are you willing or able to accommodate long outages?

Your data is not encrypted—while you'd expect that healthcare-centric vendors understand how to keep data safe, the reality is that most don't evaluate their own systems for HIPAA compliance or security. Under HIPAA's Security Rule, you are only responsible for making sure data is secure in transit to your vendors, but your patients are entrusting you to ensure their identities are safe.

Also note that not all encryption is created equal. At a minimum, expect a guarantee that your data has AES-256 encryption, a level enforced by federal agencies. You'd be surprised how many vendors fail to provide even basic security around protected health data.

Data not destroyed—when their equipment is decommissioned, many vendors fail to remove and erase data from hard drives. This includes fax machines and copiers. If there is a hard drive and the device is being taken out of a secure location, the hard drive should be erased (if the device is being destroyed or recycled, the hard drive should be destroyed as well).

Maintain credentials—let’s be clear, HHS gives no seals of approval for vendors that say they cater to healthcare or HIPAA compliance. If someone presents you with a certificate, it’s just another marketing gimmick. What you need to do to evaluate a vendor’s credentials is to ask for a record of their audit history.

Any reputable healthcare-serving vendor should be able to provide you with results from past audits—specifically, audits focused on HIPAA compliance, as outlined by the HHS. If they have no records of compliance or assure you that they’re certified by XYZ, but not necessarily HIPAA standards, how can you be sure your PHI is safe in their hands?

They use offshore outsourcing—even though HIPAA does not explicitly prohibit offshore outsourcing, it is a huge burden to ensure that employees or teams working in foreign countries are abiding by security standards as strict as those in the US. That is because these outsourced offshore teams are not explicitly required to abide by US laws, including HIPAA standards.

Secure physical access to your servers—if a vendor is storing data on a server or hosting your data, they need to ensure that they are following security standards. To be HIPAA compliant, servers storing data need to be locked down in a data center at all times. We’ve frequently seen situations where hospital backup data is stored “offsite” in an unlocked garage.

Services complex healthcare environments—while you might think your hospital's network is not complex, it might be the most complex environment some of your vendors are servicing. Before taking you on as a client, some vendors may have had no experience in the healthcare arena or with hospitals at all; you might be their first. Understanding where a vendor's expertise lies is important to figure out whether they will serve you adequately.

Worried that your vendors might be charging you for un-rendered services? Not sure if they have your data secure? Contact Us Today for a free assessment.