
What Contractors Can Do To Protect Your Patient Data?


Let’s face it. Hospitals depend on outside contractors for specific projects because you can’t find, or can’t afford to keep, someone on staff full time for a job you only need part of the time. That sounds completely reasonable to me.

But while it’s reasonable to have contractors come in and work with you on projects—many of which give them access to your sensitive data (PHI or employee files)—it’s important to note that these contractors are NOT necessarily bound by your operating policies and procedures, especially when it comes to HIPAA and data security.

Contractors are often using their own equipment—phones and laptops—and may, during the course of a project, have access to your patient lists and databases. How in the heck are you going to protect your sensitive data with contractors working on your team?

Today I want to walk through a checklist of steps for making sure your data stays secure with those contracted by your hospital.

Is it in writing?

This may be a no-brainer to many of us, but when we evaluate prospective clients, you’d be surprised how many have no written agreement documenting the security standards expected of a vendor at the time of hire. Make sure to explicitly outline your security and privacy policies and procedures (and cite them in the agreement) so the contractor understands the standards you expect them to meet.

Are you in control?

When a contractor starts working with you, you may be thinking about simply giving them the bare minimum access to your systems. That means when you have something to email them, you’re emailing outside of your network. You might want to reconsider how much control you have over them. That includes controlling their email (they have an email account issued by your hospital) and preventing data from leaking outside your organization, because it stays on systems where your standards are being met.

BYOD, or Bring Your Own Device, may also be popular with contractors. But if your organization has a strict policy or specific requirements for devices in the workplace, you might reconsider allowing that external device on your network. Consider furnishing your contractors with the same types of equipment you would if they were internal employees, so that they grow accustomed to following your terms (you’d be surprised how hard it is to lose bad habits, especially when someone is given the privilege of using equipment that reinforces those habits!).

Are you limiting their access?

Many vendors ask for more privileges and access than they actually need. Your eyes would bulge if you saw the types of access vendors had on some of the hospital networks we’ve assessed. Vendors are given carte blanche access to data systems—sometimes with administrator rights (which means they can manipulate or change your system at their leisure)—without ever having a legitimate reason for that type of access.

Consider limiting access to data by creating permissions that reach only the specific data necessary for the contractor to fulfill his or her assignment. Never give them the keys to the castle! Do not permit them access to confidential data such as Social Security or account numbers, for example, and limit the amount of patient information they are able to access.
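One concrete way to apply this at the database layer, written as an added example and not taken from the original post or any particular hospital: give the contractor a role that can read only a view projecting the columns and rows the project needs, and never a grant on the base table. This assumes PostgreSQL; the table, column and role names (patients, ssn, account_number, contractor_readonly, jdoe_contractor) are hypothetical.

```sql
-- Added example (not from the original post): least-privilege database access
-- for a contractor in PostgreSQL. All table, column and role names are hypothetical.

-- The base table holds everything, including fields the contractor never needs.
CREATE TABLE patients (
    patient_id      integer PRIMARY KEY,
    full_name       text NOT NULL,
    date_of_birth   date,
    ssn             text,        -- confidential: never exposed to contractors
    account_number  text,        -- confidential: never exposed to contractors
    attending_unit  text NOT NULL
);

-- A group role that carries the contractor permissions and cannot log in itself...
CREATE ROLE contractor_readonly NOLOGIN;

-- ...and a personal login role for one named contractor that expires with the
-- engagement, so access ends when the contract does. The password is set out of band.
CREATE ROLE jdoe_contractor LOGIN
    PASSWORD '<set-out-of-band>'
    VALID UNTIL '2025-12-31'
    IN ROLE contractor_readonly;

-- Weak setting (the "keys to the castle" the post warns about). Left commented
-- out on purpose: it hands the contractor every column, every row, and write access.
-- GRANT ALL ON patients TO contractor_readonly;

-- Corrected setting: a view that exposes only the non-confidential columns and
-- only the rows in scope for the project (one unit), then SELECT on the view alone.
CREATE VIEW contractor_patient_view AS
SELECT patient_id, full_name, date_of_birth, attending_unit
FROM patients
WHERE attending_unit = 'Cardiology';

REVOKE ALL ON patients FROM contractor_readonly;          -- nothing on the base table
GRANT USAGE ON SCHEMA public TO contractor_readonly;      -- needed to resolve the view
GRANT SELECT ON contractor_patient_view TO contractor_readonly;

-- Check: list the role's effective table privileges. Expect a single row,
-- SELECT on contractor_patient_view, and nothing on patients.
SELECT table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'contractor_readonly';
```

Because the view is owned by the administrative account and PostgreSQL views run with the owner's privileges by default, the contractor can query the view without any grant on patients; the ssn and account_number columns are simply not reachable from that role. Re-running the final query during periodic access reviews is a cheap way to catch privilege creep after the project scope changes.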

Have they gone through your security training?

Most hospitals overlook critical areas, such as security awareness training, when they hire contractors. Make sure your contractors go through the same onboarding routines as your regular staff. That includes requiring them to complete your HIPAA security training course and pass the exam. If they have no idea what your security expectations are and aren’t aware of the risks around them, they may unknowingly put your hospital’s data security at risk.

These suggestions are only the tip of the iceberg when it comes to making sure your vendors and contractors are secure and held to standards in line with your own. For a closer look at your vendors, or at your own security, security experts recommend a network security assessment aimed at detecting vulnerabilities and security risks on your network.