Digital health organizations and healthcare innovators often must complete a security risk assessment (SRA) during procurement. Typically, a healthcare provider will send your company a series of security questions designed to vet your security and compliance programs. Security risk assessments are generally structured as questionnaires about your company's policies, system architecture, interoperability, and overall security practices.
Healthcare providers then use this information to measure a vendor's overall security risk profile and decide whether the vendor is suitable to partner with. Because vendors are reported to account for more than 40% of security breaches, vendor security cannot be taken lightly. If your organization cannot show that its security is in line with the applicable regulations and with security best practices, your solution may be classed as a security risk. Evaluating your organization against the vendor risk assessment checklist below is a practical way to make sure you are prepared for any security assessment and can land new clients.
When evaluating a potential vendor, healthcare organizations tend to examine its security programs and efforts relating to:
- Network Configuration
- User Roles
- Security Plan
- Attack Surface
- Application Architecture
- BAA Requirements
- Disaster Recovery
- Support Structure
Make Sure Your Security Policies Are in Place
Before approaching health providers, be sure that your team has administrative policies in place. Your administrative policies should include standard operating and organizational procedures covering security roles, risk analysis and assessment, backup and disaster recovery, system access, and data management. Essentially, your policies should be built around every regulatory compliance standard that applies to you; for instance, they should address the applicable HIPAA/HITECH safeguards. They should not simply consist of legal documents, but describe a concrete set of practices implemented and followed across your organization. Administrative policies let your team prove that the organization is prepared and has a valid, functioning security program.
The following policies are an essential component of answering any vendor risk assessment. They should reflect your actual employee structure, technology, and everyday workflow. These are not legal documents, so simplify them as much as possible and write them in plain English so that every staff member can read and understand them.
Outline how your security controls are implemented across your applications and infrastructure, and make certain you have defined every step needed to manage security. Be sure to cover the following topics in your risk assessment checklist.
System Access: How user access to sensitive data is both granted and revoked.
Disaster Recovery: How both backup and DR standards are implemented, tested, and managed.
Incident Response: How security incidents are reported, investigated and resolved.
Risk Assessment and Analysis: How your organization assesses, manages, and resolves security issues and security risks.
Security Roles: How security staff roles and responsibilities are delegated within your organization.
Security Training: How security awareness training is implemented throughout your organization.
Since these policies can be presented to auditors as proof that safeguards are in place, do not stop once they are up to date: review, assess, and continually update them using your cybersecurity risk assessment checklist.
Make Sure All Security Safeguards Are Implemented
Administrative policies are only a small part of a security program and of any vendor security assessment checklist. Digital health companies and software vendors must also ensure that all technical safeguards are in place and kept current. Your company should have security protections covering the following areas:
- Security: network/application firewalls, two-factor authentication, intrusion detection
- Privacy: access control, two-factor authentication, encryption
- Confidentiality: confidentiality agreements, access controls, encryption
- Processing Integrity: quality assurance, processing monitoring
- Availability: performance monitoring, disaster recovery, security incident handling
Cloud platforms typically provide tools for configuring these technical controls, but under the shared responsibility model it is still up to your organization to ensure that every resource is actually configured securely, and to be able to show evidence of that configuration to the assessing provider.
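As an added illustration of that last point (example code, not part of the original article or any Dash product), the script below audits a constructed inventory of cloud resources against the safeguard categories listed above: world-open firewall rules and missing access logging (Security), missing MFA and public access (Privacy), missing encryption at rest (Confidentiality), and short backup retention (Availability). The inventory schema (`type`, `ingress`, `encrypted_at_rest`, `mfa_enabled`, and so on) is hypothetical rather than any provider's real API output, and the 7-day backup floor is an assumed policy value; in practice you would feed it the output of your provider's inventory or configuration API and keep the findings as evidence for the "technical security controls" item of the checklist.

```python
"""Audit a constructed cloud resource inventory against the safeguard list.

Hypothetical inventory schema, not a real cloud provider's API output.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}
MIN_BACKUP_DAYS = 7  # assumed floor; take the real value from your DR policy


@dataclass(frozen=True)
class Finding:
    resource: str
    category: str  # Security, Privacy, Confidentiality or Availability
    issue: str


def world_open(cidr: str) -> bool:
    """True when a CIDR covers the entire IPv4 (0.0.0.0/0) or IPv6 (::/0) space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_resources(inventory: list[dict]) -> list[Finding]:
    """Return one Finding per misconfiguration found in the inventory."""
    findings: list[Finding] = []
    for res in inventory:
        name, kind = res["name"], res["type"]
        if kind == "security_group":
            for rule in res.get("ingress", []):
                if rule["port"] in SENSITIVE_PORTS and world_open(rule["cidr"]):
                    findings.append(Finding(name, "Security",
                                            f"port {rule['port']} open to {rule['cidr']}"))
        elif kind in ("storage_bucket", "database"):
            if not res.get("encrypted_at_rest", False):
                findings.append(Finding(name, "Confidentiality", "not encrypted at rest"))
            if res.get("public_access", False):
                findings.append(Finding(name, "Privacy", "public access enabled"))
            if not res.get("access_logging", False):
                findings.append(Finding(name, "Security", "audit/access logging disabled"))
            if kind == "database":
                days = res.get("backup_retention_days", 0)
                if days < MIN_BACKUP_DAYS:
                    findings.append(Finding(name, "Availability",
                                            f"backup retention {days}d below {MIN_BACKUP_DAYS}d"))
        elif kind == "user":
            if not res.get("mfa_enabled", False):
                findings.append(Finding(name, "Privacy", "MFA not enabled"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per safeguard category, for the evidence report."""
    return dict(Counter(f.category for f in findings))


# Constructed sample inventory (not real infrastructure).
SAMPLE_INVENTORY = [
    {"name": "web-sg", "type": "security_group",
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "0.0.0.0/0"},
                 {"port": 22, "cidr": "::/0"}]},
    {"name": "db-sg", "type": "security_group",
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/16"}]},
    {"name": "phi-exports", "type": "storage_bucket",
     "encrypted_at_rest": True, "public_access": False, "access_logging": False},
    {"name": "ehr-integration-db", "type": "database",
     "encrypted_at_rest": False, "public_access": False, "access_logging": True,
     "backup_retention_days": 1},
    {"name": "alice", "type": "user", "mfa_enabled": True},
    {"name": "svc-deploy", "type": "user", "mfa_enabled": False},
]

if __name__ == "__main__":
    results = audit_resources(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.category}] {f.resource}: {f.issue}")
    print(summarize(results))
```

On the sample inventory the script reports six findings: SSH open to the world over both IPv4 and IPv6 on `web-sg`, missing access logging on the `phi-exports` bucket, an unencrypted database with one day of backups, and a service account without MFA. Mapping each finding to a safeguard category makes the output directly usable when answering the corresponding questionnaire section.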
Health providers manage a complicated internal infrastructure consisting of electronic health record (EHR) systems, clinical data, and software solutions. As such, they need to ensure that new vendors will fit into their security programs and systems.
Vendors should have a defined set of all solution requirements and dependencies on hand that can be shared with potential health providers. Providers need to know exactly what data and what level of access your solution requires in order to operate, and how it works, since some hospitals require specific implementation or integration with their existing systems.
Gather All Relevant Documentation
Often, a health provider will want to review all evidence relating to your compliance efforts, including privacy and security policies, risk assessments, remediation plans, and staff training efforts. Be sure to keep track of everything and have a copy ready to hand over.
Have a signed and executed business associate agreement (BAA) with your cloud provider, and a copy of your latest SOC 2 report, on hand. You should always have a signed BAA with any vendor that stores, processes, or transmits protected health information (PHI) on your behalf. Be prepared to demonstrate how your security policies are applied and followed by remote development firms and any other third parties that do business with your company.
Vendor Security Risk Assessment Checklist
The following is a list of documentation and information that your team should have ready to provide during the vendor risk assessment process. Having these documents and best practices ready to go will streamline the security assessment process.
- Solution Requirements & Specifications: Information regarding the technical requirements, installation, and specifications of your solution.
- Support Capabilities: Information regarding your company’s support offerings and service level agreements (SLAs).
- Administrative Policies and Procedures: Any information regarding the operating procedures relating to your security and compliance programs.
- Reports and Documentation for Technical Security Controls: Information regarding how your team manages its security and compliance controls, including encryption, disaster recovery, audit logging, etc.
- Data-flow Information and/or Diagrams: Information regarding how your solution utilizes, accesses, and connects with health provider data and systems.
- All Executed Business Associate Agreements (BAAs): A list of all agreements executed with partners relating to the handling of protected health information (PHI).
- SOC 2 Type II Report (or equivalent): Your own latest security report, if you have one, plus any security reports and/or certifications from your cloud provider.
- Any 3rd Party Documentation: A list of any third-party audits, penetration tests, and certifications you may have.
Typically, digital health companies are vetted by completing a third-party vendor security assessment before they can do business with hospitals and enterprise healthcare companies.
That's where Dash comes in. We specialize in giving healthcare companies the foundation required to build and validate a cloud security program and maintain regulatory compliance. Consider working with Dash to create security policies, generate compliance reports, and share internal controls and security information with hospitals and enterprise partners.
Organizations that have worked closely with Dash have reported an increased understanding of their overall security program, allowing them to quickly complete security risk assessments and, in turn, get through the procurement process with hospitals and health systems much faster.
Dash ComplyOps streamlines the implementation of all necessary technical safeguards, including disaster recovery (DR), encryption, vulnerability scanning, and intrusion detection — everything needed to monitor compliance configuration in the cloud.