5 Things to Look for When Evaluating the Security of Your Health IT Vendors

By Patrick Yee, Chief Technology Officer,  Ensocare
Twitter: @EnsocareCircle

One of the biggest trending topics within the healthcare sphere is something that, if all goes well, can be completely invisible. And if something goes wrong, it has the potential to create a crisis-level situation for your organization.

I’m talking, of course, about cybersecurity. As healthcare continues to evolve, leaders find themselves tangling with topics far afield from the clinical topics they may be used to. Security is one such topic, and while it’s been at the top of mind of IT experts around the country, we’ve noticed in our customer installations that even clinicians are now asking questions about what can be done to enhance their security protocols.

We’re thrilled that so many people are paying attention to issues we’ve been wrestling with for years. To clear up some of the confusion, I’m providing advice on how those in a clinical setting can be better equipped to evaluate the security of their health IT vendors.

If you’re in the IT field, you very well may be nodding your head in agreement or want to add on to what we discuss (and please, feel free to do so in the comments). And if you’re a physician, case manager, nurse or clinician of any kind, having a basic understanding of the following topics will enable you to make a smart, well-researched decision when it comes time to make a department or enterprise-wide tech investment.

HIPAA as a Minimum
There’s not a single person within healthcare who hasn’t lived in HIPAA’s influence since its inception. Protecting patient privacy is at the center of everything we do in health IT, and strict adherence to the guidelines laid out by the Health Insurance Portability and Accountability Act is essential.

Back when the law was passed in 1996, even the smartest health IT prognosticators wouldn’t have been able to foresee how far we’d evolve in these 20+ years. Instant access to the internet has made the threat of cyber-incursions far more serious than at any time in history, and things like social media have only fueled the potential risk of patient data leaking out through human or technological error and cause a costly catastrophe.

You need an IT solution attuned to the modern challenges of protecting PHI. After you’ve put out your technology RFP and have identified potential vendors, ask them about security practices and the protocols they’ve put in place to protect PHI, and ensure that they have attestations of their compliance authored by third-party auditors. Ask about any security incidents in their past and what they did to contain the damage if any incidents ever popped up.

One more vital question: ask them if in the course of product usage they’ll be pulling any nonessential data in that could be a breach of patient privacy, whether disclosed or not (for example, if the application requires access to a webcam or microphone even when the application is not actively in use).

Third Party Interaction
This leads right into my next point, which is that of third-party interaction. Ask your prospective IT vendors to identify if any third parties will come into contact with PHI during the life of the product and, if so, who. If they share any patient or provider data with other vendors, that’s something you’ll want to identify. It doesn’t necessarily disqualify your organization from working with them (depending on your policies), but it should warrant a closer examination from your health system’s leaders. At a minimum, the given prospect should have Business Associate Agreements (BAAs) in place with all third parties, and ideally, they have attestations of compliance for the same protocols they are abiding by from all third parties.

This is particularly important when considering CMS’s recent push to make all patient data the property of the patients themselves.

Another big factor to consider is interoperability.

CMS wants all systems within healthcare to work together with one another. The days of every potential IT solution acting as its own ecosystem are over. Everyone in health IT has been pushing their developers to come up with interoperable solutions. No one is completely there yet, but at the very least, your prospective IT vendor should have answers when you ask about it.

Let’s be frank: we’re years away from healthcare being a “plug-and-play” environment where data can be easily transmitted between departments, systems and organizations. But this is the main focus of health IT experts now and for the foreseeable future. Any tool you consider for implementation within your organization should, at the very least, have a roadmap for interoperability in the future and a list of systems they’re currently interoperable with.

If you receive veiled or vague promises about where a vendor stands with interoperability, looking elsewhere may be the right call so that you don’t have to start from scratch in a couple of years.

Cloud Vs. Server-Side Hosting
More and more healthcare IT companies (Ensocare among them) are evolving to cloud hosting. And with good reason.

We recently featured a conversation with Paul Hanson, Manager of Product Operations at our organization and our in-house expert on cloud hosting (among many other topics). He spoke about the benefits of moving to such a hosting solution. For us, that was Amazon Web Services. It gives us limitless capacity to securely store and process data and continue expanding as we take on new healthcare organizations. It also comes with a set of security standards that are among the best in the world.

On-premise hosting certainly doesn’t disqualify a vendor from being your preferred solution, but it does put the onus for security squarely on that vendor. As Paul hinted in that same interview, a company who relies on on-site hardware will have to continue to invest in upgraded equipment as they expand, and they’ll have to constantly re-evaluate and upgrade their security processes. If the company is up to the task, this can be its own benefit, but you definitely want to get a sense of how the company is storing and processing data, whether in the cloud or on site, the security they have in place to protect that data and if any third parties will be brought into contact with the data. Either way, you should look beyond HIPAA for SOC-2 or SSAE 18 compliance at a minimum for on-premise hosted solutions.

Support Processes
Finally, your IT vendor should be able to speak to the level of support they offer.

There are two types of support to inquire about. The first is the day-to-day calls that come up in the course of doing business. If someone has a question about using the system in question, is your prospective vendor there from 8-5 to answer those inquiries? Are they a 24/7 operation? Will there be live chat, the opportunity to get someone on the line at all times of day, or are all communications done via email? Ensure your vendor meets the level of support you expect when things go wrong or when a user needs help.

The other type of support to consider is that which occurs when a potential breach is detected. In these situations, time is of the essence. If the breach occurs on your side of the digital ecosystem, ask how they can step in to help you triage the damage and secure what’s possible on their end.

Also ask what kinds of parameters they have in place when a breach occurs on their end. Hackers progress in their sophistication at the same rate as the cybersecurity experts deployed to stop them, and even the very best within health IT could have unknown vulnerabilities exploited.

The questions you should ask include not just what kinds of systems they have in place to prevent a breach, but what they do should a breach occur. After all, it’s your data on the line, and having assurances about the recovery and protection of that data is essential.

Clinicians are in a position that’s unique within the broad history of healthcare. They’re being tasked with overseeing information technology and engineering well outside the scope of what they trained for. This puts a lot of organizations in a tough spot when it comes to negotiations and successful adoption of IT solutions.

By leading any future implementation discussions with the topics mentioned above, you can be confident you’re leaving no stone unturned when it comes to the deployment of IT solutions within your facility.

This article was originally published on Ensocare and is republished here with permission.