Security and privacy requirements are specified in a variety of federal regulations that apply to healthcare organizations (HIPAA), financial services firms (GLBA), payment card merchants and processors (PCI DSS), and defense contractors (CMMC). Security frameworks developed by NIST, ISO, and similar associations offer security measures and data protections that are widely accepted in most other industries.
Many of these regulations and frameworks suggest that similar security and privacy maintenance measures be adopted by vendors who do business with regulated organizations. In the case of healthcare, HIPAA law requires it.
What is a Vendor or Business Associate?
A vendor is any supplier, whether of services or goods, who works on behalf of an organization. The security issue comes into play when the vendor handles sensitive data for the organization or personally identifiable information (PII) for customers, employees, patients, or other stakeholders the organization is obliged to safeguard.
In the healthcare industry, vendors are referred to as Business Associates (BA), but the concept is the same. Any and every BA who handles protected health information (PHI) or PII on behalf of the healthcare organization is required by HIPAA law—specifically the HIPAA Omnibus Rule of 2013—to meet the same security and privacy standards as the organization itself. This holistic approach is the best way to ensure that an organization’s data is protected throughout its lifecycle.
In healthcare specifically, BAs may be health plans or health insurance firms, medical billing companies, accounting and legal firms, transcription services, cloud and physical storage services, data processing firms, information technology companies, document destruction services, or any other service or equipment provider that manages PHI or PII on behalf of the healthcare provider.
It is important to note that the requirements for vendor security or BA security may also extend to their sub-contractors.
Vendor / BA Responsibilities
For our purposes here, we’ll talk about BAs, with the understanding that there is similar applicability to vendors in other industries.
A BA is responsible for the security and privacy of the data it manages on behalf of a healthcare organization. Therefore, in the event the data is lost, stolen, ransomed, or otherwise disclosed without permission while the BA was handling it, the BA is directly liable for the data breach.
Blurred Lines. However, as with all data processes, the lines can become blurred between the organization and the BA. Who was actually handling the data when it was breached? Were both the BA and the provider culpable? These questions may arise, and generally, no company wants to accept full responsibility if it can be shared.
OCR Fines. The Office for Civil Rights (OCR) is the HIPAA enforcement arm of the U.S. Department of Health and Human Services, and routinely investigates complaints against BAs as well as healthcare providers. Depending on OCR findings, the BA may be fined, the organization may be fined, or both may be fined.
Since the enactment of the 2013 HIPAA Omnibus Rule, OCR financial penalties have spotlighted the importance of executing, reviewing, and updating Business Associate Agreements to better ensure data security.
To avoid unwelcome experiences, a vendor security review or BA security review is a valuable tool for organizations to reassure themselves that their vendor or BA is safeguarding PII or PHI as required by prevailing regulations.
Vendor Review Basics
A vendor security review (or business associate review in the healthcare industry) is essentially a security risk assessment. It is the same evaluation process a healthcare provider must undergo on a regular basis to meet HIPAA compliance requirements, and the same process a financial institution must undergo to meet GLBA or FFIEC requirements.
Security risk assessments include internal and external reviews. An external security review looks from the outside into the vendor’s network. This is done by scanning all of the vendor’s IP addresses, as an attacker would, to identify security vulnerabilities that could be exploited. An internal review evaluates the security of the vendor’s laptops, desktops, servers, and other devices where PHI or PII may reside. Vulnerabilities in devices may result from misconfiguration, missing patches, unsupported software or hardware, or other issues.
In sum, a vendor security review identifies the assets (laptops, desktops, servers, networks, and other security devices); risks associated with the assets; mechanisms the vendor has in place to manage those risks; and how those mechanisms are documented and managed. The review provides a complete picture of the overall risks, and recommendations for addressing them, at the vendor level.
A BA review will also assess the security around smart medical devices that collect, transmit, store, or otherwise manage PHI. Ultrasound machines and other networked or digital testing equipment are examples of such devices.
Three Advantages of a Vendor Security Review
A vendor (or BA) security review gives your vendor, and your organization, three valuable advantages in terms of security, compliance, and risk.
- More Complete Data Security. A review confirms the adequacy of your vendor’s security and privacy safeguards and data protection measures. By discovering missing security elements, the review enables the vendor to address vulnerabilities and make their security more complete.
- Improved Regulatory Compliance. A vendor review facilitates and improves compliance with security regulations governing the protection of PII and PHI, as well as best practices for securing other sensitive or proprietary data. For healthcare providers’ business associates, compliance with the HIPAA Security and Privacy Rules can be significantly improved.
- Reduced Data Breach Risk. By resolving vulnerabilities found in the review, the vendor can reduce opportunities for unauthorized intrusion, exploitation, data theft by criminal hackers, data ransom, and other costly data breaches. As a result, the vendor’s return on their security investment (ROI) is clear and real.
Summary
Vendor security reviews are security risk assessments that are conducted periodically and documented for findings and remediation activities. They are required by the leading security frameworks, including NIST and ISO/IEC 27001, and a variety of industry regulations governing financial services and healthcare, to name two. Penalties for failure to comply are common, and in the healthcare industry findings of non-compliance and financial settlements are publicized by the Office for Civil Rights.
A qualified Virtual Chief Information Security Officer, or VCISO, has the experience and expertise to assist you with your vendor or BA security review. He or she will assess the risks, document and prioritize them based on severity, and provide actionable recommendations for risk remediation. To learn more, reach out to the 24By7Security VCISO team at 844.552.9237 or click the link below.