To satisfy the Health Insurance Portability and Accountability Act (HIPAA) healthcare vendor management must be implemented. Healthcare data breaches are on the rise, and many of the incidents of late were the result of poor vendor management. With the increase in vendor breaches and widespread confusion surrounding vendor management, the Department of Health and Human Services (HHS) recently released new guidance to clarify healthcare organizations’ obligation to ensure that their vendors are HIPAA compliant. The following are steps healthcare organizations can take to mitigate their risk of a vendor related data breach.
- Vet Vendors
Healthcare vendor management requires organizations to vet their vendors before transmission of PHI is permitted. To vet vendors, they must complete a HIPAA security risk assessment (SRA). Completing an SRA allows the vendor to identify gaps in their security practices. Before an organization can work with a vendor, the vendor must fix any gaps identified by the SRA with remediation plans. Additionally, the SRA must be repeated annually to account for any changes in business operations.
Having a signed business associate agreement (BAA) is not enough. The Department of Health and Human Services (HHS) mandates that healthcare organizations do their “technical due diligence” when choosing a vendor to work with. If an organization fails to send out an SRA to their vendors, they are not satisfying the law. In the event of a vendor breach, both parties would be considered liable without an annual SRA.
- Create Unique Accounts for Vendor Support Reps
Access management is required by HIPAA. Access management controls who can view what information. This requires providing each user with unique login credentials. Assigning unique login credentials allows an organization to attribute certain activities with specific individuals. This way if an employee is accessing data with malicious intent, it will be easy to identify which user did so.
- Stick to the “Minimum Necessary Rule”
Many organizations give vendors full network access since it can be difficult to isolate networks to create adequate access controls. However, vendors should only be given access to servers or databases they need to perform their job functions. The HIPAA “minimum necessary rule” states that individuals are given access to only the PHI they need, specific to their job roles. Organizations can implement tools such as Vendor Privileged Access Management (VPAM) to accomplish this. VPAM allows organizations to delegate different levels of access for vendors depending on what information they need to view. This mitigates the risk of breaches as vendors are not given full access across an organization’s entire network. Without VPAM, a vendor that experiences a malware attack would compromise all of an organization’s data.
- Healthcare Vendor Management Requires Vendor Auditing
Organizations must also audit vendors to track activity. Keeping logs of activity allows organizations to determine the accepted level of activity for different users. Logging facilitates detection of unusual activity, preventing data breaches.
Good healthcare vendor management can make a big difference in an organization’s cybersecurity. Healthcare organizations must be aware of their cybersecurity practices as well as their vendors’ cybersecurity. Healthcare vendor management is not only required by law, it also limits the risk of experiencing a vendor related breach.
Do You Need Help with Healthcare Vendor Management?
Compliancy Group can help! Our cloud-based compliance software the Guard™ has everything you need to vet your vendors, document your due diligence, and provide you with business associate agreements. Find out how Compliancy Group can help you Achieve, Illustrate, and Maintain™ HIPAA compliance!
