Ever feel like your efforts to avoid compliance liability just turned into a game of hot potato? Is it a vendor responsibility (business associate or other third party) or yours? Consider cloud service providers (CSPs) as an example. Maintaining HIPAA compliance brings unique challenges to anyone working in or with the cloud. Don’t assume your vendor – aka BA – knows what’s needed.
I have a friend who is developing an app for the hospitality market. His initial idea seems to be a good one – he’s got investor backing, and he’s working with a reputable development company. The app is being developed in a cloud environment. He’s been presented with design specifications by his developers and approved them.
And – he wants to accept credit cards, so naturally, I asked him what he’s doing about PCI compliance. He told me he has no idea – but that since the developers know that he wants to meet the standards, he’s sure that it’s built-in.
No, no, a thousand times no! It’s not the developers’ job to ensure that the business owner’s app does what’s required for credit card processing. It’s not the cloud service provider’s (CSP) job to make sure that you can comply with the HIPAA Security Rule.
Compliance liability is your organization’s job.
So – you, not the developers, not the CSP, need to make sure that HIPAA Security Rule requirements are met. You need to understand:
- How does the CSP handle encryption and data backup?
- How does the CSP secure its environments – both physical and virtual?
- How does the CSP restrict its employees’ access to your data and machines?
That last point is important because most, if not all, CSPs log transactions and retain that information somewhere. So – do you know:
- Are they reviewing it?
- Can you get access to the logs?
- Is there an additional cost?
There’s nothing wrong with CSPs in and of themselves. I’ve seen organizations move from in-house IT shops to CSPs “for greater efficiency.” Some organizations replace managed service providers with CSPs for the same reasons. That’s all good – but there still needs to be someone in your organization who manages your relationship with the CSP, understands how they provide your services, and what those services are. Remember – compliance liability!
In fact, you may want to look into how you can build service levels into your Business Associate Agreements that help ensure HIPAA compliance when working with vendors.
Those concerns are not limited to HIPAA. SOC 2, HITRUST, and most cyber liability insurance policies call out vendors as key players in your organization’s risk profile: their reliability, the need to assess the external threats they bring with them, and the ongoing relationship itself.
How do you begin to manage the risk vendors bring to your organization?
Vet them at the outset as part of due diligence prior to the contract. Vet them again and again, at timely intervals.
Here are a few ideas to help you manage vendor compliance liability:
- Vet vendors early and often. Make due diligence a repetitive activity. Regular reassessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.
- Make your vendors prove that they train their workforce on issues you think are important. Isn’t your third-party partner part of your operations? Don’t they affect your ability to conduct business successfully? Think about how you can identify your most important training issues and push them to include them in their training. That speaks to assuring competency, by the way.
- Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they have to do with a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it is to grow from a manageable security incident into a major security breach.
The risk to you, your customers, your information, and your ongoing business from third-party vendors is real. Just a moment ago, I took a look at the OCR’s Wall of Shame to find that business associates were held responsible for a full 33% of the 895 breaches of 500 or more that the OCR is currently investigating. Wouldn’t you say that it’s in your best interest to be careful in how you manage any potential vendor compliance liability?