Transcription

1 TOP 10 Security Questions

2 Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information (PHI) handling. Security is the most essential component for the storage of PHI and handling release of information (ROI). Vendors responsible for safeguarding information must make significant investments to ensure the highest level of security. As a healthcare facility, it is important to know whether a vendor s security measures are stringent and to what degree. Here is an overview of the top 10 security questions to ask.

3 1 What steps does your company take to maintain a high level of security? An aggressive approach should be implemented to secure the transfer of PHI. Security programs should include three main components: 1) End user awareness and security training 2) Internal validation 3) Third-party systems and controls validation Helpful Resource: ONC s Guide to Privacy and Security of Electronic Health Information

4 2 How does your security team ensure security is exceptional? Risk management relies heavily on the education and training of employees. A workforce should be properly trained on: HIPAA rules and regulations Breach notification Implementation and enforcement of security policies and procedures Understanding the ROI process protects facilities from financial and reputational harm.

5 3 What certifications or experience have members of your security team achieved? Security certifications are ideal for an in-depth understanding of the systems utilized and how to best safeguard PHI against internal and external threats. Additionally, best practices are taught within certification programs. Examples of certifications that can be achieved: CISSP CBCP CISA Lean Six Sigma

6 4 How is your team constructed to make security and protocols work? Having both executive support and cross-functional teams ensures that the various department-specific security requirements are taken into account. Utilizing legal counsel to stay abreast of all state and federal regulations ensures security efforts align with all requirements.

7 5 What types of internal security audits are performed? Engaging in internal security audits throughout the year on all controls and systems is taking a proactive approach to combat vulnerabilities. Performing internal security audits is a way to measure the performance of a security and compliance platform. Examples of internal security audits: Regularly scheduled vulnerability scans of all systems Rule sets and scans that correlate security alerts and events Diagnosis and recommendations of security fixes

8 6 What types of thirdparty security audits are performed, if any? Third-party auditing tests and reviews all controls and validates that they are adequate, helps identify areas that need improvement, and provides information that assists with developing remediation plans to make the environment more secure. Examples of third-party security audits: SSAE No. 16 Type 2 SOC 1 Penetration Testing

9 7 Were deviations in your controls and objectives found in your third-party audit report? Deviations could negatively affect the opinion letter and a vendor s internal systems and controls. Typically, there are four types of audit objectives in any type of audit: Define and test controls Verify proper procedure was followed Determine risk of audit error Write audit opinion Nothing can offer a stronger validation than the validation received by a third-party auditor.

10 8 What are your financial security standards? The Payment Card Industry Data Security Standard (PCI DSS) is for organizations that handle branded credit cards from the major card brands. Compliance with the PCI DSS means that systems are secure, and medical record requesters can trust the vendor with their sensitive credit card information.

11 9 Do you have a Disaster Recovery Plan? You should! A disaster recovery plan guarantees the recovery of PHI. It outlines, in detail, the business continuity and should include contingency operations in the event of a complete shutdown of the primary data processing center. The disaster recovery plan and results should be audited by a reputable independent third party.

12 10 How do you monitor your systems? The vendor s data center operations team should conduct monitoring 24 hours a day 365 days per year to ensure the health, capacity and availability of the systems, and provide fast and reliable delivery of medical record requests.

13 Compliant, Engaged and On the Forefront of Security Ultimately, your vendor should have state-of-the-art technology and layers of security to achieve the highest level of security for PHI. They should ensure they remain compliant, engaged and on the forefront of security rules and regulations. The HIPAA Security Rule has safeguards in place to protect the people, information, technology, and facilities that providers rely on to achieve your primary mission of helping patients. For information on HealthPort s state-of-the-art technology or any of our innovative health information management tools, please visit

14 Did you enjoy this ebook? Share it with your friends: