Posted: April 4, 2019
The Consequences of Choosing the Wrong Vendor
To stand out in today’s hyper competitive environment, a company must set itself apart from its competition by providing the most value to its customers in the most efficient way possible. To do this, most, if not all, companies today use vendors to perform various functions, such as assisting the company in processing, storing, or transmitting sensitive data. While utilizing vendors is necessary in today’s environment, companies should be wise to select the right vendor. A recent incident in the healthcare space exemplifies the risks a company undertakes when choosing to work with the wrong third party.
Recently, it was discovered by a cybersecurity firm that Meditab, a vendor that processes faxes that contain electronic protected health information (“ePHI”) for other healthcare organizations, failed to secure a server that stored and transmitted the faxes. This server, which didn’t require a password to access, stored 6 million unencrypted ePHI records. Since the server was left unprotected and because the ePHI was unencrypted, anyone could read the faxes – and the ePHI contained within the faxes – in real time.
It goes without saying that requiring a strong password to access such sensitive data, as well as encrypting this data, are two of the most basic information security controls that companies should be utilizing. These fundamental errors could result in significant fines and penalties for both Meditab and the healthcare organizations to which the data belonged, depending on the extent to which the healthcare organizations knew of Meditab’s lackluster security controls. It’s important that businesses learn from this case by performing their due diligence prior to engaging its vendors as well as actively monitoring the vendors once the relationships are in place.
Recommended Due Diligence Practices for Vendors
To ensure that the right partner is selected, companies need to perform their due diligence before entering into a relationship with a vendor. However, before performing its due diligence, companies must document, through their own internal policies and procedures, the baseline requirements that future vendors must have in place before being allowed to act on behalf of the company. These requirements should address both the information security-related roles and responsibilities as it relates the vendor’s workforce as well as the controls the vendor utilizes in protecting the data with which it interacts.
The process of documenting these requirements is critical because it enables the company to receive input and buy-in from key stakeholders within the company about the types of security controls the company requires from its vendors. The company should not deviate from these baseline standards, and it should require the vendor, through a written contract, to always comply with these standards and controls. Doing so will ensure that no matter what changes the vendor makes to its business practices, the vendor will continue to adhere to the mandatory controls that are set forth in the written agreement with the company.
Once the company identifies a potential vendor, the company should then perform a risk assessment to determine what sorts of risks that vendor will pose to the company’s information systems and data. To minimize any risks that may be present, the company should require the vendor to identify the information system’s functions, ports, and other protocols necessary for the vendor to perform the contracted-for service(s). All unnecessary system ports, processes, and protocols should be disabled so as not allow the vendor to have more access than that is required for the vendor to perform the agreed-upon service(s).
As the relationship between the company and the vendor progresses, it’s important to monitor the services and security practices that are being performed by the vendor. To that end, the company should conduct regular progress meeting to review various reports, audit trails, security events, operational issues, as well as any failures or disruptions to the service(s) being delivered by the vendor. If during its review the company discovers any red flags, the company should investigate those issues to determine why they occurred and how to best resolve those issues.
Obviously, no company is perfect, and it’s not possible to prevent every bad or negligent act from a vendor. That being said, enacting these practices will establish both a baseline expectation regarding information security as well a process that allows for regular monitoring of a vendor to make sure they live up to their contractual obligations with the company.
Dan Kiehl obtained his Juris Doctor degree from Valparaiso Law School in 2012, and practiced law for three years before transitioning to a compliance-based consulting role allowing him to help a wide variety of healthcare organizations remain compliant with multiple healthcare laws and standards. In addition, he has been instrumental in helping his clients streamline their operations to maximize reimbursement potential with federal and third-party payors.
Dan also has experience auditing various organizations to ensure they remain complaint with both domestic and international marketing laws. In his current role as a CompliancePoint Policy Analyst, he consults with a wide variety of organizations to ensure their privacy and information security policies are compliant with the various regulatory and third-party frameworks (e.g., GDPR, HIPAA, HITRUST, PIC, SOC 2, NIST and ISO).
When not consulting, he provides information security policy insights at http://infosecenforcementpolicy.com. I’ve also authored the following published articles:
• “The Uncertainty of the Implied Certification Theory.” Compliance Today (March 2017).
• Co-authored with Sandra Champion. “Guidelines and Strategies for Navigating Stark’s Physician Recruitment Exception.” Coker Group (November 2016).
• “Remaining Stark-Compliant with the ‘Practice Losses’ and Ancillary Services.” Coker Group (November 2016).
• “Completely Unreasonable: ‘Practice Losses’ as a Basis for Stark Violations in the Era of Value-Based Reimbursement.” Journal of Health Care Finance (Sept. 2016).
Dan has received the JD (Juris Doctor) and LLM (Masters in Health Law) law degrees, as well as attained CHC (Certified in Health Care Compliance), CIPP/US (US-based privacy), and the CECP (Customer Engagement Compliance Professional) certifications.
He is also a veteran of the Iraq war.