
In an increasingly interconnected and data-driven world, the importance of rigorous vendor vetting cannot be overstated. A vendor ticking a box to say it uses a framework for data security and compliance isn't enough anymore. Vetting is a critical due diligence process that helps clients build secure, compliant, and mutually beneficial business relationships, minimizing risk and improving overall business performance. And after the recent Change Healthcare attack, vendors can expect more rigorous questionnaires from their clients, along with heightened expectations for transparency and accountability in how they handle sensitive information.
In this episode:
Vendors Surprised By Vetting – Ep 451
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
The HIPAA Privacy and Security Boot Camp
3.5 day In Person Event
April 9, 10, 11 and 12, 2024
PriSecBootCamp.com
Emails
[07:11] We have had a technical issue with the email recently. Technical being Donna wasn't seeing them at all and David... well... Let's just move on.
March 18 – Ben – Long-time(ish?) listener to the pod here. Can you speak to the inclusion of SAFER Guides attestations in the Medicare Promoting Interoperability Program requirements beginning last year, and whether this might be affected by the arrival of the HPH CPGs?
SAFER Guides are the current evolution of the original Meaningful Use requirement for SRAs. They are set by the ONC, which falls under HHS, so the CPGs will definitely come into play in some way if/when they are mandated. For now, though, the only way they will matter is if ONC updates the self-assessments. But the fact that nothing in there has been updated since, I think, 2016 could mean it will get reviewed and updated soon.
March 11 – Tom – Long time listener and you guys have such creative ways to teach and share the information….awesome podcast.
My question is for Donna,
On numerous occasions you mentioned showing your license but not for copying.
Do you have a list of "patients' rights"? Please provide a link to prove it (got to prove it, prove it).
There is a patient bill of rights that has been around since the 90s. The Clinical Center Patients' Bill of Rights is just one publication of it, and it says nothing about a requirement to allow copying of identification. I understand there are a lot of good reasons to have a copy to confirm my face is indeed me. But, if you want that, you can take a picture for your records.
Tom, you are asking me to prove a negative. My question is always: where can they prove I should give them a copy of it? There isn't a regulation that requires it, nor one that requires my Social Security number.
March 8 – Jennifer – In regards to Minimum necessary – when we refer a patient we typically only send what is related for the reason of referral. What do we do with specialists that want 6 months of notes that may not be related to the reason for referral? Is this a violation of minimum necessary?
When sharing between providers, the provider requesting information can ask for what they think they need to treat the patient. If they think they need it, you are meeting the minimum necessary standard. Keep in mind that the Privacy Rule itself exempts disclosures to, and requests by, a health care provider for treatment purposes from the minimum necessary requirement (45 CFR 164.502(b)(2)), so a treatment request from a specialist is not a violation on your part.
HIPAA Say What!?!
[18:16] More thoughts on the impact of the Change Healthcare attack, which we are still dealing with. A couple of additional notices were released by the AHA that should be noted. First is a survey, and then some recommendations on dealing with the possibility that breach notifications will be required. There are some interesting numbers in the survey, but the most important one is that 74% of hospitals report a direct impact on patient care. Impact on patient care makes this attack the impetus for major changes in the sector across the several issues it has raised.
Change Healthcare Cyberattack Prompts Breach Notification Questions
Get your BAAs in order for any BA whose downstream chain leads to Change Healthcare. HIPAA already requires each BA to have its own BAA with any subcontractor that creates, receives, maintains or transmits PHI on its behalf (45 CFR 164.502(e) and 164.504(e)), so ask your BAs to show you that chain. You will want that documentation at some point in your future. The bulletin has some good points and advice.
Vendors Surprised By Vetting
[22:07] It has been almost 6 years since we published our first episode explaining that vendors should get their house in order. We asked then: Ready for extreme vendor vetting? – Ep 150. What we discussed as "extreme" then is child's play compared to what vendors are seeing these days.
Again, 4 years ago we did another episode on vendors being prepared for increased vetting: HIC SCRiM Should Wake Up Vendors – Ep 247. In that one we suggested you work through the recommendations and vetting tools in the newly published Health Industry Cybersecurity Supply Chain Risk Management Guide (HIC-SCRiM).
Once again, in August 2021, we discussed the importance of vendor vetting and that vendors need to get their ducks in a row: 6 Steps for Vendor Management – Ep 317. In that episode we discussed how to use the updated version of HIC-SCRiM to vet vendors. The Health Industry Cybersecurity Supply Chain Risk Management Guide 2.0 gives an even more detailed explanation of why vendor vetting matters, along with exactly the kinds of things you should be asking all of your vendors.
These weren’t the only episodes that discussed the concept and that vendors need to be prepared to answer specific questions AND provide proof. Last year we shared that it was now beyond just being prepared to prove your own program but also to show you are vetting your own downstream vendors – Vendors In Your Breaches – Ep 391.
Over the years we have talked with vendors that we meet through conferences or through referrals. We are not vetting them directly, but we do our best to explain that you don't know what you don't know. We may hear from them from time to time or run into them at another conference or trade show. We always remind them that they should be listening to the podcast, if nothing else. Things are changing and you need to be prepared. We know this kind of stuff isn't something you pull out of a hat in a few days or even weeks. It takes real work and commitment.
Lately, we have seen a rash of those folks who didn't heed our advice calling us up with some pretty extensive vetting questionnaires in hand. Not only are the questionnaires asking whether you follow these standards, they want proof of it! Of course, it is always "our biggest customer" who is asking these questions. They want help to deal with it.
Yes, there is a part of us that wants to live in the "I told you so" moment and gloat, but that helps no one. I will, though, stand firm that we will not drop everything to make this happen, nor will we be able to make it go away easily. The adage that "failure to plan on your part does not constitute an emergency on my part" does get some time in the sun. What we do is give them the plan we would have given them a year ago or even 2 years ago. They get to decide how quickly they work the plan, but they have to do the work. Once they agree to that contract, I will write a letter stating, more or less, that they have engaged us to help them get their house in order. We make it very clear that the letter will not be updated further if they don't do the work.
We do the same thing with groups who come to us when they learn they are under investigation by HHS OCR. We write a similar letter, and when we give it to them we make it clear that there will be a follow-up to confirm they are actually doing the work. We will not provide further letters if they haven't made reasonable progress on the plan.
Here's one thing all vendors need to understand: this new vetting process is no joke. It is well beyond what we started talking about years ago. You need to be prepared for some very specific questions that require proof. It is no longer simply "do you follow the HIPAA Security Rule, mark yes or no". It is also not something your company is too small to worry about, and it doesn't matter that your services don't really require that much PHI. The stats and the news make it clear to covered entities that a weak supply chain can render their own privacy and security efforts moot where their patient data and reputation are concerned.
Oh, and by the way, the Change Healthcare attack will only increase the likelihood that you will see more of these types of questions. So you wonder what we are seeing? Happy to share some recent examples. They come from small companies that provide very narrow services with very little PHI, all the way up to ones that need entire database access in order to do their jobs.
Examples of some recent vetting questions
[32:45] Do you have a formal Information Security Program in place based on a standardized industry framework? If yes, what is that framework?
Provide evidence of the last completed Risk Analysis (summary page or other evidence; the detailed report is not needed).
Do you evaluate risk after major changes, identification of new risks, serious incidents or at least annually?
Provide evidence that employees, including management, receive security and awareness training including periodic updates. This is separate from annual HIPAA training.
Provide a list of all of the Business Associate’s Subcontractors that create, receive, maintain or transmit our PHI in order to fulfill its obligations under the Service Agreement.
Provide a description of how you are prepared to respond to a privacy and/or security incident.
Include the following:
- Details around your ability to notify impacted patients and regulatory agencies.
- Names of any third parties you are contracted with or will leverage to assist in your response effort.
- Names of any third parties you are contracted with or will leverage to assist in your patient and regulatory notifications.
Do you perform security assessments of your vendors?
Do you use a commercially viable OS? Please advise the OS or database backend that is used.
[44:09] Do you have backup procedures in use? What is the RTO and RPO?
Do you utilize patches on your network? Please advise how often they are applied and the patch management process used.
Do you provide vulnerability scanning within your environment? Please indicate the frequency and provide evidence that they are completed on that schedule.
Does your company have an access control system which records who accesses your facilities using all entrances, including the main or front door, side or alternate entrance doors, loading docks or freight elevators, etc.?
Are badge access logs monitored for access activity? Please provide a sanitized report.
Have you tested your Business Continuity and Disaster Recovery plans in the last 12 months? In the notes, indicate the date of the last test
Have you ever completed a Security Risk Assessment? Was it done internally or by a 3rd party? When was the last one completed? Was a remediation plan put in place for any areas of risk noted? Is there a plan to have a follow-up Assessment completed to validate the plan is working as intended? At what frequency are Security Risk assessments completed? Please provide evidence for at least the last 3 years that this has been completed.
Do your policies and procedures include a process for audit/quality assurance checks? Please provide a copy of the QA template/audit tool.
Do you have a fully executed BAA on file with all clients and vendors with access to PHI or PII?
Can you demonstrate administrative/physical/technical security controls are in place in the work environment? This will be validated on site.
Are audit logs of the scans maintained for at least 90 days online and 1 year offline?
Do you have a BYOD Policy? (If so please share, or provide location within other requested documentation.)
Is Teleworking only approved upon assurance of the secure configuration of the home network including secure wireless, a firewall, anti-malware and use of encrypted remote access sessions?
Do you have an annual compliance review in place, including review by management and subsequent remediation, to demonstrate your configuration management policy and procedure is followed?
Are policy and procedures documenting user responsibilities and acceptable behavior including at a minimum email, social media, Internet, mobile devices, telecommuting, and facility usage documented, reviewed and updated annually? Are these policies shared with employees, contractors and other users as appropriate?
Do you perform due diligence, including a security review, prior to granting access to your systems and/or sharing PHI with an external provider? If this provider is a cloud service, do they have a current SSAE SOC 2?
[52:34] Do you perform periodic security reviews to ensure your policies and controls are being followed by contracted resources?
Do you have a documented process for notifying customers of potential compromise to data or services, including timelines for response?
Does your business have an Incident Response Plan to take responsive actions after a security incident or breach occurs including forensic investigation, securing of evidence, notification of authorities, etc.?
Is production Business Critical, Financial and or PII / PHI data and related systems never stored, accessed from or transmitted to location(s) outside of the United States?
This was listed before the questions themselves:
Documentation Request: Please include standards and procedures as relevant and available to demonstrate your security program. Where your policy/process structure differs please indicate in our detailed questionnaire where subject matter may be found. It is understood that some policies may be embedded in a broader one. If so, for specific questions, please annotate the appropriate reference.
(Below are the requested ones)
- Data Classification and Security Policy
- Data Flow / Network Diagram
- Third Party Connectivity Agreement(s)
- Repair and Maintenance Policy
- Patching / Upgrade Policy
- Risk Management Policy
- Information Security Policy
- Breach Response & Notification Policy
- Information Incident Policy
- Business Continuity Policy
- 3rd Party Audit Reports / Attestations
- Privacy Policy
- Acceptable Use Policy
- Encryption Policy
- Password Policy
- Logging Policy
- Network Management Policy
- Anti Virus / Anti Malware Policy
- Staff Security/HIPAA Awareness Policy
- Teleworking/Remote Access Policy
(These were not selected in the request)
- Software Development Policy
- Secure Build/Hardening Policy
- Change Management Policy
- Clean Desk and Clear Screen Policy
- Asset Secure Disposal Policy
- Asset Secure Reallocation Policy
- Physical Access Policy
- Mobile Device Policy
- Access Control Policy
- Access Review Policy
The journey through the maze of vendor vetting underscores a pivotal shift in how businesses approach their external partnerships. Businesses can no longer be complacent about due diligence; they need, and are beginning to embrace, a proactive stance on vetting. The challenge of vendor vetting is not insurmountable. With the right mindset and tools, businesses can fortify their defenses, build trust, and sustain growth in an ecosystem where data integrity and security are paramount.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.TM
Special thanks to our sponsors Security First IT and Kardon.