Often, the use of service providers and IT suppliers creates an unacceptable potential for operational disruption and puts ePHI security at risk. 

Thus, it is worth carrying out a vendor security assessment to ensure healthcare cybersecurity. 

Questionnaire for selecting ‘secure’ vendor: Vendor security assessment checklist

Dear IT vendors, this is important to you because healthcare entities would ask the following questions before purchasing your service or product.

1) Risk Assessment and Treatment 

❏ Does your organization have any risk assessment program? If yes, would you please describe it? 

2) Security Policy 

❏ Do you have an information security policy and procedure? If yes, are you making it available to your clients and employees? 

❏ Do you notify the clients when you make any material changes to it? 

❏ Do you have a physical security program?  

3) Organization of Information Security

❏ Do you have a Chief Privacy Officer (CPO) in your organization? 

❏ Do you have an information security function responsible for security initiatives within the organization?

❏ Do you define and document security roles and responsibilities for employees in accordance with the organization’s information security policy?

❏ Do you provide clients with documentation on how you maintain segregation of duties within your environment?

❏ Do you have established policies and procedures and implemented measures to strictly limit access to sensitive data from portable and mobile devices, such as laptops, cell phones, tablets, and personal digital assistants (PDAs)? 

4) Human Resources Security 

❏ Do you carry out background checks on applicants? If yes, do background checks include criminal, credit, professional/academic, references, and drug screening?

❏ Do you provide an information security awareness training program to employees? 

❏ Do you have a disciplinary process for non-compliance with information security policy, and are employees aware of the consequences for non-compliance?

❏ Do you have an employee termination or change of status process?

5) Asset Management

❏ Do you have an asset management program? 

❏ Do you have a fair use policy that restricts the way employees are using the network, website, and system?

❏ Do you classify all information assets according to their level of confidentiality, sensitivity, value, and criticality? 

❏ Do you prohibit the use of removable media such as disk drives, USB devices? 

6) Access Control 

❏ Do you restrict access to systems with shared network infrastructure in accordance with security policies, procedures, and standards? 

❏ Do networks shared with external entities have a documented plan detailing the compensating controls used to separate network traffic between organizations? (e.g., VLAN)

❏ Do you follow the process to make sure the accountability for generic/shared IDs?

❏ Do you have information security management systems such as hypervisors, firewalls, vulnerability scanners, network sniffers, APIs? If yes, do you restrict, log, and monitor access to these systems? 

❏ Do you require strong passwords to interact with systems?

❏ Do you require multi-factor authentication for all remote access?

❏ Do you review the access regularly to ensure that access is only granted to authorized users? 

❏ Do you record all remediation and certification actions when users are found to have inappropriate entitlements?

❏ Will you share user entitlement remediation and certification reports with us if inappropriate access may have been allowed to our data?

❏ Do you support identity federation standards (SAML, SPML, WS-Federation, etc.)? 

❏ Do you have a mechanism to prevent unauthorized access? 

7) Cryptography 

❏ Do you manage and maintain encryption tools?

❏ Do you encrypt client data on disk/storage within your environment?

❏ Do you use encryption to protect data and virtual machine images during transport across and between networks and hypervisor instances?

❏ Do you have the capability to manage encryption keys on behalf of clients?

8) Physical and Environmental Security 

❏ Do you have a security mechanism to keep data safe in data centers? If yes, would you please describe? 

9) Operation Security 

❏ Do you have a set of basic security objectives that must be met by every component of your infrastructure (server, firewalls, operating systems, routers, DNS servers, etc.)?

❏ Do you document and maintain operating procedures or SOP? If yes, do you make users aware of it? 

❏ Do you have a formal operational change management/change control process?

❏ Do you review system resources to ensure sufficient capacity is maintained?

❏ Do you isolate sensitive data by logically separating system and network environments? 

❏ Do you use antivirus and anti-malware products?  

❏ Do you perform system backups? 

❏ Do your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?

❏ Do you restrict physical and logical user access to audit logs?

❏ Do you conduct regular external audits as prescribed by industry best practices and guidance? 

❏ Do you perform periodic assessments of your environment (SSAE 16, ISO27001, Third Party audits)?

❏ Do you patch all systems and applications? 

❏ Do you update the signatures, lists, or behavioural patterns of the security threat systems? 

❏ Do you perform regular vulnerability tests (internal/external) on all applications, networks, operating systems?

10) Communication Security 

❏ Does your wireless network use secure authentication? 

❏ Do you have a mechanism to restrict unauthorized traffic? 

❏ Do you have established controls in place to protect client data stored via cloud services?

❏ Do you require non-disclosure agreements?

11) Systems Acquisition, Development, and Maintenance  

❏ Do you provide open encryption methodologies (3DES, AES, etc.) to clients in order for them to protect their data if it is required to traverse public networks (e.g., the Internet) or if your infrastructure components need to communicate to each other over public networks?

❏ Do you implement data input and output integrity routines (i.e., reconciliation and edit checks) for application interfaces and databases to prevent manual or systematic processing errors or data corruption?

❏ Do you use an automated source-code analysis tool to discover code security defects before production?

❏ Do you and your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

❏ Do you have established criteria for accepting new information systems, upgrades, and new versions? 

12) Supplier Relationships 

❏ Do you monitor and track third-parties who access our data? 

❏ Do you restrict third-party vendors such as backup vendors, service providers, equipment support vendors from accessing our data? 

❏ Do your sign agreements with service providers and third-parties that require them to adhere to your information security and privacy policies? 

❏ Does legal counsel review all Third Party agreements?

❏ Do you have a vendor selection process to evaluate vendor security controls regarding data security, reliability, and performance? 

❏ Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?

13) Information Security Incident Management

❏ Do you have an incident management program? If yes, would you please describe? 

❏ Do you document roles and responsibilities, specifying what you and your clients are responsible for during security incidents?

❏ Do you implement file integrity (host) and network intrusion detection (IDS) tools to help facilitate timely detection, the investigation by root cause analysis, and response to incidents?  

14) Information Security Aspects of Business Continuity Management

❏ Do you have a Business Continuity/Disaster Recovery (BC/DR) program? If yes, is it tested? 

15) Compliance 

❏ Do you conduct regular internal audits as prescribed by applicable federal and state laws? 

❏ Do you have regulatory bodies that supervise the company? 

❏ Do your information security and privacy policies align with particular industry standards (ISO27001, CoBIT, ITIL, etc.)?

❏ Do you have a records retention policy?

❏ Do you have documented policies or procedures to ensure that our data is only collected, stored, and used for the purposes it was collected?

❏ Do you have written procedures to process our questions, complaints, and requests to access, correct, and delete data?

❏ Do you have appropriate administrative, physical, and technical safeguards to protect privacy data in accordance with all privacy applicable laws?

❏ Do you have documented procedures to notify us if there is any data breach incident?

❏ Do you have internal or third-party review procedures to verify compliance with privacy applicable law, policy, and practice prior to establishing a business relationship?

❏ Do you instruct employees and third-parties to immediately notify the appropriate individual in the organization if our data has been lost, accessed by, used by, or disclosed to unauthorized third-parties? 

❏ Do you provide formal privacy training to employees and third-party service providers who may access and use our private data?  

❏ Do you have documented breach notification procedures? If yes, does it ensure that we get notified immediately when a data breach occurs? 

❏ Do you review your policies and procedures at least every 12 months?

❏ Do you have an independent audit function within the organization? 

Yes, the assessment for healthcare entities and policy-making for IT vendors are tedious tasks. Thus, we helped both.

• If you're a healthcare entity, we help you save time and efforts by executing vendor risk management on behalf of your team and deploy an entire ecosystem to ensure ePHI security. 
• If you’re IT vendors including healthcare app owners, we help you document policies and procedures within a month. (Following is the real project timeline we’re currently working on.)