Tips to Selecting a Vendor—Don’t Compromise on Security


TriageLogic

By Ravi K. Raheja, MD

The average cost of a data breach in the United States has hit an all-time high of 7.35 million dollars. Just this year, there have been more than one hundred hacker attacks on healthcare organizations, according to the U.S. Department of Health and Human Services. Despite better awareness among healthcare organizations, data breach costs average 408 dollars per record. Cybercriminals attack with weaponized ransomware and phishing emails, and by exploiting misconfigured cloud storage buckets.

Hidden costs in data breaches are difficult and expensive to manage, resulting in customer turnover, reputation damage, and increased operational costs. Knowing where the costs lie, and how to reduce them, can help companies invest their resources more strategically and lower the huge financial risks at stake.

While looking for cost-saving solutions is important for any business, it is critical to make sure your vendor partners also meet the same stringent criteria on data security. This extends to your outsourced, after-hours services as well. Not doing the proper due diligence can lead to significant risk in terms of data loss and security.

Here are a few critical questions you should consider when selecting your partners in healthcare:

  1. Do you have a chief information officer (CIO) who oversees the security program?
  2. Do you have a formal security compliance program in place with yearly audits?
  3. Is the vendor URAC accredited so there is a third party auditing the triage call center policies and procedures to ensure they are followed?
  4. Does the vendor sub-contract services? If they do, are the proper BAAs (business associate agreements) and contracts in place?
  5. What are the limits of their data breach insurance policy?
  6. Is the data center infrastructure set up to maximize data protection along with regular scanning of the software and servers?
  7. Does the vendor have an intrusion detection system to alert on potential threats?
  8. Does the vendor have adequate IT resources to monitor all systems and to respond quickly to any potential threats?
  9. Do the products meet HIPAA, HITECH, and other security requirements?
  10. Do the security reports meet all auditing and HIPAA reporting needs?
  11. Do you have a formal HIPAA training program for all staff members?
  12. Does the data center where the data is stored have proper security certifications?
  13. Is the patient data secured at all times and in all modules of the product? (This must include strong password protection or other user authentication, data encrypted at rest, and data encrypted in motion.)
  14. Is the patient’s data secured when accessed via handheld devices, such as through SSL-secured websites, iPhone apps, and so forth?

If the answer is no to any of the above questions, then it may be an indication that you should look deeper and compare vendors before selecting one that will protect your patient data properly. Don’t be afraid to dig deeper and ask vendors questions if you have any concerns. Remember, it is a lot harder to change vendors once you implement a program than to ask questions and make sure that you have the best system in place for your needs.


Ravi K. Raheja, MD is the COO and medical director of the TriageLogic Group. Founded in 2005, TriageLogic is a URAC accredited, physician-led provider of high-quality telehealth services, nurse triage, triage education, and software for telephone medicine. Their comprehensive triage solution includes integrated mobile access and two-way video capability. The TriageLogic group serves over 7,000 physicians and covers over 18 million lives nationwide. For more information visit www.triagelogic.com and www.continuwell.com.

For feedback and questions, please feel free to contact Ravi at ravi.raheja@triagelogic.com.