Healthcare solutions and software vendors spend a lot of time completing vendor security assessments. It can be tough answering and explaining the same security questions for multiple healthcare providers.
One of the objectives of the OpenVRA is to provide one standard set of questions for assessing security and compliance. We believe that by asking concise questions mapped to regulatory standards we can improve the vetting process and make it easier for vendors to complete security assessments.
See how your security profile looks to healthcare providers. Take our free initial assessment today and learn about your largest security concerns.
Most hospitals and health systems rely on hundreds of vendors. These vendors provide a wide array of solutions to hospitals, from marketing tools and billing, to patient engagement and medical imaging. Since sensitive data is often shared, these relationships can create additional risk for the hospital.
When selecting a new vendor or software solution, most healthcare providers issue a Vendor Risk Assessment. Assessments typically include many questions for vendors to answer regarding organizational structure, policies and procedures, and technical architecture that may affect security and regulatory requirements such as HIPAA. Healthcare vendors must typically prove that they have a robust security program and do not pose a risk to the hospital’s security, and they are often reassessed on an annual basis.
Vendors should have a robust security program in place that addresses security and regulatory standards. Security teams should address all required safeguards of HIPAA/HITECH and the FDA (if applicable). This means that administrative policies should be in place, Business Associate Agreements (BAAs) should be signed, and technical safeguards should be implemented.
When answering Vendor Risk Assessments, vendors should be honest with their answers. Healthcare providers are looking to work with vendors that will follow through on security processes. Vendors should also be prepared to clarify any answers and share any requested documentation on policies, audits, etc.
Organizations must create and review administrative policies for their security program. Policies should be built around the organization’s structure and technologies, and detail safeguards such as employee training, risk assessments, and periodic reviews of compliance standards.
Organizations must define technical controls and implement all safeguards necessary for complying with applicable regulatory standards such as HIPAA and FDA Part 11. Solutions should be implemented for requirements such as encryption, disaster recovery, and intrusion detection.
Organizations should evaluate business relationships and have a business associate agreement (BAA) in place with all applicable software vendors. Teams should limit access to production data and protected health information (PHI) to only the staff who need it.
Healthcare organizations typically provide vendors with a vendor risk assessment or security questionnaire to be completed during any potential procurement and adoption of new solutions. Navigating these questionnaires can be difficult, but doesn’t need to be impossible. Take our free vendor assessment to see where there are gaps in your security program, and prepare for procurement with healthcare providers.
OpenVRA is a framework for healthcare providers and healthcare vendors to share security information. By providing a standard set of security questions, we believe we can make vendor risk assessments easier for vendors and help organizations improve their security programs.