8 Critical Data Security Questions to Ask ACP Solution Vendors
Right now, healthcare payers and providers are searching for an advance care planning (ACP) solution that checks all the compliance boxes. Many think complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is enough to pass the litmus test for choosing a third-party ACP vendor. But they are mistaken.
“‘Are you HITRUST® certified?’ That’s the very first question I would ask a potential advance care planning solution vendor.”
– Scott Brown
Keeping your patients’ and members’ data and privacy safe from today’s ever-emerging cyber threats makes choosing the right ACP partner even more critical.
HIPAA compliance isn’t enough.
HIPAA establishes national standards to protect individuals' protected health information (PHI), but it lacks critical validation requirements relating to the policies and procedures necessary to measure and improve data and privacy protection. That’s why many third-party vendor management professionals, and their organizations, are turning to the gold standard in evaluating healthcare data security – HITRUST Certification.
Vendor risk management, data security and privacy, and quality audits are key factors to consider when choosing a digital ACP solution partner. Understanding how fully a vendor is committed to doing what it takes to meet the healthcare industry’s highest data security, privacy, and compliance requirements is crucial.
HITRUST Assessment and Certification can be a daunting and expensive investment of time, manpower, and resources for vendors of all sizes. That’s why few are willing to make the commitment. But when they do, you can be confident those vendors offer tremendous value.
So, how do you know if a third-party ACP solutions vendor is HITRUST certified?
Ask for proof. Once an organization completes the rigorous HITRUST validation process, it is issued physical certification. Requesting proof of any level of HITRUST certification is standard practice, and strongly advised. If the vendor you select cannot produce proof that its organization and systems meet these criteria, you are putting both your company and your customers at risk.
“No healthcare company should go without HITRUST certification.”
– Jim Farrell for MedCity News
If a third-party vendor is not HITRUST certified, do your due diligence before taking any further steps. Press them on the eight data privacy and security capability criteria that matter most. If their organization and systems don’t meet these standards, you could be making a risky decision.
What are the eight privacy and security questions to ask a potential ACP solution partner?
Question 1: Configuration Management
Question to ask: Is your ACP system configured and maintained so that it consistently meets performance expectations?
Why it matters: Prevents unexpected service issues, system inconsistencies, and compliance problems that may result in regulatory fines and penalties.
Question 2: Vulnerability Management
Question to ask: Are protections in place to ensure that patient, resident, and member personally identifiable information (PII) / PHI data and ACP information are safe from cyberattacks and data breaches?
Why it matters: Identifies and assesses potential security weaknesses so the vendor can block attacks and minimize damage should one occur.
Question 3: Data Security
Question to ask: How do you apply physical and technology protections to guard against insider threats, human error, and cyber criminals?
Why it matters: Protects digital information from unauthorized access, corruption, or theft.
Question 4: Backup and Restoration
Question to ask: Are periodic backups made of the PHI/PII and ACP data and applications to a separate, secondary device for reliable restoration?
Why it matters: Minimizes business impact of loss or damage due to power outage, cyberattack, human error, disaster, or some other unplanned event.
Question 5: Physical Controls
Question to ask: Do you have well-defined, verifiable physical security measures in place to protect PHI/PII and ACP data?
Why it matters: Deters unauthorized access to sensitive material via a combination of cameras, keypads, alarms, guards, picture IDs, locked doors, and biometrics.
Question 6: Policies and Procedures
Question to ask: What rules, policies, and procedures do you have in place to establish minimum information technology security and data protection requirements for your company and ACP systems?
Why it matters: Ensures employees understand the role they play in data security and privacy, what is expected of them, and steps they can take to protect sensitive information.
Question 7: Human Resources Security
Question to ask: Are the right people engaged in the correct work, with the proper access and security clearance for their ACP system roles and responsibilities?
Why it matters: Makes sure everyone in the organization is appropriately qualified, screened, and trained to conduct their work with sensitive PHI/PII data.
Question 8: Access Controls
Question to ask: Does your company have sound controls in place to grant the appropriate level of access to confidential PHI/PII and ACP information based on device, location, and role context?
Why it matters: Reduces risk of data exfiltration by employees, bad actors, or unauthorized users and impedes web-based threats.
If you are facing one or more of the third-party risk management program (TPRM) challenges described in TPRM is Broken, then we suggest you start with a HITRUST-certified organization and its applications.
At ADVault, we are pleased to demonstrate to our customers the highest standards for data protection and information security by achieving the rigorous HITRUST Risk-based, 2-year Certification.