August 23, 2021 // Joel Burleson-Davis // Last Updated: September 08, 2021
Let’s face it: When it comes to data security, ensuring your company’s compliance can be a headache, no matter the industry. Unfortunately, this problem is made even worse by the realization that compliance requirements extend beyond your internal operations. In other words, if your third-party vendors aren’t compliant, neither are you. To lighten your load a little bit, here’s a guide for those in the health/medical, financial, and government-related industries to help you make sure your third-party vendors are as compliant as you are.
The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) are two sets of regulations that ensure the confidentiality, integrity, and availability of physical or electronic personal health information (PHI/ePHI). In essence, they are the foundation for compliance in the healthcare industry. Any company that handles PHI and/or ePHI is responsible for assuring HIPAA/HITECH compliance internally, as well as with any third-party vendors with access to personal health data.
Insufficient data security measures are a real threat to medical patients around the country, as 56% of provider organizations have experienced a third-party or vendor breach. In order to protect against third-party breaches, the HITECH Act introduced legislation in 2013 aimed specifically at regulating vendors under the larger HIPAA umbrella. In the legislation, vendors are referred to as business associates (BAs). Anyone who has been granted access to PHI/ePHI is required to comply with all HIPAA regulations, and the same goes for any party that has PHI/ePHI passing through its systems. Before being granted access to PHI/ePHI, third-party vendors must sign a business associate agreement (BAA), which contractually binds them to HIPAA compliance.
However, staying compliant in a large network that includes many third-party vendors can be difficult. Here are some tips to help maintain compliance:
The end goal of HIPAA and HITECH regulations is to keep patient data safe, not to make things more complicated for healthcare organizations; but keeping patient data safe is a lot easier said than done. After all, many healthcare facilities are still collecting patient information manually, so maintaining HIPAA compliance is already exhausting from the start of the patient experience. Fortunately, there are solutions that allow healthcare teams to think smarter, not harder, about how to remain compliant while also ensuring the privacy of their patients. HIPAA-compliant online forms make collecting sensitive patient data quicker and safer for both the patient and hospital staff. Online forms can also be used to get patient signatures and documentation, and they integrate with most HIPAA-compliant software that already exists in healthcare IT systems. There are also HIPAA-compliant online BAAs to make it easier for hospitals to track agreements across large networks of third-party vendors.
PCI DSS is a sweeping set of industry standards that applies to any business that accepts credit card payments. It aims to keep financial information secure, and it works: in 2019, Verizon reported that it had never investigated a payment card data breach at a PCI DSS-compliant company.
Our blog has previously outlined the specifics of the four merchant levels of compliance classification, but the heart of PCI DSS compliance comes from 12 mandatory security controls. Adhering to these five controls, in particular, can help you ensure the compliance of your vendors:
The FBI’s Criminal Justice Information Services (CJIS) represents one of the most substantive sets of cybersecurity standards in any industry. CJIS requires that any entities that access or manage sensitive US Justice Department information follow strict compliance guidelines to protect national security while preserving public civil liberties. Wireless networking, data encryption, and remote access comprise the backbone of CJIS policy.
If a company does not have the capacity to undergo extensive audit procedures (including that of their third-party vendors), it is not CJIS compliant.
In order to stay compliant, businesses and government entities must meet the requirements for these 13 security policy areas:
Fine-grained, per-user access control is key to ensuring CJIS compliance.
Depending on your industry, specific rules of data security compliance can vary greatly. But the one constant that remains, no matter what, is that when your vendors aren’t compliant, you’re not compliant. Many data breaches and ransomware attacks start with vendors’ access to networks, applications, and servers, so here’s our best piece of advice:
Cover your bases (and protect your data) by vetting your vendors before bringing them on, and invest in software that’s equipped with comprehensive third-party audits and other technical controls. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.