The intersection of compliance and third parties: How to stay compliant

March 17, 2020 // Tony Howlett

Last Updated: November 19, 2020

Let’s face it: When it comes to data security, ensuring your company’s compliance can be a headache, no matter the industry. Unfortunately, this problem is made even worse by the realization that compliance requirements extend beyond your internal operations. In other words, if your third-party vendors aren’t compliant, neither are you. To lighten your load a little bit, here’s a guide for those in the health, medical, and financial industries to help you make sure your vendors are as compliant as you are. 

HIPAA/HITECH

Instances of data breaches in the healthcare industry are skyrocketing, thrusting the field into the forefront of data security discourse. 

The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) form the foundation of the requirements that ensure the confidentiality, integrity, and availability of physical or electronic personal health information (PHI/ePHI). 

In other words, if a company handles PHI and/or ePHI, it is responsible for assuring HIPAA/HITECH compliance internally, as well as with any third-party vendors with access to personal health data. Insufficient data security measures are a real threat to medical patients around the country, as 56% of provider organizations have experienced a third-party or vendor breach. 

In order to protect against third-party breaches, the HITECH Act introduced legislation in 2013 aimed specifically at regulating vendors under the larger HIPAA umbrella. In the legislation, vendors are referred to as business associates (BA). Anyone who has been granted access to PHI/ePHI, or whose system PHI/ePHI passes through, is required to comply with all HIPAA regulations. Before being granted access to PHI/ePHI, third-party vendors must sign a business associate agreement (BAA), which contractually binds them to HIPAA compliance.

However, staying compliant in a large network that includes many third-party vendors can be difficult. Here are some tips to help maintain compliance:

  • Don’t assume a signed BAA automatically ensures compliance. Vet your vendors’ security measures before onboarding and audit them periodically to ensure they’re upholding strict compliance.
  • Remember BAA requirements aren’t limited to those who directly access ePHI. Even those vendors who simply have ePHI pass through their software are required to sign a BAA. HIPAA compliance applies to anyone and everyone who touches PHI.
  • Require subcontractors to sign their own BAA. Subcontractors are business associates of your business associates, which creates a bit of a confusing chain. What’s not confusing is this: Each individual entity that touches PHI/ePHI is required to sign their own BAA.

PCI DSS

PCI DSS compliance is a sweeping set of industry standards that apply to any business that accepts credit card payments, aiming to keep financial information secure – and it works. In 2019, Verizon reported that it has never investigated a payment card security data breach for a PCI DSS compliant company.

Our blog has previously outlined the specifics of the four merchant levels of compliance classification, but the heart of PCI DSS compliance comes from 12 mandatory security controls. Adhering to these five controls, in particular, can help you ensure the compliance of your vendors:

  • Do not use vendor-supplied defaults for system passwords and other security parameters. In addition to maintaining a hardened firewall, ensure your company restricts access to your cardholder data environment (CDE) to only authorized, multi-factor authenticated users. This means that everyone, even vendors, should have their own unique credentials.
  • Restrict access to cardholder data by need-to-know (least privilege). It’s crucial here to be able to restrict traffic to and from the CDE to established connections from authorized and authenticated users. Invest in software that allows you to customize access privileges – each user should only be able to access the data that’s necessary to complete their assigned task.
  • Assign a unique ID to each person with computer access. Customizing credentials for each user has the dual benefit of letting you both track and restrict individual user activity.
  • Track and monitor all access to network resources and cardholder data. Ensure you have the capability to perform detailed audits of all third-party remote access user sessions.
  • Maintain a policy that addresses information security. This includes a hardened firewall, vendor privileged access management, comprehensive auditing, and strong cryptography standards.

CJIS

The FBI’s Criminal Justice Information Services (CJIS) represents one of the most substantive sets of cybersecurity standards in any industry. CJIS requires that any entities that access or manage sensitive US Justice Department information follow strict compliance guidelines to protect national security while preserving public civil liberties. Wireless networking, data encryption, and remote access comprise the backbone of CJIS policy.

If a company does not have the capacity to undergo extensive audit procedures (including those of its third-party vendors), it is not CJIS compliant.

In order to stay compliant, businesses and government entities must meet the requirements for these 13 security policy areas:

  1. Information Exchange Agreements – Companies that access criminal justice information (CJI) are required to have systems in place in several areas, including, but not limited to: audits, hit confirmation, logging, pre-employment screening, and timelines.
  2. Security awareness training – Anyone with access to CJI must complete training within six months of receiving the CJI.
  3. Incident response – Breaches and “major incidents” must be reported to the Justice Department.
  4. Auditing and accountability – Audits must be provided for: login attempts, actions by privileged accounts, attempts to access, modify, or destroy history/log files, and more. Third parties are included here – they should be tracked at least as closely as internal users.
  5. Access control – Criteria must be defined and should be based on job, location, network address, and/or time restrictions.
  6. Identification and authentication – Similar to access control, everyone who is authorized to access CJI must have unique identification and authentication (password, token, PIN, or another multi-factor identification method). This rule applies to both internal users and third parties: everyone must have unique login IDs.
  7. Configuration management – Any changes to the information system platform, architecture, hardware, software, and procedures must be documented.
  8. Media protection – Policies and procedures must be documented for digital and physical media storage, access, transportation, and destruction.
  9. Physical protection – Physical media must be secure. 
  10. Systems and communications protection and information integrity – Applications, services, and information systems must be secure. 
  11. Formal audits – All entities are subject to formal audits by the FBI and other agencies. Vetting third-party vendors before hiring them, as well as conducting ongoing compliance audits, will protect you from failing formal audits.
  12. Personnel security – Everyone with access to CJI is required to complete security screening during hiring, termination, transfer and other employee/vendor lifecycle events. 
  13. Mobile devices – CJIS has specific requirements for network access via mobile devices. 

Customization for access control of individual users is key in assuring CJIS compliance.

To be compliant, ensure your vendors are compliant.

Depending on your industry, specific rules of data security compliance can vary greatly. But the one constant that remains, no matter what, is that when your vendors aren’t compliant, you’re not compliant. Many data breaches and ransomware attacks start with vendors’ access to networks, applications, and servers, so here’s our best piece of advice: 

Cover your bases (and protect your data) by vetting your vendors before bringing them on, and invest in software that’s equipped with comprehensive third-party audits and other technical controls. Download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.
