Third-Party Vendors and HIPAA

March 09, 2017//Ellen Neveux

Last Updated: April 29, 2020

The Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996, at a time when paper files were still stored in cabinets and sensitive information was generally delivered by hand or fax. Now everything is stored on computers and transmitted over the internet, exposing highly sensitive personal health information to serious data breaches.

A hacker can quickly access hundreds of patient files and cause widespread damage, including a release of private information, deletion of crucial health reports, large-scale identity theft and ransom threats. Companies in the healthcare business now find themselves grappling with complicated cybersecurity issues far outside the medical space. Considering the risks of HIPAA non-compliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. Under HIPAA such a vendor is a business associate, and the covered entity remains responsible for the arrangement, so the vendor must sign a business associate agreement and be held to it. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain up-to-date data security measures.

Restricting access
Who has access to patients’ information, how, and how much? These are crucial questions for any IT vendor. First, each member of the vendor’s team should have only the level of access required to do their job, with restrictions on time, scope, and job function (the principle of least privilege). Each staff member should log in with a unique, individual account, never a shared credential, and complete multi-factor authentication to prove their identity. An automatic logoff after a short period of inactivity prevents an unattended session from being used under someone else’s credentials.

Auditable reports
An automatic audit system lets the healthcare company screen for unauthorized access and trace the source of a data breach. An effective audit system records every support connection and delivers a complete history of every login, including time, source, person, and the scope of the access to patients’ records and other sensitive information. Those records should be written to a store that the vendor’s own staff cannot alter, so that the history can be trusted when an incident is investigated.
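The two sections above describe the controls in words: a time-, scope- and role-limited grant per vendor account, and an audit trail of every connection that can be screened for access outside that grant. The following Go program, added here as an illustration and not SecureLink’s code or any product’s log format, shows what that screening looks like in practice. The audit-log layout (`timestamp user=... src=... system=... action=...`), the account names, the addresses and the maintenance window are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AccessGrant is the least-privilege scope given to one vendor account:
// the systems it may touch and the window during which it may touch them.
type AccessGrant struct {
	Systems   map[string]bool
	NotBefore time.Time
	NotAfter  time.Time
}

// SessionRecord is one parsed audit-log event.
type SessionRecord struct {
	Time                         time.Time
	User, Source, System, Action string
}

// auditLog is a constructed sample; the key=value layout is an assumption
// made for this example, not any real product's log format.
var auditLog = []string{
	"2020-04-29T14:05:00Z user=acme-jdoe src=203.0.113.7 system=pacs-db action=login",
	"2020-04-29T14:06:10Z user=acme-jdoe src=203.0.113.7 system=pacs-db action=query",
	"2020-04-29T14:20:30Z user=acme-jdoe src=203.0.113.7 system=billing-db action=query",
	"2020-04-29T23:40:00Z user=acme-jdoe src=198.51.100.4 system=pacs-db action=login",
	"2020-04-29T15:00:00Z user=unknown-tech src=203.0.113.9 system=pacs-db action=login",
}

// exampleGrants is a constructed policy: acme-jdoe may reach pacs-db only
// during a four-hour window on the day of the support ticket.
func exampleGrants() map[string]AccessGrant {
	start, _ := time.Parse(time.RFC3339, "2020-04-29T13:00:00Z")
	return map[string]AccessGrant{
		"acme-jdoe": {
			Systems:   map[string]bool{"pacs-db": true},
			NotBefore: start,
			NotAfter:  start.Add(4 * time.Hour),
		},
	}
}

// parseRecord turns one log line into a SessionRecord. Malformed lines are
// returned as errors so they surface as findings instead of being skipped.
func parseRecord(line string) (SessionRecord, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return SessionRecord{}, fmt.Errorf("too few fields: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return SessionRecord{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	rec := SessionRecord{Time: ts}
	for _, kv := range fields[1:] {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return SessionRecord{}, fmt.Errorf("bad field %q in %q", kv, line)
		}
		switch parts[0] {
		case "user":
			rec.User = parts[1]
		case "src":
			rec.Source = parts[1]
		case "system":
			rec.System = parts[1]
		case "action":
			rec.Action = parts[1]
		}
	}
	return rec, nil
}

// findViolations checks every event against the grant for its account and
// returns one finding per event that is outside the approved window or scope,
// or that comes from an account with no grant at all.
func findViolations(grants map[string]AccessGrant, lines []string) []string {
	var findings []string
	for _, line := range lines {
		rec, err := parseRecord(line)
		if err != nil {
			findings = append(findings, "unparseable audit line: "+err.Error())
			continue
		}
		who := fmt.Sprintf("%s %s from %s", rec.Time.Format(time.RFC3339), rec.User, rec.Source)
		grant, ok := grants[rec.User]
		switch {
		case !ok:
			findings = append(findings, who+": no access grant exists for this account")
		case rec.Time.Before(grant.NotBefore) || rec.Time.After(grant.NotAfter):
			findings = append(findings, fmt.Sprintf("%s: %s on %s outside approved window", who, rec.Action, rec.System))
		case !grant.Systems[rec.System]:
			findings = append(findings, fmt.Sprintf("%s: %s on %s outside granted scope", who, rec.Action, rec.System))
		}
	}
	return findings
}

func main() {
	for _, f := range findViolations(exampleGrants(), auditLog) {
		fmt.Println(f)
	}
}
```

Run against the constructed log, the program flags three events: a query against a system the account was never granted, a login long after the maintenance window closed (and from a different address), and a login by an account that has no grant at all. The two legitimate events produce nothing. In a real deployment the grants would come from the ticketing or access-management system and the log from the remote-access platform, but the check itself, every event matched against time, scope and identity, is the same.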

Data integrity and security
The weak links in data security are generally the points of access and transmission. Keeping security settings current helps, but by itself it neither protects stored data from corruption nor prevents interception in transit; the data has to be encrypted at rest and in transit, and its integrity verified. To protect the data’s integrity and confidentiality, recommendations include customer control of configurable encryption and the Advanced Encryption Standard (AES) with 128-, 192- or 256-bit keys. Triple DES may still be encountered in legacy systems, but NIST has deprecated it and AES should be used for anything new. Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance.
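The paragraph above lists the ciphers; what it does not show is the integrity half of “integrity and security”, which comes from using an authenticated mode rather than a bare block cipher. The Go program below is an added example, not code from SecureLink or from any product on this page: it seals a constructed stand-in for a patient record with AES-256 in GCM mode and then checks the three outcomes a practitioner should verify, that the right key recovers the data, that a single flipped bit is refused, and that a wrong key is refused rather than yielding garbage. Key generation is done inline with random bytes purely for the example; in a real system the key would come from a key-management service and never be created ad hoc like this.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealRecord encrypts plaintext under a 16-, 24- or 32-byte key (AES-128/192/256)
// with GCM. A fresh random 12-byte nonce is prepended to the output so the
// receiver can reconstruct it; the authentication tag GCM appends is what
// turns "encrypted" into "encrypted and tamper-evident".
func sealRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects any key length other than 16/24/32
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || tag. aad is authenticated but not
	// encrypted, so a record ID bound here cannot be swapped between records.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openRecord reverses sealRecord and fails closed on any change to the nonce,
// ciphertext, tag or aad.
func openRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Outcome records the three properties checked by roundTrip.
type Outcome struct {
	Decrypted        bool // plaintext recovered under the correct key
	TamperRejected   bool // one flipped bit in the sealed blob is refused
	WrongKeyRejected bool // a different key is refused instead of returning garbage
}

// roundTrip exercises sealRecord/openRecord on a constructed sample record.
func roundTrip() (Outcome, error) {
	var out Outcome
	key := make([]byte, 32) // AES-256; example only, a real key lives in a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return out, err
	}
	record := []byte("constructed sample record; stands in for a PHI payload")
	aad := []byte("record-id=42") // constructed; bound to the ciphertext, not secret

	sealed, err := sealRecord(key, record, aad)
	if err != nil {
		return out, err
	}
	got, err := openRecord(key, sealed, aad)
	if err != nil {
		return out, err
	}
	out.Decrypted = bytes.Equal(got, record)

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit inside the ciphertext
	_, err = openRecord(key, tampered, aad)
	out.TamperRejected = err != nil

	other := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, other); err != nil {
		return out, err
	}
	_, err = openRecord(other, sealed, aad)
	out.WrongKeyRejected = err != nil
	return out, nil
}

func main() {
	out, err := roundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Two design points are worth noting. GCM with a random 96-bit nonce must not be used for more than about 2^32 messages under one key (NIST SP 800-38D), so a long-lived data-at-rest key needs rotation or a derived per-record key. And Go’s standard library still ships Triple DES in `crypto/des`, but it is deliberately not used here: the caveat in the text applies, and there is no reason to reach for it in a new design.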

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches.

About SecureLink

Our sole focus is secure third-party remote access. For highly regulated enterprise organizations, SecureLink Enterprise has pioneered a secure remote access platform. SecureLink for enterprise allows an organization to identify, control, and audit third-party vendors. For vendors, SecureLink is the gold standard remote access support platform because it is easy, efficient, and ensures compliance and reduces liability when supporting customers.
