Message to vendors: think security

‘They’re not necessarily embracing that responsibility’
By Bernie Monegain
09:00 AM

Mac McMillan put it on the table straight up.

"Let's talk about business associates," he said to his four-member panel of providers discussing healthcare security at the HIMSS Media Privacy and Security Forum.

McMillan, CEO of security firm CynergisTek, wanted a sampling of how some of the country's top hospitals handle the issues relevant to business associates, specifically vendors.

"It's been three years now that it was hopefully made clear to them they have responsibility," he said. "They're not necessarily embracing that responsibility. How do you fight that and what are you doing around vendor management?"

Anahi Santiago, chief information security officer at Christiana Care Health System, told the audience Christiana has been rigorous on this score.

But it hasn't been easy.

"Every contract that has an IT component or some sort of patient information component comes through my desk," she said. "And we have a standard terms addendum that is attached to every vendor agreement."

At that point, management of vendors gets more complicated.

"The vendors don't get it, and they want to argue - about patch management, disaster recovery, change management - you name it," she said. "I spend a lot of time going back and forth with the vendors. But the organization understands there's a level of risk that we can accept and there's a threshold where we cannot."

Santiago said Christiana hasn't gone forward with vendors who couldn't provide the level of security the organization requires.

"I do think it's really important to have that verbiage in the agreement," she said. "But it doesn't stop there. Then every six months, every year, we have to go back and review. It has become extremely difficult to manage when those re-certifications are up."

At Partners HealthCare in Boston, CIO Jim Noga has faced similar difficulties.

"In terms of vendors, it really is hard out there because you may have a small niche vendor that's really important to operations - and they just say it: 'We can't sign this DAA with no cap on our liability,'" he said. "Yet the exposure to us is significant in terms of the harm and damage they can do."

Moreover, he noted, the agreement often isn't at all sufficient.

"I think you also need to think about contract terms," he said. "If it's an externally facing website, we actually require a third-party analysis."

"I don't think you ever mitigate all of the risk," he added, "but I think you can manage it to a reasonable level. You may be surprised at the number of vendors who say, 'well, gee, nobody's ever asked us that before.'"

Noga and his team try to convince vendors that they would be much more marketable if they could bring that forward to a customer, but often to no avail.