In today’s healthcare environment, transparency with partners and advisors is essential to maintaining strong relationships with your patients and stakeholders. If you rely on service providers to operate, grow and advance, you need to foster trust and transparency with those organizations. That’s why service providers that handle sensitive information, such as protected health information (PHI) under a signed Business Associate Agreement (BAA), should be held to a high standard. How equipped are they to protect data? Properly scrutinizing a service provider’s security posture requires due diligence.
How to vet effectively
One way to vet partners and ensure data security is via credible, independent assurance. Using the Common Security Framework (CSF), created by the Health Information Trust Alliance, practices like yours can create, access, store or exchange sensitive and/or regulated data more securely. Make sure your service providers agree in writing to protect your practice’s data with reasonable controls (e.g., policies and procedures) designed to detect, prevent and mitigate risk.
When is the right time to evaluate partners?
Before you enter a relationship with any business partner, you should assess their security policies and ability to follow through. It’s important to only provide data access to external parties after the appropriate controls have been implemented, and, where feasible, a contract has been signed defining the terms and conditions for data access.
What security rules should you follow for the best third-party relationships?
Here are some basic rules of thumb you should follow when working with service providers:
- Establish and document personnel security requirements including security roles and responsibilities for third-party providers.
- Use encrypted channels (e.g., VPN) to secure all remote access connections between your organization and external parties.
- Provide minimum necessary access to your information to minimize security risks.
- Identify and mandate information security controls to address supplier access to your information.
- Maintain written contracts that acknowledge the service provider is responsible for the security of the data they possess or otherwise store, process or transmit on your behalf.
- Implement a screening process for contractors and third-party users.
- Require third-party providers to notify a designated individual of any personnel transfers or terminations of third-party personnel who possess organizational credentials and/or badges, or who have information system privileges.
- Ensure that third parties maintain sufficient service capabilities in the event of a service failure or disaster.
- Restrict the location of facilities that process, transmit or store covered information as needed based on legal, regulatory, contractual, and other security- and privacy-related requirements.
Once you’ve established roles and responsibilities, continue to vet partners on an ongoing basis:
- Annually: Review service level agreements (SLAs) at least once a year and compare them against your monitoring records.
- Periodically: Throughout the year, audit network services to ensure that partners implement the required security features and meet the agreed-upon requirements, including new and existing regulations.
- Regularly: Hold progress meetings as required by your SLAs to review reports, audit trails, security events, operational issues, failures and disruptions, and identified problems.
How NextGen Healthcare protects data
NextGen Healthcare performs due diligence with every additional party that may have access to sensitive information. We openly communicate with clients who want a better understanding of what we’re doing to protect their data. If you’re a current NextGen Healthcare client or prospective client, we’re here to answer questions you may have on data security and how to best vet any future partner relationships.