Vendor Access and HIPAA Compliance: Are you Secured?

It can be hard to remember a time before the Health Insurance Portability and Accountability Act, known as HIPAA, was enacted in 1996. Those were the days when paper files were still stored in cabinets and sensitive information was generally delivered by hand, or, if you were really sophisticated, sent via fax machine.

Fast forward almost 25 years and, unsurprisingly, the healthcare industry looks completely different (though some organizations still use fax machines). Records are now stored on computers and transmitted over the internet, which has brought obvious gains in efficiency, but with them comes risk. We have seen an increase in serious data breaches at healthcare entities that expose highly sensitive personal health information. Not just any kind of breach, either: these are the breaches tied to third-party and vendor access, which are known to be more costly in terms of fines and reputational damage.

A hacker can quickly access hundreds of patient files and cause widespread damage, including the release of private information, deletion of crucial health reports, large-scale identity theft, and the increasingly popular route of ransomware.

Gone are the days when healthcare companies only had to deal with issues related to patient care; they now find themselves grappling with complicated cybersecurity issues far outside the medical space.

Considering the risks of HIPAA noncompliance, healthcare companies generally benefit from hiring third-party vendors that specifically handle HIPAA regulatory compliance. To fully protect patients, these vendors should have clear policies that restrict access, remain transparent and auditable, and maintain the most updated data security measures.

How to Restrict Vendor Access

Who has access to the patients’ information, how are they accessing the information, and how much access do they have (or should they have)? These are crucial questions for any technology vendor.

First, each member of the IT team should have only the level of access required to do their job, consistent with HIPAA compliance and data security, including restrictions on time, scope, and job function. Each vendor representative should log into the system with a unique username and password and pass multi-level authentication tied to their individual identity. On top of that, automatic logoff after a short period of inactivity prevents an unattended session from being used by someone else under the original user's credentials.

Why Auditable Reports are Necessary

An automated audit system lets healthcare companies screen for unauthorized access and trace the source of a data breach. An effective audit system keeps detailed login records for every support connection and delivers a complete history of each login, including time, place, personnel, and the scope of access to patient records and other sensitive information.

These reports are not only necessary for internal security purposes, but are integral for proving HIPAA compliance in relation to allowing vendors on your network.
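As an added illustration (not code from the article or from SecureLink), the following Python script checks constructed vendor session records against a hypothetical per-vendor policy covering the restrictions described above (time window, system scope, idle logoff) and flags any account seen from more than one source address. Account names, systems, addresses and policy values are all assumptions.

```python
# Added example, not part of the original article: audit constructed vendor
# session records against a hypothetical per-vendor access policy.
from datetime import datetime, timedelta

# Hypothetical policy: systems each vendor account may reach, the allowed
# login window (hour of day, start inclusive, end exclusive) and the maximum
# period a session may stay open after the last activity.
POLICY = {
    "acme-billing": {"systems": {"billing-db"}, "hours": (8, 18), "idle_max": timedelta(minutes=15)},
    "medsoft-support": {"systems": {"ehr-app", "ehr-db"}, "hours": (0, 24), "idle_max": timedelta(minutes=15)},
}

# Constructed session log; each record is one remote-access connection.
SESSIONS = [
    {"account": "acme-billing", "system": "billing-db", "src": "203.0.113.10",
     "login": "2021-03-01T09:00", "last_activity": "2021-03-01T09:40", "logout": "2021-03-01T09:41"},
    {"account": "acme-billing", "system": "ehr-db", "src": "203.0.113.10",  # outside allowed scope
     "login": "2021-03-01T10:00", "last_activity": "2021-03-01T10:05", "logout": "2021-03-01T10:06"},
    {"account": "medsoft-support", "system": "ehr-app", "src": "198.51.100.7",  # idle logoff not enforced
     "login": "2021-03-01T22:00", "last_activity": "2021-03-01T22:10", "logout": "2021-03-01T23:30"},
    {"account": "acme-billing", "system": "billing-db", "src": "192.0.2.99",  # off-hours, second source
     "login": "2021-03-01T21:00", "last_activity": "2021-03-01T21:30", "logout": "2021-03-01T21:31"},
]

def audit(sessions, policy):
    """Return a list of (account, finding) tuples, one per policy violation."""
    findings = []
    for s in sessions:
        p = policy[s["account"]]
        login = datetime.fromisoformat(s["login"])
        last = datetime.fromisoformat(s["last_activity"])
        logout = datetime.fromisoformat(s["logout"])
        if s["system"] not in p["systems"]:
            findings.append((s["account"], f"scope: accessed {s['system']}"))
        start, end = p["hours"]
        if not (start <= login.hour < end):
            findings.append((s["account"], f"time: login at {login.isoformat()} outside {start:02d}-{end:02d}"))
        if logout - last > p["idle_max"]:
            findings.append((s["account"], f"idle: session stayed open {logout - last} after last activity"))
    # Credential-sharing indicator: one account used from more than one source address.
    sources = {}
    for s in sessions:
        sources.setdefault(s["account"], set()).add(s["src"])
    for account, srcs in sources.items():
        if len(srcs) > 1:
            findings.append((account, f"identity: used from {len(srcs)} source addresses"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(SESSIONS, POLICY):
        print(account, finding)
```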

The Importance of Data Integrity and Security

The weak links in data security are generally the points of access and transmission. Regularly updated security settings protect data from corruption and prevent a breach during transmission. To protect the data's integrity and security, recommendations include customer control of configurable encryption, the Advanced Encryption Standard (AES) in 128-, 192-, and 256-bit modes, and Triple DES (a variant of the Data Encryption Standard).

Be Sure, Be Secure

Ultimately, the healthcare business bears the burden if patient information is compromised. A third-party IT security vendor should, therefore, have the knowledge and experience to meet the highest standards for HIPAA compliance. If you are worried that your vendors do not have your compliance in mind, it is of the utmost importance to vet them before onboarding, check in on them afterwards, and conduct some form of audit so that you have a ledger of all vendors.

Remote access to a healthcare facility’s networks and systems is an often overlooked area that can represent significant potential exposure for HIPAA breaches. Know your vendors, why they’re connecting, and ensure compliance.

Author: Ellen Neveux, SecureLink

SecureLink provides a remote-access platform that reduces the risks associated with providing remote access to internal networks to vendors and clients

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.