Digital Health organizations and healthcare innovators selling into hospitals and enterprise healthcare generally must complete a vendor security assessment or vendor risk assessment during procurement. Health providers provide a series of security questions and want to vet the security and compliance programs of new vendors.
Vendor security assessments are often structured as questionnaires that ask about company policies, system architecture, interoperability, and overall security practices. Providers use these assessments to measure the overall security risk profile of a vendor and determine procurement accordingly.
Healthcare innovators should be prepared to answer security assessments and provide security context to healthcare providers.
Put Security Policies in Place
Companies should already have administrative policies in place when approaching health providers. Administrative polices should include standard operating procedures and organizational procedures around security roles, risk analysis and assessment, backup and disaster recovery, system access, and data management. Additionally, policies should be built around all applicable regulatory compliance standards. For example, policies should address applicable safeguards for HIPAA/HITECH.
Policies should not just be legal documents, but an actual set of practices implemented across your organization and followed by your team. Administrative policies are great to reference when answering vendor assessments show health providers that your team is prepared and has a security program in place.
Ensure Security Safeguards Are Implemented
Administrative policies are only one part a security program. Digital health companies and software vendors must have technical safeguards in place. Regardless of technologies, infrastructure, organizations should have security protections in place for:
- Access Control
- Firewall/Networking
- Encryption
- Backup and Disaster Recovery
- Audit Logging
- Intrusion Detection
These security safeguards are typically defined in the previously mentioned administrative policies and implemented by DevOps and development team members. Cloud platforms provide many tools for configuring these technical controls, but ultimately it is up to organizations to ensure that resources are configured securely.
Determine Interoperability and Be Ready to Play Well with Other
Health providers manage a large internal infrastructure comprised of electronic health record (EHR) systems, clinical data, and software solutions, and need to know that new vendors will fit into their security programs and systems. Digital health companies should have a defined set of all solution requirements and dependencies, that can be shared with health providers. Providers will need to know what data is required for your solution, what level of access is needed, and how your solution will work.
Hospitals may require certain implementation/integration into existing systems. It is up to digital health companies to decide how much customization they are willing to provide when selling to enterprise healthcare. Since health providers often utilize different infrastructure and technologies, providing a solution that is technologically agnostic and being flexible can help ease implementation concerns and streamline procurement.
Get Your Documentation Together
Digital health companies should gather all security information related to their cloud service provider, software solutions, third party vendors, development teams, and software solutions.
Companies should have a signed and executed business associates’ agreement (BAA) with their cloud provider and have a copy of their latest SOC2 security report. Companies should also have a signed BAA with any other software vendors that will store, process, or transmit protected health information (PHI).
Teams should be prepared to share how security policies apply and are followed by remote development firms or any other stakeholders that are connected to your company.
Be Honest (No Seriously)
Although honesty should be a given, it is worth pointing out that lies or exaggerations about security programs will raise red flags and lead to more questions and more intense scrutiny, so it is important that organizations are honest about their security capabilities.
When developing a partnership or sale, your team should be honest about support and security capabilities should consider how many resources you are willing and able to allocate to the deal. Your team should consider what kinds of service level agreements (SLAs), levels of support, and other security responsibilities your team is willing to follow.
At the end of the day, health providers are looking for digital health companies to improve operations and solve clinical problems. Teams with established security programs, will be better prepared to approach providers and build long-lasting partnerships.
