Something to think about when integrating with a vendor in your environment or on your application.

Dr. Mike Bonnes

Because of the diverse security risks in the medical industry, many areas have to be considered when assessing the risk of an application, service, medical device, network hardware, or network configuration and access. I have aggregated the basic information to think about when reviewing a possible application deployment or purchase. These are very high-level questions; also consider the time to deploy, the complexity, and the integration effort when deciding on vendors. Once you find an application or service, complete the same process that a risk assessment requires: go to the risk intake portal as you normally would for a consultation.

These are basic requirements, aggregated from vendor requirements and security best practice.

Basic requirements

  1. A full description of the product and its use

  2. Any connectivity to or within the Group Health network will require a topology diagram showing the connectivity

  3. Will this application or service handle PHI?

  4. Will this application or service handle fewer than 500 PHI records?

Access control

  1. What types of network access will this application or process need?

  2. Is access to the application or service role-based?

  3. Can user access be controlled by the application or service admin?

  4. Can the system force password changes at least every 90 days, and does the application allow a password change at the next log-on?

  5. Does this application log user access (failed and successful log-ons)?

  6. Can single sign-on be implemented with the application or service?

Encryption

  1. Is application data encrypted at rest? Does the application encrypt data in transmission?

  2. Does the vendor use security code review in development?

  3. Does the application require that a database be built on Group Health servers?

  4. Does this application or service require that a database be built on the vendor's servers?

  5. Can this database and server be encrypted?

Enterprise Architecture

  1. Does this application or service require the use of an API (Application Programming Interface) to connect to the Group Health network?

  2. Will this application or service require firewall changes or any other configuration changes within Group Health networks?

  3. Will this be an organization-wide deployment? If so, EA will have to be involved for review.

  4. Will the service handle PCI or PHI data locally, or transmit it externally?

  5. Can this vendor supply a BAA and an NDA (if the product handles PHI)?

  6. Is this a cloud service (data hosted on a server)? If the data is hosted on a server in the vendor's network, your business data should be logically separated from other customers' information.

  7. Does the vendor have a data loss prevention and detection program in place?

Documents typically requested

  1. SOC/SAS documentation, PCI AOC/COC, or HIPAA documentation

  2. Physical security policies for data centers

  3. Information security policies and standards (do they have them, and can they provide them?)

  4. Sample topology for the external network connection to the organization

  5. Sample topology for local connections within the network

This does not replace a risk assessment; use this information in discussions with vendors.

©2020 by Dr. Bonnes Portfolio.