Don’t Compromise on Security When Selecting a Vendor


By Ravi K. Raheja, MD

The average cost of a data breach in the United States has hit an all-time high of 7.35 million dollars. Just this year, there have been more than one hundred hacker attacks on healthcare organizations, according to the U.S. Department of Health and Human Services. Despite better awareness among healthcare organizations, data breach costs average 408 dollars per record. Cybercriminals use weaponized ransomware, misconfigured cloud-storage buckets, and phishing emails to attack.

Hidden costs in data breaches are difficult and expensive to manage, resulting in customer turnover, reputation damage, and increased operational costs. Knowing where the costs lie and how to reduce them can help companies invest their resources more strategically and lower the huge financial risks at stake.

While looking for cost-saving solutions is important for any business, it is critical to make sure your vendor partners also meet the same stringent criteria on data security. This extends to your outsourced after-hours services as well. Not doing the proper due diligence can lead to a significant risk in terms of data loss and security.

Here are fourteen critical questions you should consider when selecting your partners in healthcare:

  1. Does the vendor have a chief information officer (CIO) who oversees the security program?
  2. Does the vendor have a formal security compliance program in place with yearly audits?
  3. Is the vendor URAC-accredited so a third party is auditing the triage call center policies and procedures to ensure they are followed?
  4. Does the vendor subcontract services? If they do, are the proper BAAs (Business Associate Agreements) and contracts in place?
  5. What are the limits of their data breach insurance policy?
  6. Is the data center infrastructure set up to maximize data protection along with regular scanning of the software and servers?
  7. Does the vendor have an intrusion detection system that alerts on potential threats?
  8. Does the vendor have adequate IT resources to monitor all systems and to respond quickly to any potential threats?
  9. Do the products meet HIPAA, HITECH, and other security requirements?
  10. Do the security reports meet all auditing and HIPAA-reporting needs?
  11. Does the vendor have a formal HIPAA training program for all staff members?
  12. Does the data center where the data is stored have proper security certifications?
  13. Is the patient data secured at all times and in all modules of the product? (This must include strong password protection or other user authentication, data encrypted at rest, and data encrypted in motion.)
  14. Is the patient’s data secured when accessed via handheld devices, such as through SSL-secured websites, iPhone apps, and so forth?

If the answer is no to any of the above questions, then it may be an indication that you should look deeper and compare vendors before selecting one that will protect your patient data properly. Don’t be afraid to dig deeper and ask vendors questions if you have any concerns. Remember, it is harder to change vendors once you implement a program than to ask questions beforehand and make sure that you have the best system in place for your needs.

Ravi K. Raheja, MD, is the COO and medical director of the TriageLogic Group. Founded in 2005, TriageLogic is a URAC-accredited, physician-led provider of high-quality telehealth services, nurse triage, triage education, and software for telephone medicine. Their comprehensive triage solution includes integrated mobile access and two-way video capability. The TriageLogic Group serves over seven thousand physicians and covers over 18 million lives nationwide. For more information, visit www.triagelogic.com.