By law, the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (HIPAA Rules) apply to covered entities– health plans, healthcare clearinghouses, and certain healthcare providers. However, it’s important to note that most healthcare providers and plans don’t carry out all their healthcare functions and activities alone. They often use the services of other individuals or businesses, often referred to as "business associates."
Business associate functions and activities include:
Business associate services are:
Overview of the HIPAA Rule in Healthcare
The HIPAA Rule permits covered providers and health plans to share protected health information (PHI) with these business associates. However, sharing protected data is only allowable if health providers or plans obtain satisfactory assurances that the business associate will safeguard the information from misuse and only use the information for the purposes and duties covered under the Privacy Rule.
The Privacy Rule requirements compel health organizations to conduct rigorous assessments of their business associates' risk profiles and security assurances. And, beyond business associates, there may be other third-party types that should also be risk assessed.
Healthcare organizations have several options when it comes to assessing a third party's risk associate's posture. But, what should a healthcare organization review and confirm regarding business associate security risk?
If a third party has a security certification, providing a copy of that certification for review may be all that is needed. In the absence of security certification, a questionnaire should be completed by the third party. For instances in which other information is required, a review of business associate-provided information security policies and related documentation may be sufficient. A combination of these options may be used, especially if a healthcare organization begins by conducting a questionnaire and reviewing third-party policies and documents.
What does each of these options entail? What security assurances can be requested? What type of questionnaire should be used? And what types of information security policies should be requested? In other words, what needs to be assessed? Let’s cover more of that.
Business Associates' Documents to Verify Security
Some healthcare organizations decide to accept a third party's security assurance for review instead of requesting that the third party complete a third-party risk questionnaire and documentation review. Suppose this is an option your healthcare organization has decided to use at the start of a third-party risk assessment. In that case, the third party will be asked if they have any security assurances. If so, they'll be asked to provide the full report or certificate of certification.
This is a quick way to gain a deep understanding of a business associate's security posture. When the security assurance is issued by an independent authority providing security certification based on a cybersecurity framework, then a certain level of maturity should be guaranteed for the business associate's security posture.
A HITRUST certification, specifically the r2 Certification, ensures that a third party has met particular requirements as outlined in the HITRUST Cybersecurity Framework (CSF). This framework was developed specifically for healthcare organizations. Meeting HITRUST controls for certification purposes automatically ensures a third party meets specific compliance regulations, such as HIPAA, and has a solid security posture. Your organization may decide that a third party having a HITRUST certification is sufficient and enough for assessing third parties such as business associates.
ISO 27001: 2013
Another security certification often used by healthcare organizations to ensure a third party has an acceptable security posture is ISO 27001: 2013. Being a worldwide recognized certification, ISO 27001 is an information security management certification rather than a cybersecurity framework certification. ISO 27001 is designed to illustrate that a third party has a certain compliant information security management program in place and follows particular management processes and procedures. IT Governance provides an informational website and video - What is ISO 27001? - that explains this certification in detail. It's not specific to healthcare, so having ISO 27001:2013 certification doesn't automatically ensure a third party is HIPAA compliant or adheres to HICP (Healthcare Industry Cybersecurity Practices). Still, this certification may be used to assess the security posture of third parties who are not business associates and who do not access, transmit, or store your health organization's protected health information (PHI).
SOC 2 Reports
In addition to security certifications, some healthcare organizations will accept an independent audit report. The most commonly accepted audit report for gathering information and assurance of a third-party’s control environment is a SOC 2 report. It can assess any combination of the five Trust Services Criteria – Security, Availability, Processing Integrity, Confidentiality, and Privacy. Most healthcare organizations prefer a third party to provide a SOC 2 report that, at a minimum, covers three of the Trust Services Criteria: Security, Confidentiality, and Privacy. These elements are required for the SOC 2 report to ensure the third party has a solid security posture that covers compliance regulations.
Also, it should be noted that SOC 2 reports come in two types. A SOC 2 Type I report is a quick, point-in-time snapshot of a third party's current security practices around the selected Trust Services Criteria. A SOC 2 Type II report is a comprehensive audit conducted over a 3 to 12-month period that thoroughly assesses an organization's security program.
Requesting Compliance Reports in Addition to Security Assurances
Security assurances, such as ISO 27001 certification and SOC 2 reports, aren't healthcare specific. So, in addition to ISO 27001 or SOC 2, your organization may need to request that a third party also provide specific compliance reports if they're a business associate or a third party touching PHI or payment card industry (PCI) data. Imagine, for instance, that a third party will store your organization's PHI within their system, but they can only provide a current SOC 2 Type II report. In that case, you'll need to request additional documentation. To ensure a third party meets your health organization's requirements for storing your PHI and cardholder data (CHD), you'll need to request two additional types of documentation. Among these, a HIPAA Compliance Report and PCI Attestation of Compliance (AoC) should suffice.
Sample Security Assurances include:
- Certifications (ISO 27001: 2013, HITRUST r2)
- Independent audit reports (SOC 2 Type I and SOC 2 Type II)
- Compliance reports (HIPAA Compliance Report, PCI DSS AoC, PCI DSS RoC)
Third-Party Assessments Using Third-Party Questionnaires
It's quite routine for a healthcare organization to conduct a third-party risk assessment using a questionnaire. In other cases, you may wish to ask for a security certification or third-party audit. To assess the third-party, you should use a cybersecurity or an information security control framework, which serves as the basis for the third-party questionnaire.
Cybersecurity Framework vs Compliance Framework
A third-party questionnaire should be based on a standard cybersecurity framework. There are several frameworks from which a healthcare organization can choose and use as the basis of a third-party questionnaire. It should be noted, however, that, depending on your healthcare organization’s budget and capabilities, a compliance framework such as HIPAA or PCI DSS may not be as comprehensive as a cybersecurity framework, such as NIST 800-53 rev 5 or CIS Controls. For many, a compliance framework is a good starting point, but your third-party risk assessment should hold your third parties accountable for security risks, and you should choose the framework that is best for your organization’s security posture.
The HITRUST Cybersecurity Framework (CSF) is specific to healthcare. It’s a security framework that could be used for third-party questionnaires. However, the HITRUST CSF is a proprietary framework that only HITRUST Qualified Organizations and HITRUST Qualified Individuals can utilize. That means your healthcare organization may or may not be able to base your questionnaires on this framework. It depends on your affiliation with HITRUST. To learn more about the HITRUST CSF License Agreement and view the Terms and Conditions, visit the HITRUST CSF v9.6.0 License Agreement webpage.
The National Institute of Standards and Technology (NIST) provides frameworks which can be used to create third-party questionnaires. The NIST Cybersecurity Framework (CSF) groups technical controls into the following control functions: Identity, Protect, Detect, Respond, and Recover. Using this framework will help you better understand a third party's security posture in general security terms. However, this framework is more applicable for assessing an organization's risk management program and cybersecurity practices in general. Therefore, questionnaires based on the NIST CSF may not provide detailed visibility into a third party's security practices in privacy and supply chain or those required by HIPAA, PCI DSS, and GDPR.
NIST 800-53 rev 5
Security and Privacy Controls for Information Systems and Organizations, Revision 5, is one possible set of security controls that provides complete visibility into a third party's security posture. Using NIST 800-53 as the basis of third-party questionnaires will ensure that all key security controls and compliance regulations essential to healthcare will be covered. In fact, NIST 800-53 is the framework upon which the HITRUST CSF, NIST CSF, and CIS Controls were created. NIST 800-53 is a comprehensive collection of security and privacy controls that provide full-spectrum coverage of an organization's security posture.
Revision 5 also includes three new control families:
- Privacy risk management
- Supply chain protections
- Cybersecurity program management
At the time of this publication, neither the HITRUST CSF nor the NIST CSF incorporates these new control families. For a detailed look at NIST 800-53 and the specific updates with Revision 5, visit the NIST website.
CIS Critical Security Controls v8
In cases where a questionnaire simply needs to assess if a business associate has basic security hygiene in place, CIS Critical Security Controls makes the perfect control framework. Originally known as the SANS Top 20, the CIS Controls are now in version 8 and have been reduced to 18 controls from 20. The Center for Internet Security (CIS) developed these 18 Controls (and their corresponding sub-controls called "Safeguards") to be used by any organization to implement a basic cybersecurity program. Frameworks such as the HITRUST CSF and NIST 800-53 rev 5 may be too detailed for a healthcare organization to assess a third party who isn’t a business associate, or doesn’t have any access to sensitive data, but still needs to demonstrate an acceptable security posture. A third-party questionnaire based on the CIS Controls can do just that. For more information on CIS Controls, the Center for Internet Security provides an informative poster for quick reference.
One Third-Party Questionnaire or Several?
Some healthcare organizations will decide to use one questionnaire that all third parties and business associates are asked to complete as part of a risk assessment. In other organizations, two or three questionnaires are developed. Each type of assessment is applied depending on the scope, extent, and nature of the access, transmission, or storage of PHI by the third party or business associate. You can create several questionnaires based on different frameworks, such as one based on NIST 800-53 rev 5 and another on CIS Controls. It's up to your third-party risk assessment team as to "what" is best to use for assessing your third parties with your questionnaires.
Third-Party Due Diligence Documentation
A healthcare organization could request that third parties and business associates share copies of all their information security policies for review. When performing a control assessment, you should request documentation as artifacts to verify that certain controls are, in fact, in place. Meanwhile, other organizations may choose to request a third-party questionnaire first and then ask for documentation to verify responses to essential controls or ensure that appropriate compensating controls are in place. In either case, requesting specific documentation from a third party to verify that the third party has a particular security posture is a key part of due diligence and ongoing monitoring.
When performing due diligence, a healthcare organization should request policies related to:
- Independent penetration testing is conducted on an annual basis
- Required use of Multifactor Authentication (MFA)
- Regular employee security and privacy training
- Information security policies
- Change management policies
- Risk management policies
- Third-party risk management policies
Your organization should also request financial reports to confirm the third party or business associates' financial health and proof of cybersecurity insurance. In other words, depending on the scope of the third-party risk assessment, your organization may need to review additional policies and procedures related to more than just information security. Due diligence provides the opportunity to assess any other details required besides a third party or business associate's cybersecurity policies and practices to gain visibility into the third party's risks posed to your organization.
Additional Sample Due Diligence documents include:
- Financial reports (including SOC 1 audit reports)
- ESG policy
Knowing what to assess during a third-party risk assessment is key to gaining insight into your third party's security and privacy posture. Using that insight, you can determine whether the third party or business associate presents risks to your organization due to their security practices (or lack thereof). Whether you accept security certifications, third-party audits, or require every third party to complete a questionnaire and provide a list of documents for due diligence, your third-party risk assessment team should understand which information and elements should be assessed and how best to apply them to meet your third-party risk management needs.
What to Know About SSAE 18 for Your Vendor Management
We had SAS 70, then SSAE 16... now we have the SSAE 18. SSAE 18 is a little different, so we’ve...
Varying Levels of Expertise in Vendor Oversight
If an organization isn’t truly onboard with vendor management, they allocate team members that lack...
Third Party Risk Management - How Does the Vendor Perceive It?
As part of our Venminder Thought Leadership interview series where we speak to experts in-housing...
Subscribe to Venminder
Get expert insights straight to your inbox.
Ready to Get Started?
Schedule a personalized solution demonstration to see if Venminder is a fit for you.