Use These 6 Tips to Select Secure Healthcare Vendors

Don’t trust vendors even if you have a BAA.

During their AAPC HEALTHCON 2025 session, “Shielding Healthcare: Strategies to Prevent Cyber Attacks and Protect Patient Data,” Barry Sawyer II, senior cybersecurity auditor at Johanson Group LLP, and Leonta (Lee) Williams, senior director of education at AAPC, explored eye-popping data breach statistics, revealed the impact of attacks, and offered helpful advice to protect your healthcare organization and patients from malicious threats.

Read on to learn valuable tips for choosing vendors for your practice.

Tip 1: Perform Risk Assessments of Vendors

Before you bring on a third-party vendor, you need to make sure you understand their cybersecurity risks. “You have to do risk assessments on the vendors that you use. For the most part, if you’re using the large vendors, like Amazon Web Services [AWS], Google, Atlassian, or Microsoft, they have System and Organization Controls 2 [SOC 2] reports and International Organization for Standardization [ISO] reports. You can read the reports and make sure that everything is fine,” Sawyer II explained.

However, no matter how positive the reports are, no organization is 100 percent secure against outside threats. This is where a third-party audit comes in. By evaluating the security practices of prospective vendors before they sign on the dotted line, you can understand what you’re getting involved with and make an informed decision about each vendor to ensure you’re working with the least risky entity.

Tip 2: Comply With Requirements

As a healthcare entity, every person in your organization and every third party you contract with must be compliant with industry requirements. In healthcare, vendors need to be HIPAA compliant.

Additionally, technology vendors, including manufacturers of medical devices, IT equipment, and other appliances, need to adhere to security and compliance requirements from:

  • Health Information Technology for Economic and Clinical Health (HITECH) Act
  • National Institute of Standards and Technology (NIST)
  • Other relevant security frameworks

Tip 3: Establish Legal Contracts

According to the U.S. Department of Health and Human Services (HHS), a business associate is a person or entity that “performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a covered entity.” This means that a business associate might at some point handle PHI while care is being provided.

It is imperative that your healthcare organization establish business associate agreements (BAAs) with vendors. BAAs are legal agreements that define the vendor’s data protection responsibilities and hold the vendor to HIPAA regulations. “Make sure you have that BAA in place, so if something does happen, we know who’s responsible for what,” Sawyer II explained.

He went on to emphasize that the agreement language should be updated regularly. “Also, make sure the BAA isn’t from 1985. I’ve seen companies where the hospital signs a BAA with a company, and the agreement language was drafted before the cloud was even a thing. So even though you have an agreement in place, I promise you that it’s not relevant,” Sawyer II said.

Tip 4: Audit Vendors Regularly

Once the agreements are signed and you’ve done your due diligence to ensure the vendor meets the security and compliance requirements, you’ll still want to check up on the entity from time to time. Performing regular security audits will help ensure the vendors are maintaining their compliance while providing your organization with the software, equipment, or services you’ve contracted them for.

Tip 5: Trust No One

Adopt a zero-trust security model with your vendors. Zero trust is a security model that treats every user and every device connecting to your network as a potential threat, whether it sits inside or outside the organization. According to NIST, zero trust is an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” The agency goes on to define a zero-trust architecture (ZTA) as one that uses zero-trust principles “to plan industrial and enterprise infrastructure and workflows.”

“If an entity doesn’t need access to it, they absolutely, positively should not have access to it. This pertains to any third-party vendor, contractor, large vendor, or small vendor,” Sawyer II stated.

For example, if a shredding company comes into your practice to collect the bins of sensitive paperwork to shred, they should only have access to the room where the bins are located. They shouldn’t have access to the server room.

Tip 6: Know How to Respond in an Emergency

Lastly, you should know how a vendor will respond to a security incident. The vendor’s incident response plan should align with your healthcare organization’s policies.

“Read through and understand your third party’s incident response plan because if they have a breach and they have access to your systems, it’s going to be a cascading effect,” Sawyer II explained.

Mike Shaughnessy, BA, CPC, Development Editor, AAPC