• E-mail
• Print
• RSS

Tip: Tips for outsourcing VPN implementation and maintenance

HIPAA Weekly Advisor, December 27, 2002

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

If you decide to hire a vendor or contractor to assist with the implementation and maintenance of your virtual private network (VPN), negotiate as many details up-front as possible so that questions during the term of the contract can be resolved quickly and easily.

Consider the following points in your negotiation:

• Write out the expected time frame for completion of work. Don't leave the contract open-ended.
• Determine penalties up-front. Although you may simply withhold payment if a job is botched, in some cases a vendor may not finish the project satisfactorily. Penalties between 8% and 15% of the total costs are often negotiated for contracts that are not completed satisfactorily.
• Identify who will be doing the work. Make sure that the vendor specifies the qualifications of the employees who will actually touch your system. Check that they have experience performing the same type of work they are bidding on.
• Check references. Request references from other health care organizations as similar to your own as possible.
• Delineate roles and responsibilities clearly. Whether you're hiring a vendor who will hand off the VPN to in-house staff or a company you will have an ongoing relationship with, it's important to define responsibilities.
• Consider the cost of rework and unanticipated changes. If a change in a project is unanticipated, you can't define exactly what it will cost. But you can start the project by understanding that a successful implementation will likely involve some work that falls outside the scope of your contract. Negotiate an hourly rate with a vendor for time spent on these items.
• Establish clear outcomes for the project. Decide on performance requirements at the start of the project. Will you measure success as one person connecting to the VPN at a certain time or 200 users connecting simultaneously?
• Outline each party's responsibilities upon termination. Require notice if your vendor intends to terminate your contract. Ensure that if your vendor quits, you will be able to replace the services without interrupting the organization's workflow.
• Identify specifics of the engagement. Spell out in the contract how often you will meet with vendors, how many telephone consultations you expect to have, and what other expectations you have for how much time you expect them to commit to the project.
• Insist on a demonstration of the product on your network. A VPN may work well in the vendor's perfectly configured environment. But there's only one way to know how will it work under the real demands of your organization. Require that the contract include a satisfactory trial period for the product before you roll it out.
• Ask about disaster recovery. How does your vendor intend to keep you in business during a disaster at his company? Get satisfactory assurances that your vendor partners have continuity plans in place that meet your needs.
• Check reliability and stability ratings for your vendors. The Gartner Group and other sources of information provide insight into vendors' track records and likelihood of staying in business.
• Find out whether the vendor outsources or uses other vendors' products as components. Identify these partners and determine whether they are under contract to continue supplying components. If the component is important enough, you may want to specify requirements for replacement.

Editor's note: From the December 2002 issue of Healthcare Information Security.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive