Control vendor access
Four questions you should ask before signing a contract
HIPAA Training Advisor, December 1, 2005
Before going to the table with a vendor, Kate Borten, CISSP, CISM, president of the Marblehead Group in Marblehead, MA, and Stanley Lyzak, BSEE, CISSP, MCSE, CCNA, A+, network security engineer, advise answering the following questions:
- What type of access should the vendor have?
Access options include a dial-up modem connection or a virtual private network (VPN). A VPN is the typical choice, but a modem may be useful because hackers are less likely to use one, Lyzak says. A VPN has its own advantages, however: "It offers simpler, fine-grain control and better monitoring."
Decide whether you want the vendor to access systems directly or through your network. Direct access confines the vendor to a single system, which limits the damage a misused or compromised vendor connection can do, but it becomes unwieldy with multiple vendors and systems. A network connection, on the other hand, is easier to monitor and more efficient, Lyzak says.
- Is the vendor accessing a critical system?
The answer to this question determines how much effort to put into access control. A critical system (e.g., one that contains PHI) needs more protection than a firewall alone.
A critical system probably has several points where access can be controlled, such as password sign-ons and network switches. Make the most of these control points by requiring authentication at each one, rather than relying on a single check at the perimeter.
"Understand where to best control this access," Lyzak says. "It could be multiple places."
- How will you authenticate the vendor into your system?
Authentication should use encryption so that vendor credentials never cross the network in the clear, and it should follow your organization's own password rules, Borten says. "Don't allow vendors to set the passwords and have them be generic forever." Instead, require a unique password for each individual vendor user, and require that it be changed periodically, just as you would for your own staff, she says.
- How will you monitor the vendor's work in your system?
Follow this basic rule for monitoring vendor access: Know who did what, when, where, and how, Borten says. Make sure someone at your organization who knows what to look for is responsible for reviewing vendor access. Watch for activity outside the norm (e.g., late-night access by a vendor that usually connects at midday, or larger-than-usual data transfers).
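The rule above (record who, what, when, where and how, then flag what falls outside the norm) can be turned into a simple review script. The following is an added example, not code from the newsletter or from Borten or Lyzak. The log format, the vendor account names, the IP addresses and the thresholds are all assumptions constructed for illustration; the "norm" for each vendor account is learned from that account's own other entries, so no hand-written schedule is needed.

```python
"""Flag vendor access that falls outside each account's own norm.

Constructed example. Each log line carries the who/what/when/where/how
record the text asks for: timestamp, vendor account, source IP, access
method, action and bytes transferred. For every event the script builds a
baseline from the same account's OTHER events (leave-one-out) and reports
off-hours access, oversized transfers and never-before-seen source
addresses. Accounts with too little history are reported as such rather
than silently passed, because "nothing flagged" would be misleading there.
"""
from datetime import datetime
from statistics import median

# Thresholds: assumptions for this example, tune them to your environment.
MIN_HISTORY = 3       # other events needed before an account has a usable baseline
HOUR_TOLERANCE = 3.0  # hours away from the account's usual time of day
SIZE_FACTOR = 5       # multiple of the usual transfer size that counts as large

# Constructed sample log (not real data). Columns:
# timestamp  account  source_ip  via  action  bytes
SAMPLE_LOG = """\
2005-11-01T12:05:00 acme-svc    203.0.113.10 vpn   file_read     120000
2005-11-02T12:40:00 acme-svc    203.0.113.10 vpn   file_read     95000
2005-11-03T13:10:00 acme-svc    203.0.113.10 vpn   file_read     110000
2005-11-04T11:55:00 acme-svc    203.0.113.10 vpn   file_read     130000
2005-11-05T12:20:00 acme-svc    203.0.113.10 vpn   file_read     100000
2005-11-07T02:15:00 acme-svc    198.51.100.7 vpn   file_read     2400000
2005-11-01T09:00:00 bio-support 192.0.2.44   modem config_change 2000
2005-11-03T10:30:00 bio-support 192.0.2.44   modem config_change 1500
2005-11-06T09:45:00 bio-support 192.0.2.44   modem config_change 1800
2005-11-08T10:10:00 bio-support 192.0.2.44   modem config_change 1700
2005-11-08T23:50:00 new-vendor  203.0.113.99 vpn   file_read     50000
"""


def parse_log(text):
    """Turn each log line into a who/what/when/where/how record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src, via, action, nbytes = line.split()
        dt = datetime.fromisoformat(ts)
        events.append({
            "who": account,
            "what": action,
            "when": ts,
            "where": src,
            "how": via,
            "bytes": int(nbytes),
            # fractional hour of day, used for the time-of-day baseline
            "hour": dt.hour + dt.minute / 60,
        })
    return events


def hour_distance(a, b):
    """Distance between two times of day on a 24-hour circle (23:00 vs 02:00 is 3h)."""
    d = abs(a - b)
    return min(d, 24 - d)


def review_vendor_access(text):
    """Return the events that deviate from their account's norm, with reasons."""
    events = parse_log(text)
    by_account = {}
    for e in events:
        by_account.setdefault(e["who"], []).append(e)

    findings = []
    for e in events:
        history = [h for h in by_account[e["who"]] if h is not e]
        reasons = []
        if len(history) < MIN_HISTORY:
            # Too little history to say what "normal" is: surface it, don't hide it.
            reasons.append("insufficient_history")
        else:
            usual_hour = median(h["hour"] for h in history)
            usual_bytes = median(h["bytes"] for h in history)
            if hour_distance(e["hour"], usual_hour) > HOUR_TOLERANCE:
                reasons.append("off_hours")
            if e["bytes"] > SIZE_FACTOR * usual_bytes:
                reasons.append("large_transfer")
            if e["where"] not in {h["where"] for h in history}:
                reasons.append("new_source")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_vendor_access(SAMPLE_LOG):
        print(f"{f['when']} {f['who']:12} {f['what']:14} from {f['where']:13} "
              f"via {f['how']:5} {f['bytes']:>8} bytes -> {', '.join(f['reasons'])}")
```

On the sample data the script reports the 02:15 acme-svc session as off-hours, an oversized transfer and a new source address all at once, and reports new-vendor as having no baseline yet. Medians rather than means are used so that one large or late event does not drag the "norm" toward itself. In practice the baseline would be built from a trailing window of the vendor's history rather than the whole log, and the findings still need the reviewer the text calls for: someone who knows whether that 02:15 session was a scheduled maintenance window or something to investigate.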
Editor's note: Adapted from "Control vendor access with a strong agreement" Briefings on HIPAA, November 2005.