Does Your HIT Vendor Contract Leave Your Organization Exposed and at Risk?

While no practice, hospital, or health system can ever be wholly guarded against cybersecurity threats or risks, health information technology (HIT) vendors represent one of the highest risk areas in an organization’s cybersecurity structure. Vendor contracts are an appropriate place to address cybersecurity and establish requirements for vendors to reduce the risk of exposure.Performing a “vendor due diligence” is crucial when selecting a vendor, as well as on a continual basis, and should start with the contract. Price and performance can no longer be the only benchmarks for evaluating a vendor.

Security risk management must also play a role when considering the process of assessing and contracting.If your expectations for cybersecurity from your third-party vendors aren’t clear, you increase your organization’s risk significantly. What do you want your vendor to be held accountable for as it relates to cybersecurity? For example, you may want to hold your vendors to a right to a security audit or assessment or industry-specific compliance standard. It is never too late to return to previous contracts to ensure your agreements define cybersecurity or breach of security.Vendors will use their own terms when given the opportunity, which are usually one-sided, intending to protect the vendor and not your organization. If you sign the standard “boilerplate” contract without your provisions, you will accept all the risk with little recourse.

Cybersecurity can be an afterthought with contracts, but it is critical at the contract level as the instances of data breaches rise. Organizations don’t want to wait until a cyber-attack occurs to review the terms of the contract, only to find out the vendor has limited liability for the damages.Addendums can always be attached to new or existing master service agreements, even if the vendor drafts those agreements.Following are just a few terms that are vital to address:

• Who has access to the organization’s IT systems and use of data?
• Are there compliance standards to keep systems and data secure with industry standards, laws, and regulations?
• Is there a requirement to notify you of security breaches and vulnerabilities?
• Is the vendor obligated to return or destroy your company’s data in the event of a violation?
• Who has the right to audit and review documentation and results of previous audits?
• How is risk allocated in the event of a data breach or other security situation?

The healthcare organization must know and understand the contents of its third-party vendor contracts. This awareness is especially important in light of increasing cyber-attacks. You have everything to lose if you don’t take seriously the security vulnerabilities and risks caused by your vendor relationships. And you have much to gain, including peace of mind, if you protect your organization at the contract level.