The intersection of compliance and third parties: How to stay compliant

August 23, 2021

Let’s face it: When it comes to data security, ensuring your company’s compliance can be a headache, no matter the industry. Unfortunately, this problem is made even worse by the realization that compliance requirements extend beyond your internal operations. In other words, if your third-party vendors aren’t compliant, neither are you. To lighten your load a bit, here’s a guide for those in the health/medical, financial, and government-related industries to help you make sure your third-party vendors are as compliant as you are.

HIPAA/HITECH compliance

The number of data breaches in the healthcare industry is skyrocketing, thrusting the field into the forefront of data security discourse The Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) are two sets of regulations that ensure the confidentiality, integrity, and availability of physical or electronic personal health information (PHI/ePHI). In essence, they are the foundation for compliance in the healthcare industry. Any company that handles PHI and/or ePHI is responsible for assuring HIPAA/HITECH compliance internally, as well as with any third-party vendors with access to personal health data. Insufficient data security measures are a real threat to medical patients around the country, as 56% of provider organizations have experienced a third-party or vendor breach. In order to protect against third-party breaches, the HITECH Act introduced legislation in 2013 aimed specifically at regulating vendors under the larger HIPAA umbrella. In the legislation, vendors are referred to as business associates (BA). Anyone who has been granted access to PHI/ePHI is required to comply with all HIPAA regulations (and the same goes for any party that has PHI/ePHI passing through their system). Before being granted access to PHI/ePHI, third-party vendors must sign a business associate agreement (BAA), which contractually binds them to HIPAA compliance. However, staying compliant in a large network that includes many third-party vendors can be difficult. Here are some tips to help maintain compliance:

  • Don’t assume a signed BAA automatically ensures compliance. Vet your vendors’ security measurements before onboarding and audit them periodically to ensure they’re upholding strict compliance.
  • Remember, BAA requirements aren’t limited to those who directly access ePHI. Even those vendors who simply have ePHI pass through their software are required to sign a BAA. HIPAA compliance applies to anyone and everyone who touches PHI.
  • Require subcontractors to sign their own BAA. Subcontractors are business associates of your business associates, which creates a bit of a confusing chain. What’s not confusing is this: Each individual entity that touches PHI/ePHI is required to sign their own BAA.

The end goal of HIPAA and HITECH regulations is to keep patient data safe, not to make things more complicated for healthcare organizations; but keeping patient data safe is a lot easier said than done. After all, many healthcare facilities are still manually collecting patient information, so maintaining HIPAA compliance is already exhaustive from the start of the patient experience. Fortunately, there are solutions that allow healthcare teams to think smarter, not harder, about how to remain compliant while also ensuring the privacy of their patients. HIPAA-compliant online forms make collecting sensitive patient data quicker and safer and for both the patient and hospital staff. Online forms can also be used to get patient signatures and documentation, and they integrate with most HIPAA-compliant software that already exists in healthcare IT systems. There are also HIPAA-compliant online BAA’s to make it easier for hospitals to track agreements across large networks of third-party vendors. 

PCI DSS compliance

PCI DSS compliance is a sweeping set of industry standards that apply to any business that accepts credit card payments. It aims to keep financial information secure – and it works. In 2019, Verizon reported that it has never investigated a payment card security data breach for a PCI DSS compliant company. Our blog has previously outlined the specifics of the four merchant levels of compliance classification, but the heart of PCI DSS compliance comes from 12 mandatory security controls. Adhering to these five controls, in particular, can help you ensure the compliance of your vendors:

  • Do not use vendor-supplied defaults for system passwords and other security parameters. In addition to maintaining a hardened firewall, ensure your company restricts access to your cardholder data environment (CDE) to only authorized, multi-factor authenticated users. This means that everyone, even vendors, should have their own unique credentials.
  • Restrict access to cardholder data to a minimal degree through least privilege. It’s crucial to restrict traffic to and from CDE to established connections from only authorized and authenticated users. Invest in software that allows you to customize access privileges; each user should only be able to access the data that’s necessary to complete their assigned task.
  • Assign a unique ID to each person with computer access. Customizing credentials for each user has the dual benefits of being able to track and restrict individual user activity.
  • Track and monitor all access to network resources and cardholder data. Ensure you have the capability to perform detailed audits of all third-party remote access user sessions.
  • Maintain a policy that addresses information security. This includes a hardened firewall, third-party access management, comprehensive auditing, and strong cryptography standards.

CJIS compliance

The FBI’s Criminal Justice Information Services (CJIS) represents one of the most substantive sets of cybersecurity standards in any industry. CJIS requires that any entities that access or manage sensitive US Justice Department information follow strict compliance guidelines to protect national security while preserving public civil liberties. Wireless networking, data encryption, and remote access comprise the backbone of CJIS policy.

If a company does not have the capacity to undergo extensive audit procedures (including that of their third-party vendors), it is not CJIS compliant.

In order to stay compliant, businesses and government entities must meet the requirements for these 13 security policy areas:

  1. Information Exchange Agreements – Companies that access criminal justice information (CJI) are required to have workflows in place in several areas, including, but not limited to: audits, hit confirmation, logging, pre-employment screening, and timelines.
  2. Security awareness training – Anyone with access to CJI must complete security training within six months of receiving the CJI.
  3. Incident response – Breaches and “major incidents” must be reported to the Justice Department.
  4. Auditing and accountability – Audits must be provided for login attempts, actions by privileged accounts, attempts to access/modify/or destroy history or log files, and more. The same applies to third parties users; they should be tracked at least as closely as internal users.
  5. Access control – Criteria must be defined and should be based on job, location, network address, and/or time restrictions.
  6. Identification and authentication – Similar to access control, everyone who is authorized to access CJI must have unique identification and authentication (password, token, PIN, or another multi-factor identification method). This rule applies to both internal users and third parties: Everyone must have unique login IDs.
  7. Configuration management – Any changes to the information system platform, architecture, hardware, software, and procedures must be documented.
  8. Media protection – Policies and procedures must be documented for digital and physical media storage, access, transportation, and destruction.
  9. Physical protection – Physical media must be secure.
  10. Systems and communications protection and information integrity – Applications, services, and information systems must be secure.
  11. Formal audits – All entities are subject to formal audits by the FBI and other agencies. Vetting third-party vendors before hires, as well as ongoing compliance audits, will protect you from failing formal audits.
  12. Personnel security – Everyone with access to CJI is required to complete security screening during hiring, termination, transfer, and other employee/third-party lifecycle events.
  13. Mobile devices – CJIS has specific requirements for network access via mobile devices.

Customization for access control of individual users is key in assuring CJIS compliance.

To be compliant, ensure your vendors are compliant

Depending on your industry, specific rules of data security compliance can vary greatly. But the one constant that remains, no matter what, is that when your vendors aren’t compliant, you’re not compliant. Many data breaches and ransomware attacks start with vendors’ access to networks, applications, and servers, so here’s our best piece of advice: Cover your bases (and protect your data) by vetting your vendors before bringing them on, and invest in software that’s equipped with comprehensive third-party audits and other technical controls.