Why You Should Care About Vendor Security Reviews
Have you ever wondered what would happen if your employee data were compromised? Whether it is an isolated incident in which one employee's data is exposed, or a breach affecting every member enrolled in a particular program, such data incidents are becoming more common.
Today, adding any new software into your benefits ecosystem involves more than just making sure the features and functions meet your needs. Sponsoring new technology comes with big risks since almost all modern solutions are ingesting, sharing and outputting highly sensitive employee and member data. While most software vendors will tell you that they will keep your data secure, how do you know for sure?
As you assess new vendors, you will undoubtedly conduct vendor security reviews to assess the security controls and practices of your vendors and third-party service providers. These reviews help identify potential vulnerabilities and risks that could impact an organization's security and help catalog all the vendors who have your sensitive data or access to your systems. However, does your vendor security review provide enough protection? Not only is your employee data at risk, so is the reputation of your organization should a data breach occur.
Once the initial vendor security review is complete, it is a best practice to conduct, at a minimum, an annual security review to confirm that your vendors are keeping pace with current security standards and remain compliant. Regulatory frameworks can also drive this cadence: under the General Data Protection Regulation (GDPR), for example, controllers may only use processors that provide sufficient guarantees of appropriate technical and organizational measures, which in practice means ongoing due diligence rather than a one-time check.
At Abett, we build innovative solutions designed to deliver transparency, competition, and accountability to the healthcare system. That means we work with the most sensitive data there is, including many forms of PII and health data. As a result, we are demanding about data security, ensuring the right controls are in place to protect our clients from a breach.
Given our experience successfully completing some of the most rigorous security reviews in the industry, we want to highlight some things to consider when conducting vendor security reviews.
Ask the right questions!
When you begin your security review, it's best to create a list of standard questions that will help you continue to learn about the vendor while assessing any risks to security. Deciding what vendor information you need in order to make an informed decision can be daunting. Some questions you could consider include:
- What will the service or solution enable us to do that we can’t do today?
- How will our employees interact with it?
- What sort of data will we send to it?
- Where will the data be stored, and in which regions or jurisdictions?
- What data will we be able to get out of it?
- Do we need to integrate this solution with other vendors’ solutions we use?
- What sort of logging and monitoring is in place, and who reviews it?
- What happens to our data when the service is terminated, and how is deletion verified?
- What’s the worst thing that could happen from an availability or security perspective?
Assess the vendor’s security qualifications
Thanks to internationally recognized security assessment frameworks, it's easy to quickly rule out vendors that don't take security seriously, especially when it comes to sensitive healthcare data. Ask your prospective vendors to supply the following reports, attestations, or plans:
- A SOC 2 report (ideally Type II, which covers controls operating over a period rather than at a point in time)
- A completed Cloud Security Alliance CAIQ (Consensus Assessment Initiative Questionnaire)
- HITRUST CSF certification
- Evidence of adherence to the HIPAA Security Rule
- Evidence of adherence to the HIPAA Privacy Rule, including willingness to sign a Business Associate Agreement (BAA) where the vendor will handle protected health information
- A security incident response plan that has been tested, not just written
- Documentation of the controls in place for encryption (at rest and in transit), access control, logging, detection and monitoring
If your prospective vendor does not readily have these documents available, that could be a red flag and may be indicative of their overall commitment to data security. Collecting the documents is only half the job: read the SOC 2 report's scope, audit period and any noted exceptions, and check that the systems in scope are actually the ones that will hold your data.
As an example, during our sales cycles, Abett will freely share these reports and plans and provide additional details about our security protocols. Expect the same from any vendor or partner.
Partner with your IT and Security Team
The most successful vendor reviews include cross-functional teams. It is a best practice to include your IT and Information Security teams early in the RFP process to ensure that the capabilities they care about are included in the vendor questionnaire. Based on our experience, your IT partners will likely want documented information on the following:
- Single Sign-On (SSO) integration for web-hosted tools, typically via SAML or OpenID Connect, so access can be governed by your identity provider and revoked centrally
- Details of the logging and monitoring the vendor has in place, and whether logs relevant to your data can be shared with you
- A security whitepaper or other architecture documentation from the vendor
Abett, for example, readily supplies a security paper that describes the security by design principles and explains how your data is protected from unauthorized access or modification.
Expect Continued Support
Given the importance of data security and the risks involved with a data breach, vendor security reviews shouldn't be thought of as a one-and-done activity. Rather, once you make your vendor selection, that vendor should remain dedicated to protecting your data for the life of the relationship.
You should expect the following from any vendor you select:
- They initiate and support annual security reviews rather than waiting to be asked
- You are briefed when key security contacts join or leave, and you always have a current way to reach them
- They provide updates when security certifications and attestations are renewed, change scope, or lapse
- They provide their plans for meeting any new security requirements or standards that affect your data
- You are notified promptly, within the window defined in your contract, of any material risks, incidents or breaches affecting your data
To show its commitment to data security, Abett publishes a list of named roles within the company and those employees' responsibilities with regard to data protection. Each officer is responsible for regularly reviewing and updating their assigned policy as needed, for communicating changes to the appropriate constituents, and for enforcing the policy or policies assigned to them. Look for similar levels of transparency in all your vendors.
Conclusion
At Abett, we know that reviewing benefits systems and implementing new solutions can be a complicated process because of the sensitivity of the data involved. Benefits plan administrators have a fiduciary responsibility to be good stewards of employee data. By taking data security seriously and ensuring that your data is protected from unauthorized access or modification, our goal is to lessen the worry about data security and let you focus on running the benefits plan. At Abett, security isn't a bolt-on solution. Rather, our solution was architected from the ground up to follow cloud security best practices. Our solutions were built from the start as a secure storage SaaS, following modern principles of least privilege, redundancy, and security by design. Strong security design is our first principle.
To learn why Abett passes every vendor security review with flying colors, reach out today.