
HIPAA Healthcare Vendor Contract Analysis Review Example

November 15, 2014

Review of your IT Systems

  • Contracts
  • Scope
  • Service Level Agreements
  • Business Associate Agreements
  • Defined SLAs, Business Associate Agreements and deliverables, including:
    • Review of current processes
    • Review of the procedures that support compliance

The core of the review is to identify ownership of, and performance against, each of the following:

  • Security patch management
  • Event logging
  • Event escalation
  • End-point security
  • Incident scoring and handling
  • Incident investigation process
  • Security investigations
  • Breach report metrics
  • Breach reporting process
  • Alert process handling
  • Alert notification

Review the implemented technology solutions to assess how effectively they support the preferred corporate security posture and compliance requirements, covering the design, implementation and effectiveness of:

  • Firewall architecture
  • Network architecture
  • IDS/IPS
  • SIEM
  • Event Log centralization and analysis
  • Service desk solution
  • Data Loss Prevention solution
  • Effective integration of these solutions

Secure collaboration

  • Secure email process and/or procedure
  • Secure device use and control enforcement to manage corporate data
  • BYOD posture and Acceptable Device Use agreement
  • User privacy communications and executable agreement

Management review of current program

Identify the documented contractual commitments behind the solution processes currently in place, including:

  • Vendor provided organizational effectiveness
  • Established processes, core values, and attributes to accomplish security goals and objectives
  • Clear definition of the roles and responsibilities of the vendor partners and corporate team
  • Administrative and functional structure to determine resource assignments and coverage of the processes required of the corporate security program
  • Knowledge of the processes necessary for the vendor partners to accomplish their tasks
  • Analysis and mapping of who, what and where to the overall corporate security program design, fulfilled with a GAP report as appropriate

Program Analysis and recommendations phase

Provide a spreadsheet mapping each identified gap to its risk and recommendation. Compare and contrast the corporate security posture against:

  • Corporate policy
  • NIST
  • MARS-E
  • FedRAMP (FIPS 199)
