Even for the most seasoned radiologists and hospital administrators, the rapid advances in new technology such as cloud storage, Web-based software and mobile apps may leave some wondering where to start when vetting healthcare IT vendors. Those who feel this description fits them are not alone; a session on this topic was packed solid during the 2014 Healthcare Information and Management Systems Society (HIMSS) annual meeting in February.
“Outsourcing data or applications to a cloud provider does not mean you should be hands-off — you need to conduct due diligence and monitor the vendor’s performance. You are ultimately responsible for the confidentiality, integrity and availability of your patients’ data,” explained attorney Steven Fox, principal, Post & Schell PC, which specializes in healthcare data protection and breaches. “In a cloud, your data is not directly under your control and that makes me nervous and it should make you nervous too.”
He contends vendors need to be held accountable and maintain complete transparency if they are going to be responsible for your data. For this reason, when evaluating vendors it is important to identify how each vendor handles a security incident involving protected health information, added Lee Kim, director, privacy and security, HIMSS, who also spoke at the session. She said providers need to assess the steps vendors use to ensure medical devices, applications and patient data are secure and meet HIPAA and other regulatory requirements. This includes how the vendor would handle the loss or theft of a device, or of data that may contain patient information such as credit card or social security numbers that might be used for fraud. “The less you have to deal with data losses and breaches the better,” said Lee.
Gathering Data on Prospective Vendors
Fox said it is important to learn as much about a vendor as possible before they store your data. He suggests evaluating vendors to see if their technology is consumer- or medical-grade quality, and added that the maturity of their technology may also play a role in security. In addition, look at the personnel handling the data for the vendor. “If a vendor is resistant or hesitant in sharing information or says ‘that is none of your business,’ then maybe that is not a vendor you want to work with,” Fox said. “You need them to be as transparent as possible.”
When approaching vendors, especially those a provider has worked with in the past, he suggests maintaining the mindset that vendors are not your friends. “They are your business partners, and you need to look at them that way,” Fox said. “Even if Jim the vendor is your friend, you need to do your due diligence. What do you know about this vendor? You want to ask a lot of questions when you are talking to a cloud vendor.”
Use RFP as an Accountability Tool
Fox said facilities should come up with a list of very specific questions they want answers to when evaluating cloud vendors. These should be written into the request for proposal (RFP) that is sent out to prospective vendors to force them to answer each point. When a vendor is chosen, the responses in their RFP should be included in the final contract language. If a vendor resists this, it might mean they were trying to say what they thought you wanted to hear rather than what they can actually deliver. Fox said he has had vendors backpedal on these points when the information was written into the contract, which helped clarify the reality of what that vendor could truly offer.
Fox has a standard list of questions for cloud vendors, including:
• Is the data stored in the United States or outside the country?
• How will the vendor use the data? Often vendors will de-identify patient data to resell for research or big-data analytics. However, Fox said even if the data is de-identified, it might be possible for people who are very tech savvy to pull a patient’s identification, partial identification or other information from the data. For this reason he suggests asking the vendor to indemnify you for any loss or breach of patient data.
• Is data stored in a proprietary format or is it readily readable and convertible to other systems? This will be important if a facility needs to migrate its data to another vendor.
• Does the vendor have a disaster recovery plan for data backup? If not, Fox said you might not want to use the vendor in case there is ever a flood, hurricane, tornado or fire where the data is stored. Also, he suggests thinking outside the box. He said an upper story of a building can still flood or suffer water damage if a water or sprinkler pipe leaks or a toilet overflows.
• What happens if a vendor goes bankrupt or out of business?
• Has the vendor demonstrated the ability to successfully create interfaces to your particular system? If so, Fox suggests asking for contact information at the previously interfaced facility to speak with them directly and hear their view of how the system works.
• Will the hospital still have access to the data if there is no Internet access? Fox said issues with weather or an Internet provider may cause loss of Web access. If that happens, the hospital may want to keep a copy of the data onsite as a backup.
• Does the vendor have any third-party certifications?
• Fox suggests asking for copies of a vendor’s data and site security policies. Many small vendors may not have these, which could raise a red flag to their plan or ability to properly secure your data.
• How long will it take to recover data after a disaster?
• Does the vendor contract out its cloud storage to subcontractors?
• Is the license perpetual or only for a set time limit? Some software licensing fees are for set periods, say seven years, after which the vendor charges the fee again.
• Include acceptance testing in the contract to ensure the technology works with your systems.
Fox also suggested including any warranties in the RFP. He said to make sure these include compliance with the documentation and specifications listed in the contract, interoperability/interfaces, compliance with laws and regulations, security and virus protection, and language to address sunset issues.
Fox offers the advice to never accept a vendor’s standard contract. He also warns that every word in a contract has meaning. Most contracts need edits to address the concerns above. “The contract is really, really important — you want to have a solid one,” Fox said. “The vendor might say ‘none of our other vendors have made this many contract changes,’ but it is important that every word of a contract is read.”
Look in the vendor’s contract for language for limitations of liability or indemnification. Fox said some vendors want you to indemnify them against issues with use of their software.
When finalizing a contract, he suggests not accepting PDFs — they are difficult to edit and often delay the contract signing. Accepting a draft contract in Microsoft Word is best, but make sure to ask for an unlocked copy so edits can be made or notes added.
As a final suggestion, Fox urged not getting involved with vendors who want help co-developing software. He suggested not getting involved in software development clauses, which often result in an IT project becoming a money pit.