Every scanning customer cares about their files and information. And no one ever designs a web site, a process or any other customer-facing secure system thinking that being hacked or losing customer data is going to be “Ok”! So how come there are so many examples of major companies being hacked, or of companies having to report data breaches to their customers? The answers are simpler than you would expect.
How Security Works
I am going to try and share how I think of this whole process and give some recommendations on what anyone talking to a vendor should ask and look for, both as red flags and as reassuring signs. Let’s start out with what security is all about. The bottom line to security is letting the people who need to see stuff see it, and keeping the people who are not supposed to see it from seeing it. When we are dealing with paper records, their security is mostly about physical security. You want to be able to lock the doors/drawers/cabinets and keep people from being able to see (or get to) the paper that you do not want them to see. Paper also has a built-in limit on theft. Stealing hundreds of thousands of records would take trucks and hours of labor from a group of people boxing up and carrying off your paper. And the loss of those records is very easy to notice. But once we have converted these records to an electronic format, it is much easier for bad guys to copy all of your records and in most cases walk away with something smaller than a sandwich… and if you are connected to the internet, they may never have even needed to come into your office.
What are Security Standards?
While electronic records dramatically improve most business processes, they also add risks that need to be mitigated by well-designed systems and processes. HIPAA and HITECH are the Government’s attempt to help protect us as consumers. They are a set of guidelines designed to protect our private information from being disclosed to the wrong parties. But as guidelines, they are very much like the safety standards imposed on the car industry: a set of minimum requirements that everyone is supposed to follow. And while all new cars meet or exceed those standards, that does not make every car on the road equally safe! In the automotive world, Consumer Reports® and other sources do independent reviews of the safety, comfort and price of a car. So when a manufacturer says their car is safe, you have an independent way to verify and compare their answer against your other choices. In the scanning world it is not quite that simple, but there are ways to find out how well a vendor compares to others without having to be capable of doing those in-depth technical comparisons yourself.
Take Advantage of the Work Other People Have Done!
The simplest way to track down the answer to security is to let someone else do it for you, and to have them do it for free! When you talk to a vendor, they will all have lists of references, and a reference is an easy way to find many of these answers. The bigger a reference company is, the more likely they have done their own security audit of the vendor. When you call the reference, ask them that exact question: “Did you do, and do you keep doing, security audits of the vendor?” If none of their references have done an audit, that should be a Red Flag. Also ask questions to make sure that how you will use the vendor’s services reasonably compares to how the reference uses their services. And as you already know, if they do not have references, that is a huge Red Flag. The equivalent of a customer audit is an independent external audit of the vendor by a professional auditing agency. There are many large auditing companies that will come in and review whether the vendor is meeting a set of security guidelines (like HIPAA and HITECH). Do not confuse an external audit with an internal audit. An internal audit is the vendor looking over their own process and deciding they comply. An external audit by a non-qualified source should also carry very little weight. If I paid my mom to audit our company, she is both biased and unqualified to do the audit (sorry mom). Make sure you look up the agency that performed the audit to confirm that their opinion is one you can trust.
How Security Breaches Happen
If security is something that can be accomplished, how come so many people have failed? It is probably most helpful to think about how breaches happen, and then to see how to identify those risks as a customer. I like to think of risks in two broad areas: human error and poor implementation/design. The question to start with is asking a vendor how long they have been in business and whether they have ever had a breach. A long history of doing business while successfully protecting information is a very positive sign. Poor design and implementation are normally caught by audits and/or by time. If a vendor is failing in this area, it is going to catch up with them, and most good audits will expose that weakness. The hardest security risk to detect is human error. Human error is a combination of management style, employee attention to detail and training, and it culminates when an employee does or does not do something that has unintended consequences. It can be as simple as copying a file to the wrong place or setting the wrong security parameter, and as complicated as implementing a patch incorrectly. There is never a way to completely prevent human error. But staffing is the easiest way to spot this challenge. How much staff turnover happens at the vendor? Does the vendor use temp labor? How big is the staff at the vendor? When you ask these questions, look for answers that do not fit with your job. If you are shipping them 1,000 boxes of paper to be scanned and stored and they have a staff of 4… where are the other 30 people they will need to process your job in a timely manner? How a vendor handles the challenges of variable staffing will tell you a lot about the types and numbers of employees they rely on. Mismatches between staffing and the vendor’s day-to-day needs should be Red Flags.
List of Questions to Ask Vendors:
- How long has the vendor been in business?
- Is the vendor HIPAA/HITECH (insert your industry standard here) compliant?
- Have they ever had a security/privacy breach either electronically or physically?
- Do they have a list of customers?
- Do they have a list of references you can contact?
- Ask the references what services they use from the vendor and how long they have been using them for that service.
- Ask the references if they do and continue to do security audits of the vendor.
- Does the vendor have an external security audit completed annually?
- Can you get a copy of the audit certificate?
- Is the auditing agency a good, well-known choice to perform this type of audit?
- What does the vendor’s staffing look like?
- Can the existing staffing handle your workload and time frame for delivery?
- Does the vendor use temp laborers?
- What does management turnover look like (how long has the average manager been with the vendor’s company)?
- What does employee turnover look like (how long has the average employee been with the vendor’s company)?
These are a few other sources to help you with these processes and to understand the risks that are out there:
- The federal government breach notification listing
- The federal government summary of HIPAA
- The federal government HITECH rulemaking and implementation update
- The Better Business Bureau’s® guide to Security and Privacy