A CIO Outlines Key Vendor Risk Management StepsInspira Health's Tom Pacek on Reducing Third-Party Risks
Inspira Health, a healthcare delivery system based in Vineland, New Jersey, has taken several key vendor risk management steps, says CIO Tom Pacek, who describes the effort.
"It requires that [vendors] have the proper tools, policies, procedures and practices in place to do the same thing that we would do with our data," he says in an interview with Information Security Media Group.
"That is a challenge because we are not in their organizations; we don't know exactly what they're doing; we're trusting that our vendors are complying with all the regulations and doing all the right things by our data," he says. "It is a challenge to monitor that."
To get a better grip on those issues, Inspira Health evaluates the security practices of vendors in multiple ways, he says. That includes using security assessment tools to evaluate vendors before signing a contract with them
In addition to putting into place business associate agreements with every vendor, Inspira Health also requires prospective business partners complete security assessment questionnaires.
"We have a HIPAA BA screening assessment that we send to every single vendor that's going to be working with us. How they score on that sheet ... determines how much risk we're taking on with that vendor and how secure and up to date their policies, procedures and practices are when handling our data."
In the interview (see audio link below photo), Pacek also discusses:
- The types of security practices and controls that Inspira Health looks for in its vendors who handle patient data;
- Other steps Inspira Health has taken to improve vendor risk management;
- Top security priorities for the coming year.
Pacek has been a member of New Jersey-based Inspira Health's leadership team since 2008. As vice president of information systems and CIO, he is responsible for leading IT functions and integrating new technologies. Pacek also leads the information systems, communications and biomedical engineering departments in other strategic clinical and financial projects. He also serves as the president of NJSHINE, a public health information exchange.