Tips for vendor contracting for better info security
BOSTON—Providers can improve their information security by taking steps early on in the vendor contracting process, according to a panel discussion at HIMSS’ Privacy and Security Forum on Sept. 8.
Organizations need to reach a consensus before signing on the dotted line, said Stephen Fox, principal of Post and Schell law firm. Without consensus, “you have a situation where it’s even harder to talk about successful implementation.” You don’t want to shove a system down someone’s throat.
Requests for proposals (RFPs) are really important, Fox said. List your desired functionalities, he said, because that forces the vendor to respond directly to those. “If it’s not in the contract, it might as well not exist.”
Fox also recommended never telling a vendor they have been selected. “Say they are your first choice but if the negotiations don’t succeed you will walk. Unless you’re willing to walk, you have no leverage. The vendor needs to know it’s not a done deal.”
If vendors can’t help organizations comply with regulations, they are not legitimate contenders, said Daniel Schroeder, partner-in-charge, information assurance services for Habif, Arogeti & Wynne. Winnow them down with fundamental questions, such as how they perform risk analysis, what controls they have in place and how they know those controls are effective. He has found that vendors can answer those questions in 10 to 12 minutes or 10 to 12 months.
Fox recommended that organizations find patient people who know how to negotiate. “I ask people if they enjoy buying a car” because those are the people ideal for the process, he said.
Provider organizations and vendors also must agree on what constitutes first productive use, Fox advised. “Make a mutual decision that is not just when the vendor says.”
Providers also should advocate for acceptance testing, Fox said. Vendors often say the auditors won’t let them do that, but he then asks for the number so he can call the auditor himself. “I’ve never had to make that call.”
Fox also cautioned providers against agreeing to no liability. “Many people say that’s in their insurance policy but those policies have an exclusion and won’t cover for vendor mistakes. Assumed liability is a dangerous area.”