New Rules for Vendor Compliance

John Moynihan


June 1, 2014

If you are a health care vendor, financial or retail service provider, or federal government contractor, additional compliance responsibilities are on your horizon. In response to the unprecedented growth of outsourcing, hosting and contract employment, and in light of several high-profile vendor breaches, regulators have been focusing on the expansive third-party service provider community. Although often overlooked, third-party compliance has become critical for vendors who serve highly regulated industries.

The Health Insurance Portability and Accountability Act's (HIPAA) Omnibus Rule, Payment Card Industry (PCI) 3.0 and the vendor-centric Federal Information Security Management Act (FISMA) collectively signal an unprecedented emphasis on third-party compliance.

Although vendor compliance has long been clouded by ambiguity and misinterpretation due to a lack of regulatory guidance and industry standards, recent updates to these directives have provided much-needed clarity. Unfortunately, many companies still have not recognized or addressed their compliance obligations. Nevertheless, vendors must either meet their data protection responsibilities or risk the prospect of a regulatory violation and, ultimately, exclusion from major industries.

HIPAA Omnibus Rule
The HIPAA Omnibus Rule represents a dramatic change to health care regulation and is causing significant disruption throughout the vendor community. Although enacted in 2009 as part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), the effective date was postponed until Sept. 23, 2013. The Omnibus Rule addresses important issues like disclosure and patient rights, but the most significant change, from an information security perspective, relates to the responsibilities of "business associates." A "business associate" is any entity that "creates, receives, maintains or transmits protected health information on behalf of a 'covered entity'" (health care providers, health plans or clearinghouses).

Before September 2013, health care vendors were required to meet minimal data protection standards, while hospitals, health clinics and insurance plans were subject to the full scope of HIPAA's Privacy and Security Rules. The Omnibus Rule, however, subjects vendors to the requirements that had previously applied only to covered entities. Therefore, vendors must now implement a combination of administrative, technical and physical safeguards to ensure the security of protected health information, or be exposed to the consequences of a regulatory violation.

Specifically, vendors are required to:

  • Conduct a formal risk assessment

  • Implement measures to mitigate internal and external risk

  • Implement written policies governing the security of protected health information

  • Conduct data security training for all employees

  • Restrict physical access to storage of protected health information

  • Protect workstations and electronic media

  • Implement technologies to prohibit unauthorized access

  • Log all electronic access of protected health information

  • Secure electronically transmitted protected health information

Should you question whether the Department of Health and Human Services (HHS) will enforce these requirements, HHS Office for Civil Rights Director Leon Rodriguez said, "This final omnibus rule marks the most sweeping change to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."

PCI 3.0
PCI 3.0 came into effect on Jan. 1, 2014. Since merchants outsource much of their card processing functions, the updated standard logically provides enhanced guidance on vendor accountability. Prior to PCI 3.0, the data protection responsibilities of third-party service providers were left to the collective interpretation of the business and its vendors. While certain businesses would demand rigorous, verifiable evidence of compliance, many accepted verbal assurances by the vendor. The new standard requires that all service providers give written acknowledgement to each client that they have met and will maintain all applicable PCI requirements.

This revision significantly impacts small to mid-size vendors that have failed to adopt a structured data protection strategy. Should a cloud services provider, hosted call center, IT services firm, disaster recovery location or document storage company be unable to formally attest to its compliance, clients are compelled to discontinue the relationship. Although many previously chose to avoid the prospect of having to sever ties with a trusted vendor, this detached approach is no longer an option. If a non-compliant service provider is the catalyst for a data breach and the client has not obtained the necessary compliance attestation from this entity, the client will face the consequences.

PCI 3.0 also addresses the practice of vendors using common passwords throughout multiple customer environments. Unfortunately, many vendors do not deploy unique authentication credentials for each client and continue to use common credentials for several unrelated businesses. Should a vendor using common credentials be compromised, then all clients associated with these credentials are at risk of unauthorized access. As many vendors require broad access and are therefore privileged users, the unauthorized use of their log-in credentials has serious implications. Accordingly, PCI 3.0 requires that vendors discontinue the use of common credentials and deploy unique passwords for each client.
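The shared-credential problem described above is easy to audit once a vendor has an inventory of the accounts it holds at each client. The following Python is an added example, not code from the article or from the PCI standard: it assumes a hypothetical inventory format (one record per client account, with the secret represented only by a SHA-256 digest so the audit never handles plaintext), flags any secret used at more than one client, and shows the remediation step of issuing a unique random secret to each affected account. The sample inventory is constructed for the example.

```python
import hashlib
import secrets
from collections import defaultdict


def digest(secret: str) -> str:
    """Represent a secret by its SHA-256 digest; the audit compares digests, not plaintext."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed sample inventory for a hypothetical service provider (not data from the
# article). In practice this would be exported from the vendor's password vault.
INVENTORY = [
    {"client": "clinic-a",   "system": "vpn",       "username": "svc_support", "secret_digest": digest("Summer2014!")},
    {"client": "retailer-b", "system": "vpn",       "username": "svc_support", "secret_digest": digest("Summer2014!")},
    {"client": "bank-c",     "system": "jump-host", "username": "svc_support", "secret_digest": digest("Summer2014!")},
    {"client": "retailer-d", "system": "vpn",       "username": "svc_support", "secret_digest": digest("q7#Lm2pX-unique")},
]


def find_shared_credentials(inventory):
    """Group records by secret digest and return every secret that is in use at more than one client."""
    by_digest = defaultdict(list)
    for rec in inventory:
        by_digest[rec["secret_digest"]].append(rec)
    findings = []
    for d, recs in by_digest.items():
        clients = sorted({r["client"] for r in recs})
        if len(clients) > 1:  # one secret, several unrelated clients: the PCI 3.0 concern
            findings.append({"secret_digest": d, "clients": clients, "records": recs})
    return findings


def remediation_plan(findings):
    """List the (client, system, username) accounts that must each receive their own secret."""
    plan = {(r["client"], r["system"], r["username"]) for f in findings for r in f["records"]}
    return sorted(plan)


def rotate_unique(inventory, findings):
    """Return a new inventory in which every flagged account has a freshly generated, per-account secret."""
    flagged = set(remediation_plan(findings))
    rotated = []
    for rec in inventory:
        key = (rec["client"], rec["system"], rec["username"])
        if key in flagged:
            new_secret = secrets.token_urlsafe(24)  # generated once per account, never reused elsewhere
            rec = {**rec, "secret_digest": digest(new_secret)}
        rotated.append(rec)
    return rotated


if __name__ == "__main__":
    found = find_shared_credentials(INVENTORY)
    for f in found:
        print("shared secret used at clients:", ", ".join(f["clients"]))
    print("accounts to rotate:", remediation_plan(found))
    print("findings after rotation:", find_shared_credentials(rotate_unique(INVENTORY, found)))
```

Running the audit against the constructed inventory reports one secret shared across three clients and three accounts to rotate; after rotation the audit returns no findings, which is the state a vendor needs to be able to attest to under the revised standard. Re-running the audit on a schedule, rather than once, is what catches the shared secret that creeps back in when a technician reuses a known password at a new client.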

Finally, PCI 3.0 requires that merchants document the specific data security measures they will perform and which measures will be performed by a third-party service provider. Although merchants were previously required to maintain a list of the vendors that had access to their cardholder environment, the revised standard calls for significantly more detail. It also mandates that all service providers acknowledge in writing the specific security functions they will perform. Due to the rigorous nature of this requirement and the anticipated disruption it will cause, the effective date of compliance has been extended to July 1, 2015.

FISMA
The Federal Information Security Management Act (FISMA) was enacted in 2002 as a framework for ensuring the security of systems that support federal government operations. FISMA requires all federal agencies, entities administering federally funded programs, federal grant recipients and government contractors to develop, document and implement a program to secure federal information and corresponding systems. FISMA mandates that those subject to the law implement "baseline security controls" through a combination of managerial, operational and technical measures, and is directly aligned to NIST 800-53, the National Institute of Standards and Technology's outline of security controls for federal information systems.

Although third-party service providers have been subject to FISMA since its enactment, vendor compliance has been prioritized over the past few years. This development prompted government contractors to immediately pursue FISMA compliance or risk exclusion from the federal vendor community. Enforcement of FISMA's third-party standard is being performed primarily through the procurement process, with all prospective vendors required to attest to adherence with rigorous data security controls when responding to a solicitation. The specific language within solicitations and contract awards mandates that vendors submit evidence of FISMA compliance in the form of monthly, quarterly and annual deliverables. Accordingly, if your company is doing business with a government agency, you will be required to provide detailed and ongoing evidence of compliance.

The following list, taken directly from a Federal Highway Administration bid solicitation, details the specific documents that vendors must provide as evidence of FISMA compliance:

  • Security assessment: formal evaluation of control environment (annual)

  • Plan of action: plan to mitigate assessment findings (quarterly)

  • System security plan: documentation of all controls (annual)

  • Security categorization: impact level of each system (annual)

  • System contingency plan: documentation of redundancy (annual)

  • Security policy and workforce training records (annual)

  • Interconnection agreements from sub-contractors (annual)

The New Reality
Although meeting the enhanced requirements of HIPAA, PCI or FISMA will entail additional resources, third-party service providers should view this as a critical, long-term investment. The new reality is that vendors operating within highly regulated industries must demonstrate compliance to each customer. Vendor compliance has evolved into a high-stakes risk. The service provider that is unable to provide evidence that regulatory mandates have been adhered to will inevitably be excluded from operating within certain industries.

John Moynihan, CGEIT, CRISC, is president of Minuteman Governance, a Massachusetts-based information security services consultancy.