Vendor Security Assessments: Best Practices for Answering VSAs


The Journey to Healthcare Compliance (5)

MedStack Has Some Tips & Tricks for Efficiently Answering VSAs

Now that you understand the basics of what a Vendor Security Assessment (VSA) is, as well as some tips for navigating the VSA process effectively, you’re ready to complete your first VSA.

However, understanding the things you need to do and knowing the best practices you can use to complete them are two very different things. And since VSAs range in length anywhere from 50 questions to over 250 questions, tackling one VSA successfully doesn’t mean you’re ready for all of them.

MedStack has put together some useful information that you can use to improve your practices for completing VSAs, which will not only save you time, but ensure the process is less stressful for you as well.

Tips for Proactively Preparing

Understand Your Own Processes First

You can’t begin filing a VSA efficiently until you have a deep understanding of the processes that are used within your own company.

The enterprise wants to know that you have a formally written and documented process for any contingency that could arise. Answering these types of questions accurately requires you to take time to understand all the details of the processes you currently have in place.

When answering questions about these processes, it’s crucial that you back up these claims with information regarding the policies you’ve put in place to support them.

Prepare Your Policies

Part of ensuring that you have all of the applicable information regarding your business processes starts with documenting the actual policies that you have in place.

Don’t have a policy in place to support a specific process? Now is the time to draft one and put it into effect. Otherwise, you might not be able to give honest, satisfactory answers when you complete the questionnaire.

The more specific policies you can quote alongside your business’ processes, the more credible and reliable your internal functions appear.

This helps add authority and confidence to your VSA, which also shows new enterprise clients that they can feel confident in partnering with you.

For example, when asked what kind of firewall your system is using, your answer would ideally be “not only do we have a firewall (and list its specs), but we are currently using this firewall policy [LINK]”.

Think About Your Audience

You should never try to duplicate answers from one VSA to another. The questions may be similar, but they may not be the same.

The more question-specific information you can give in your answers, the better. This also applies to relaying that information in a way that applies specifically to the enterprise considering your VSA.

Making this extra effort shows that you not only understand all the intricacies of your business, but you’re taking the VSA process seriously. It will also provide better clarity for the people reviewing your VSA, which looks favorably on your submission.

Business Stakeholders

These are the people that want your app. They’re interested in the things that your business can offer them, so you should remember that in their eyes you may already have what it takes.

For them, the VSA helps ensure that while your services benefit them, the risks that come along with bringing another third-party vendor into their systems are manageable and minimized.

Privacy & Security Professionals

These are the true gatekeepers. They’re often understaffed and overworked, so they’ll be looking for signs that your business fits their model of good security.

Third-party data breaches are one of the biggest concerns for any healthcare enterprise, so it’s no surprise that HIPAA compliance and HIPAA security are such important considerations. These terms aren’t mutually exclusive either, as many HIPAA requirements have some flexibility built into them. However, remaining compliant means that, at a minimum, all of the required controls need to be implemented.

The privacy and security teams evaluating your VSA will be able to tell whether your systems are protected enough to consider allowing you access to their protected data.

If you’ve been considering instituting further HIPAA security measures, do it before you submit your VSA. That additional security could make all the difference.

Know how you protect each enterprise’s Protected Health Information (PHI), and what specific tools are used to guarantee that protection.

Keep Answers Short & Sweet

Adding unnecessary or unclear information that isn’t related to the question that’s being asked makes your business look inexperienced – or worse, unreliable.

Always keep answers short and sweet whenever possible. Think about the phrasing they’ve used in their question and the specific examples (if any) that you can give to answer their question in a clear, concise way.

Never Give More Information Than Requested

Don’t start offering up additional information that isn’t being requested as part of the question.

Not only does that look poorly on your business from a communications perspective, but it also makes you look disorganized.

Think of it this way: if your VSA answers imply you have difficulty following directions or maintaining clarity throughout an evaluation process, what is the likelihood that you can be trusted to ensure the continued privacy of health information?

Use Your Experts

Just because you can’t answer a question efficiently or accurately in your questionnaire doesn’t mean that you need to worry.

You should have people working in different departments of your business that you can reach out to for information when it comes to giving clear, concise answers.

Have experts on your team help give detailed answers about the privacy and security tools you’re using.

For privacy and PHI, have them focus on areas like how you control access to data, whether clinicians can access that data, how you verify data is correct, how you handle patient requests, how your data flows (diagrams can help), and what you do if a patient’s data is incorrect.

Security questions may be more high-level, but have those experts on your team look at what specific standards for security you’re currently using. Do you have risk management or assessment programs? Do you do internal/external security audits? How is your network encrypted? You should also be prepared to share your security architecture diagram.

No single person has all the answers, and customers know that. Use the expertise you have on your team, instead of trying to answer all of the questions by yourself.

Ensure You’re Fully Compliant

Maintaining unwavering health information privacy is the goal of every healthcare enterprise, but have you taken every step necessary to ensure your business is fully compliant?

It’s also crucial to have all your compliance documentation in order and ready to reference before you start completing the questionnaire. This way, if you are missing something or could improve your compliance practices, you’ll have the opportunity to address it prior to submitting the VSA for evaluation.

Taking this step helps avoid overlooked compliance issues and, in turn, reduces the chances of receiving avoidable rejections from potential customers.

Don’t Leave Yourself Liable

Always be honest in a VSA. Never include misleading, false, or purposefully inaccurate information in your VSA, because you could be leaving your business open to serious liability issues.

If your security or privacy compliance practices aren’t at the level they need to be, you can’t fudge the truth to try and land a new client.

Is your business missing something that’s being requested by the enterprise? That either needs to be properly addressed prior to submitting the questionnaire, or it needs to be reflected accurately in your VSA.

Even if it means you likely won’t get this contract, lying on a VSA is never worth the risk. When you notice things that your business can’t address or doesn’t meet the criteria, make a note for yourself.

You may not get this client right now, but you can make adjustments to your planning, processes, and policies to ensure the next time a similar opportunity arises, you’ll be prepared for it.

Keep Copies of Previous VSAs for Reference

Always keep copies of your previously submitted VSAs for future reference.

Not only will this save you time and effort trying to source accurate high-level answers from other members of your team, but it will expedite the entire VSA filing process.

Just be sure to do a detailed evaluation of each answer before you utilize it in a new VSA, because your policies or procedures may have improved since your last VSA was completed.

You’ll want to include any updated information, so each VSA is sent out with the most accurate, up-to-date data.

You also want to avoid copying over any answers directly from old questionnaires, as the wording of the question in the new VSA may not match properly with that of the old one, which can lead to confusing or inaccurate answers.

Be Prepared to Show How You Maintain Privacy for Health Information

Ensure your NIST, ISO 27001, SOC 2, CIS, and HIPAA compliance practices are all up-to-date and all necessary information is readily available to prove that you’re compliant with all relevant regulations.

Save yourself some headaches and be sure to have all the appropriate documentation available to you when you’re completing a VSA. This will save you time and energy, since you won’t have to search for documentation in the middle of filing.

Talk to the Client Before You Start the VSA

There’s nothing wrong with asking the client questions or requesting clarification about any of the questions that you’re expected to answer on your VSA.

In fact, it can look responsible for you to request clarification, rather than make an assumption that could lead to a misleading or inaccurate answer.

If you believe your health information privacy standards may not meet those of the customer, ask them about their requirements.

Not only will this look good on you for ensuring your due diligence in research prior to filing your VSA, but it gives you time to make adjustments to your own policies, in case they aren’t meeting the standards the customer needs.

In turn, this prevents avoidable rejections from customers, as well as gives you the opportunity to proactively improve your business’ processes, which better prepares you for future VSAs.

Streamline Your VSA Filing Process

If your process for filing VSAs or other important paperwork is just to sit down and tackle them one by one, you may want to consider instituting something more time efficient.

VSAs can take an extremely long time to fill out by hand, especially if you’re not prepared. Consider how overwhelming that can become if you have multiple VSAs that you’re trying to complete simultaneously.

Take some time to create a process that reduces how much time you need to spend per questionnaire.

You can create a database of answers, which you can add to each time you submit a VSA. After a few, you’ll notice trends in the questions you’re being asked, as well as the answers you’re giving. This will help you prepare to face other VSAs in the future.

Alternatively, you can turn to a company like MedStack. MedStack can alleviate a substantial portion of the time required for filing VSAs, and allow you to take back precious time and energy for other critical tasks like growing your business.

Save Time & Money by Using MedStack

Make MedStack Part of Your Best Practices for Answering VSAs

Filing VSAs can be a huge burden on your internal resources if you’re answering hundreds of similar questions by hand, across multiple security questionnaires.

Take advantage of built-in security controls and privacy features, as well as inheritable policies, with MedStack’s VSA assistance that can answer up to 90% of your questions automatically.

Submit your VSA directly to MedStack, and our proprietary, AI-powered answer library will take care of the rest.

We’ve already completed hundreds of security questionnaires, and MedStack is eager to help you put your business on the fast track to growth.

Choose MedStack, and let us take your application from zero to healthcare hero.


Sample Questions & Answers:

Question: Are all servers, storage, applications, databases, network, and security devices configured to capture an audit log? Describe.

Answer:
See policy: Logging and monitoring
Section: Log events automatically on all operational systems
Note: MedStack provides customers with the ability to view logs and monitoring data.
Note: MedStack’s logging and monitoring system includes Logstash, Elastic Beats, Elasticsearch, Kibana, and Threat Stack.
Note: MedStack logs and monitoring data are segmented by customer.

Question: The vendor must configure user password parameters to require that passwords meet the following:
• Minimum password length of 8 characters
• Contain both alphabetic and numeric characters

Answer:
See policy: Access Control
Section: Secret authentication information

Question: Do you process HIPAA Patient Protected Health Information (PHI)?
a) Do you have policies and procedures to verify that a person or entity seeking access to ePHI is the one claimed?
b) Do you have surveillance activities that look for unauthorized access (“Snooping”) of PHI?
c) Do you have policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI?

Answer:
See policy: Information privacy
Section: We do not directly collect, use or disclose PHI
See policy: Asset management
Section: Acceptable Use for employees

Question: How often are user access privileges reviewed? Describe your formal process to have management regularly review users’ access rights.

Answer:
See policy: Access control
Section: Automate access control management for access
Section: Review access grants quarterly

MedStack Provides Quick & Easy Filing Options for VSAs

Efficient, Accurate Filing in a Fraction of the Time

VSAs can be a large resource burden, with each one requiring many hours – sometimes days – to complete. MedStack makes this process faster and easier, allowing you to send your VSAs directly to us.

Our AI-powered proprietary answer library can answer up to 90% of compliance-related questions for you – and its adaptability is increasing every day.

MedStack has already helped complete hundreds of assessments from major enterprises across North America, with the backing of our real-time updated, inheritable policies, as well as our built-in security and privacy controls.

Stop wasting your time, energy, and resources focusing on paperwork instead of your product. Let MedStack put your business on the fast track to growth and take your application from zero to healthcare hero.