Vendor Security Assessments: Successfully Navigating the Process


The Journey to Healthcare Compliance (4)

MedStack Can Help You Make Sense of the Complicated Submission Process

Now that you know a bit about the basics of Vendor Security Assessments, you’re ready to begin preparing yourself for the submission process.

However, this is no small task. VSAs can be long, time-consuming questionnaires to fill out. If you’ve never completed a VSA before, the process can be quite daunting.

What should you do to prepare? What questions are they going to ask? How can you show large healthcare enterprises that your organization is a safe, reliable vendor?

This page will walk you through more information about the process for approaching VSAs from healthcare enterprises.

First Steps After Receiving a VSA

While you may not realize it, you should be excited if one of your potential clients has sent your business a VSA to fill out and submit.

Clients will only send a VSA to you if they’re seriously considering doing business with you. This means you’ve already crossed the first hurdle – the enterprise is interested in partnering with you.

So, before you dive into the process of filling out the VSA, take a moment to congratulate yourself. You’re on your way to securing a new customer.

No Two Assessments Are the Same

There are a lot of common questions that you’ll see across many VSAs from different enterprises, but that doesn’t mean they’ll be the same.

Some organizations may put more focus on one area of your business than another in the questionnaire.

For instance, one organization may focus heavily on HIPAA, GDPR, and PCI Data Security Standard compliance, while another may be more concerned with data center or infrastructure security.

Come prepared for all possible contingencies, and you won’t be scrambling for answers when you’re completing the VSA.

Demonstrating That You’re a Mature Vendor

Vendor ‘maturity’ refers to the state of development of your business, as well as the history of relationships that you hold with your existing partners and customers.

To achieve vendor maturity with your enterprise clients, you need to demonstrate a deep understanding of risk management, as well as show consistent efforts towards maintaining and improving upon existing processes.

This can be done in a number of ways, each of which relates back to an overall business model that’s built on forward thinking and safe, efficient business practices.

Business Continuity

How vendors manage a crisis is an important factor to consider when discussing vendor maturity.

Establishing strong business continuity involves creating a strategic plan to manage challenging situations that may arise, as well as having solutions in place to reduce or prevent a disruption of your services.

Vulnerability Management

There’s no such thing as a perfect security system, which is why it’s so important for your business to create a vulnerability management plan.

Understanding where vulnerabilities exist within your business, and taking consistent steps to minimize and remove these risks whenever possible, demonstrates vendor maturity to enterprise clients.

IT Policies & Procedures

The IT security protocols and policies that you’ve put in place for your business demonstrate how well you can protect the private data your business may become privy to through your client relationships.

Ensuring that you’re using tools and software that meet or exceed industry standards, as well as having a comprehensive, well-designed internal IT strategy, shows enterprise clients how committed you are to preventing breaches of their secure data.

Secure Compliance

There are various compliance practices that need to be put in place, and kept in place, so that your business remains up to date with HIPAA policies, the General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS).

These compliance practices are absolutely essential if you’d like your business to be considered a mature vendor.

How Often Are Vendors Assessed?

Most vendors will receive a VSA to complete before a new enterprise client will consider them for a partnership.

However, there is currently no set standard for how often vendors are asked to complete VSAs again in the future. Some organizations ask vendors to complete a VSA every year or every few years; others only ask for an initial VSA.

As long as you’re prepared to complete VSAs efficiently at any time, you’ll have no issue completing VSAs whenever they’re requested.

At MedStack, we can answer over 90% of compliance-related questions on your behalf, saving you countless hours of time and frustration versus completing VSAs manually.

How Long Does a Typical VSA Take to Answer?

By hand? A VSA could take dozens of hours to complete, depending on how prepared your business is to answer the questions.

Even if you’re completing multiple VSAs simultaneously, the questions won’t be identical, so you shouldn’t use duplicate answers.

Allowing MedStack to help you complete VSAs can remove the vast majority of the time you’ll spend completing extensive questionnaires.

This is time that could be better spent on other areas of your business, like finding new potential customers with which your business could partner.

Pre-Assessment Vendor Checklist

Before you jump into filing VSAs for your business, consider going through this checklist to ensure that you’re prepared for all of the questions that you’ll be expected to answer.

While these may not all relate to every VSA questionnaire, it’s important that you understand the answers to all of these questions. This way, you’re prepared to answer in-depth questions about your company and its history, as well as the policies, procedures, and security measures you have in place.

You’ll need to ask yourself questions such as:

  • Are your cloud services configured for secure compliance?
  • How is confidential information collected for your internal systems?
  • Where is confidential information stored?
  • What process is used to transmit data securely?
  • Is all collected, stored, and transmitted data encrypted according to Advanced Encryption Standard (AES) best practices? In addition, do you have:
    • Established secure password access for all private information on all database servers
    • Protected access to internal servers from unauthorized visitors
    • An established incident response plan, in the event of a data leak
    • Antivirus & spam-blocking software to protect secure data from malware and phishing
    • Web applications protected against cybersecurity attacks
  • Is your business currently up to date on all required compliance regimes, such as HIPAA?
  • Has your business ever experienced a data leak in the past?
  • If so:
    • How was it handled?
    • Were there any repercussions resulting from the leak?
    • What new security features have you put in place since the data breach?
  • What are your internal privacy policies?
  • What software are you currently using to maintain network security for all your internal systems?
  • How resilient are your current security systems?
  • Could your current systems be improved prior to applying?

This is only the tip of the iceberg. Some VSAs are hundreds of questions long.

You will need to do a deep, thorough evaluation of all your business’ internal processes, regulatory compliance practices, and security systems to ensure you’re prepared for all of the potential questions that you’re likely to be asked.

TIP: Answer all questions as clearly and concisely as possible. Never volunteer information or give more information than is being asked.

Sample VSA Questions

Here are some examples of common VSA questions that you might encounter, along with possible answers.

Example One: Implements encryption in-transit for PHI/PII/CCD information with a strength of at least AES 256 bit or uses TLS 1.2 exclusively or higher. If yes, please provide details in the comments section.

Example Two: Do you have an Information Security Policy that has been approved by management?

Example Three: Are employees in the organization trained and aware of the policy and notified of any policy changes?
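Example One asks for details, not just a yes or no. The following script is an added example, not MedStack's code, showing one way a vendor can record what its own endpoints actually negotiate before writing that comment. Class and function names are this example's own, and it encodes one reading of the criterion: TLS 1.2 or 1.3 passes, while older TLS passes only with an AES-256 suite.

```python
import ssl
import socket
from typing import NamedTuple

# Added example: a self-check for the "encryption in transit" question.
# Names below (HandshakeEvidence, meets_example_one, probe) are hypothetical.

class HandshakeEvidence(NamedTuple):
    protocol: str    # as returned by SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str      # OpenSSL suite name, e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    key_bits: int    # symmetric key strength reported by SSLSocket.cipher()

MODERN_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def meets_example_one(ev: HandshakeEvidence) -> bool:
    """TLS 1.2+ passes outright; TLS 1.0/1.1 passes only with AES-256."""
    modern = ev.protocol in MODERN_PROTOCOLS
    aes256 = "AES256" in ev.cipher.upper() and ev.key_bits >= 256
    return modern or aes256

def probe(host: str, port: int = 443, timeout: float = 5.0) -> HandshakeEvidence:
    """Connect to one of your own endpoints and record what was negotiated.
    Certificate validation stays on; a validation failure is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return HandshakeEvidence(tls.version(), name, bits)

def comment_for_vsa(ev: HandshakeEvidence) -> str:
    """Draft the 'details' text the question asks for: concise, nothing extra."""
    verdict = "Yes" if meets_example_one(ev) else "No"
    return (f"{verdict}: endpoint negotiates {ev.protocol} with "
            f"{ev.cipher} ({ev.key_bits}-bit key).")

if __name__ == "__main__":
    import sys
    # Usage: python selfcheck.py api.example.com  (host names are placeholders)
    for host in sys.argv[1:]:
        print(comment_for_vsa(probe(host)))
```

A single handshake shows what was negotiated, not that older versions are refused, so the "exclusively" part of the question still needs a separate review of the server's minimum-version setting.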

MedStack Saves You Time & Money

Without Ever Sacrificing Privacy or Security

VSAs can be a large resource burden, with each one requiring many hours – sometimes days – to complete.

MedStack makes this process faster and easier, with inheritable policies and built-in privacy and security controls that all of our customers benefit from.

Simply send your VSAs directly to us, and our AI-powered proprietary answer library will help you take care of the rest.

We’ve already helped complete hundreds of assessments from major enterprises across North America.

So stop wasting your time, energy, and resources focusing on paperwork instead of your product.

Let MedStack put your business on the fast track to growth and take your application from zero to healthcare hero.