February 12, 2020
By Diana J. P. McKenzie, published on Law.com
In recent years, data breaches have become more prevalent, and cybercriminals have continued to develop more sophisticated tools to gain unauthorized access to health data. One recent report shows that since 2009, hackers have stolen more than 176.3 million health records in over 1,100 separate breaches. A large percentage of these breaches are caused either by human error or by inconsistent security requirements among healthcare providers and their vendors.
As the risk of security-related events increases, vendor form agreements are increasingly drafted with a focus on protecting the vendor and shifting a large amount of risk to the customer. While we are now seeing more security-related provisions in healthcare IT agreements than we once did, most vendor form agreements still lack necessary provisions that customers should require. This article will provide recommended provisions that healthcare customers should consider adding to their healthcare IT contracts to mitigate risk and to ensure the vendor is responsible for consistent security standards.
1. Due Diligence on Vendor Related to Security. Prior to entering into a contractual relationship with a vendor, healthcare customers should consider requiring the potential vendor to provide information related to the vendor’s past security incidents, including whether: (i) the vendor has experienced any security incidents/breaches in the past and how such incidents were remediated, (ii) there are any claims or potential breaches known to the vendor that may give rise to a claim impacting the customer, (iii) any regulatory action is threatened or pending as a result of a security incident or vulnerability, (iv) the vendor sells data to any third parties (taking into consideration a broad definition of “selling” data as defined under the California Consumer Protection Act (CCPA)), (v) the vendor is certified/licensed to provide the services contracted, and (vi) the vendor employs qualified personnel. Healthcare customers may want to consider representations/warranties in their contracts related to these due diligence questions based on the vendor’s response.
2. Data Center Location. As hosting arrangements and cloud-based systems have become the norm, an understanding of where a company’s data is housed is imperative. A healthcare organization should include a clause detailing the location of the relevant data center where the vendor (or its subcontractor) houses customer data. Some customers prefer these data centers to be located only within the United States, or at the very least to have restrictions on where customer data can be accessed and viewed from.
3. Physical and Technical Protections. Customers should consider what physical and technical requirements are necessary to protect their data, as well as hardware, if applicable. For example, requiring a minimum level of encryption in transit and at rest is becoming more standard. Some customers also specify physical transportation requirements between data centers, such as the use of bonded and insured logistics companies, and designating who is responsible for damaged equipment during transit.
4. Subcontracting Rights and Responsibilities. The permissibility of subcontracting to downstream vendors should be addressed as well. If subcontracting is permitted, customers should require that a vendor seek and obtain the customer’s consent prior to subcontracting to allow the customer to perform due diligence on such subcontractor. In addition, it is common practice for the prime contractor to retain responsibility for the integrity of the data as well as the responsibilities under the contract regardless of who is performing the work.
5. Security and Background Checks. Depending on the nature and the level of sophistication and risk associated with a particular deal, customers may want to require vendors to complete employee screening and background checks prior to allowing employees to be onboarded to the customer’s account. Customers should also include a provision that requires vendors to follow all of the customer’s onboarding procedures, which may include certification through a third-party vendor management company.
6. Catch All Clause. We also recommend that customers require a general security clause that covers, at a minimum, the following: (i) routine backup and archiving for a minimum specified retention period, as well as offsite retention; (ii) industry standard security at all data centers; (iii) network security and firewall protection; (iv) ongoing maintenance of all operating systems and applications at vendor-supported levels; and (v) regularly scheduled penetration testing and remediation of any vulnerabilities. This provision allows the customer to maintain a minimum set of security standards across all vendors, and it is helpful language to point to should there be a security incident. We often recommend a termination right for the customer if these standards are not met by the vendor.
7. Restricting Access to Data. Customers should focus on restricting access to customer data to ensure that the integrity of the data, as well as patient confidentiality, is maintained. Although the minimum standards for safeguards are provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), it is advantageous to include more stringent standards given the current environment. In the event a vendor requires access to customer data to perform contracted services, customers should require the following: (i) restricting the use of any customer data solely to the purposes required by the agreement; and (ii) restricting disclosure of customer data to any third party, except (a) on a need-to-know basis to perform the services subject to a confidentiality agreement or (b) as required by a judicial order, provided that the vendor notifies the customer (to the extent allowed by law) in order to provide the customer an opportunity to intervene and/or minimize the scope of any disclosure.
8. Security Standards/Certifications. In order to reduce risks, it is beneficial to include a provision requiring a vendor to maintain certain certifications related to security throughout the course of the agreement. ISO/IEC 27001 is a well-established, yet expensive to obtain, security standard. Thus, some vendors may push back on this requirement. When determining what standards a customer requires, it is important to review the level of risk and the nature of the services to be provided. In some instances, requiring a vendor to monitor and take actions to protect against the OWASP Top 10, a list of the top ten most prevalent application vulnerabilities, can provide a healthcare organization additional safeguards against threats.
9. Third-Party Security Audits. For more sophisticated deals that incur greater risk, we recommend a provision allowing the customer, or an appropriate third party, to audit the vendor’s security protections. A standard clause dealing with this issue contains language requiring a third-party auditing firm to conduct, at a minimum, an annual SSAE 18 audit, and for the vendor to comply with the terms of the audit. Upon the customer’s request, the vendor should also be required to provide the customer with a copy of the audit results. Any reports of audit findings may typically be retained by the customer but must be treated as confidential information of the vendor. In the event the vendor is found noncompliant with audit standards, the vendor should be required to take actions to remediate and provide the customer with evidence of such remediation. In certain situations, termination may also be an appropriate remedy for failure to comply with this provision and industry security standards.
10. Data Breach Response. Given the frequency of breaches, it is important to clearly designate a vendor’s responsibilities and notification timelines following a security incident. Language should be included to ensure that the vendor will immediately notify the customer in writing if the vendor suspects or becomes aware of any unauthorized access to the customer’s data. While traditionally, some customers added language that tracked the relevant breach notification statutes, we now recommend the notification schedule be more restrictive than required by law, in order to allow the customer time to conduct an internal investigation. The vendor should also be required, at its own expense, to fully cooperate with the customer to prevent or stop the underlying cause of a breach. Further, the vendor should be required to fully and immediately comply with applicable state, federal, and international data breach laws and regulations. As credit monitoring services have become a common remediation practice following a breach, we are seeing many customers pass the costs associated with such remediation off to their vendors to the extent these breaches are caused by a vendor.
11. Exclusion for Limitation of Liability Caps. Almost all commercial contracts have a cap on the limitation of liability. As a starting position, customers should request vendors to exclude breaches of a vendor’s security-related obligations from this cap. Many vendors will balk at this position because of the unknown level of risk and the increasing inevitability that data breaches will occur. Thus, a middle ground is to have a super-cap (i.e., greater than the general limitation of liability cap, but not unlimited) for these types of breaches.
12. Indemnification Against Security-Related Breaches. Healthcare organizations should include a statement requiring a vendor to defend, indemnify, and hold the customer harmless from any liability, loss, costs, and damages arising out of or related to any third-party claim as a result of vendor’s breach of its security-related obligations. Indemnification costs should likewise be excluded from any caps on liability so as not to limit the significance of this remedy.
13. Cyber-Insurance. A healthcare IT contract should include a provision requiring the vendor to maintain a minimum threshold of cyber-insurance. As the cyber-insurance industry is continually adapting, healthcare customers should consider the scope of coverage and review policies annually to be sure they are complete. Types of coverage that a customer may want to consider requiring a vendor to maintain include coverage regarding the following: technology products, technology information and services, media liability, Internet media content, network security liability, Internet professional liability, physical theft of data, and identity theft.
14. Disaster Recovery/Business Continuity. To ensure data integrity in the event of a major incident, the vendor should be contractually required to maintain an up-to-date disaster recovery (DR) plan that is tested at least on an annual basis. The DR plan should include applicable recovery time and recovery point objectives. In the event that testing identifies deficiencies, a remediation plan and schedule should be provided to the customer. A written summary of all DR material should be furnished to the customer upon the customer’s request, provided the customer protects the summary as the confidential information of the vendor.
Diana McKenzie is a partner and chair of the Information Technology & Outsourcing Practice Group at HunterMaclean. For more information, please contact Diana at dmckenzie@huntermaclean.com.