When you work with outsourced IT or Managed Service Providers (MSPs) you need to vet them closely to make sure they truly do understand what HIPAA requires from your organization. Here are seven questions to ask your IT team about HIPAA.
7 questions to ask your outsourced IT team
1. What training does your compliance officer have? What training do you provide your workforce?
What you are looking for here is that the compliance officer has HIPAA training above and beyond what the workforce receives. The second thing you want to know is how well the workforce is trained.
If they take it seriously, you should see something more than everyone getting a 45-minute video once a year.
2. Are any of your downstream BAs offshore or do you or your BAs outsource offshore?
You need to know if they are paying attention to where your data may be going. If you don’t allow your data to be offshored but you don’t make sure your BAs enforce that as well, it is unlikely that your data never leaves the US. Someone somewhere down the line is offshoring.
3. What is your incident response plan for addressing a client hit with ransomware?
Your IT company must understand that preserving evidence and preparing for an investigation is also important. Many vendors have no idea there must be an investigation. They just worry about getting things up and running. This approach often means you will have another attack within a few months.
If they don’t have a plan for addressing ransomware properly then they don’t understand your requirements under HIPAA.
4. What security applications will you use for my systems?
You want to know if they can explain that they use something designed for businesses. It is essential that it isn’t just a basic antivirus program.
Next, you want to see what system they have for dealing with the quarantines or alerts that come from those security applications. If they aren’t monitoring it and clearing it up regularly, then it doesn’t matter what the applications find. You should be getting a regular report showing that all of your devices are protected and up to date, and that any alerts have been addressed.
Another note: if you have a list of devices that includes 132 computers but your security report only includes 95, you need some answers. Your totals should balance between your reports. It isn’t unheard of for devices to be overlooked and left unprotected.
5. How do you monitor and manage patches to my applications? What applications are included?
Most MSPs will monitor for updates to operating systems like Windows, Linux, and macOS. However, many aren’t looking at everything else, like QuickBooks or other applications you use regularly. They can’t check them all, but they should make sure the updates you need for apps like Adobe, Microsoft Office, QuickBooks, browsers, etc. are happening too.
There should also be a regular report showing how this is done. If you don’t get that report, how do you know everything is being watched and kept up to date? The same balancing check applies to this report: every device should be accounted for in it in some way.
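The balancing check described for the security report in question 4 and the patch report here is easy to automate once you have both exports as CSV. The script below is an added example, not code from the article; the hostnames, dates and column names are constructed, and the `stale_days` threshold is an assumption you should set to your own policy.

```python
"""Reconcile a device inventory against an MSP's security-tool report (added
example, not from the article; hostnames, dates and column names are constructed)."""
import csv
import io
from datetime import date

# Constructed exports: the practice's asset inventory and the MSP's endpoint-
# protection report. A patch-management export with the same columns works too.
INVENTORY_CSV = """hostname,owner
FD-LAPTOP-01,front desk
BILLING-PC-02,billing
billing-pc-03.clinic.local,billing
EXAM-ROOM-04,clinical
"""
ENDPOINT_CSV = """device,last_seen,alerts_open
fd-laptop-01,2024-05-01,0
BILLING-PC-02,2024-03-02,2
exam-room-04.clinic.local,2024-05-01,0
OLD-SERVER-09,2024-05-01,0
"""

def normalize(name):
    """Case-fold and drop any DNS suffix so both exports key the same way."""
    return name.strip().lower().split(".")[0]

def load(csv_text, key):
    """Parse a CSV export into {normalized hostname: row}."""
    return {normalize(r[key]): r for r in csv.DictReader(io.StringIO(csv_text))}

def reconcile(inventory, report, as_of, stale_days=30):
    """Return the gaps to raise with the MSP: devices with no agent, agents on
    devices the inventory does not know, agents that stopped checking in, and
    devices whose alerts nobody has cleared."""
    inv, rep, both = set(inventory), set(report), set(inventory) & set(report)
    stale = [h for h in both
             if (as_of - date.fromisoformat(report[h]["last_seen"])).days > stale_days]
    open_alerts = [h for h in both if int(report[h].get("alerts_open", 0)) > 0]
    return {"unprotected": sorted(inv - rep),  # in inventory, missing from tool
            "unknown": sorted(rep - inv),      # tool sees it, inventory does not
            "stale": sorted(stale),
            "open_alerts": sorted(open_alerts)}

def sample_gaps(as_of=date(2024, 5, 1)):
    """Run the reconciliation over the constructed exports above."""
    return reconcile(load(INVENTORY_CSV, "hostname"), load(ENDPOINT_CSV, "device"), as_of)

if __name__ == "__main__":
    for category, hosts in sample_gaps().items():
        print(f"{category}: {', '.join(hosts) or 'none'}")
```

Every non-empty category is a question for the next review meeting: an unprotected device, an agent on a machine nobody inventoried, an agent that has stopped checking in, or an alert that was never cleared.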
6. How will you keep me up-to-date on the things I need to worry about in my business related to technology?
Periodic meetings or reviews are the best way to make sure you are covered. This doesn’t mean monthly meetings sucking up everyone’s time. There should be at least one annually. It isn’t a bad idea to have a quick 30-minute quarterly review of projects and report status.
Don’t forget that your MSP is in charge of implementing and monitoring the policies and procedures you put in place for those technical safeguards. They are part of your compliance team, not just some folks in a dark room somewhere making things work.
You need them to be able to tell you what threats may affect your business and what they are doing to address them proactively. If your vendors are just doing their normal day-to-day work and not staying up to date on the nerd news, they will probably miss some things that matter to you. You trust them to be aware and to advise you when things are changing that could impact you.
Some providers focus only on Windows, or say they “watch the patches” or something equally vague. You want to know where they are getting their news and how closely they follow it on a regular basis. Relying too much on tools and other vendors may mean you are exposed when you think you are protected.
7. How will you make sure my firewall or other network management devices are patched and up to date?
Most devices today run software, especially network components like firewalls and access points. Your policies and procedures should address these, and your MSP’s plans should too. If these devices have security holes, it isn’t really a secure network at all. The traffic between machines could be at risk even if the machines themselves are secured.
This is one more set of reports that should include details and proactive protections being taken. Things get changed accidentally. People make mistakes, even those working in IT. Someone must be auditing and paying attention to confirm nothing is going wrong. If you find a problem and patch it before a criminal finds it you will be very thankful for those reviews and reports.
If you don’t ask these questions, you are just assuming they know what they are doing. It is important to note that a provider who really has this stuff under control will be proud to tell you what they are doing. If someone gives you push-back, you have to ask why. Are they over-confident and feel like these questions are beneath them? Are they not doing the work you think they are doing? Do they really not know the answers? None of these possibilities is a good sign for the condition of your network. Have a conversation today, not next year. It could mean the difference of thousands of dollars lost to improper tech, data breaches, poor equipment, and much more.