Security Risk Management: What Schools Need to Know Prior to Choosing an SHR Solution
Educational institutions collect many kinds of sensitive information about students and employees. For students, personally identifiable information (PII), health records and, in some cases, parents' credit card details are collected and stored alongside academic records. Higher education institutions may also hold research data that is confidential and proprietary. Attackers tend to target organizations that hold large volumes of protected health information (PHI). Healthcare and education are prime targets not only because they hold vast numbers of PHI records, but also because they are known for weaker defenses. That is why it is so important for schools to evaluate the security practices of a Student Health Record (SHR) vendor before making a purchasing decision.
Security is a process. It starts with identifying the sensitive data, where it is stored, who should be authorized to access it, and how best to secure it against known threats. Security policies document these details and give employees guidance on how to protect private information. After that, it is a matter of execution and a life cycle of learning and improving.
Because schools are a common target for breaches, it is vital for them to have detailed procedures in place. Consistently following security processes that have been properly implemented reduces the chance that human error becomes the cause of a PHI leak; it cannot remove that risk entirely, which is why the cycle of review and improvement matters.
Schools deal with a variety of vendors, and each vendor should be expected to have a security program in place. Just like the school itself, its vendors must protect the school's data assets from both external and internal threats. Here are some requirements schools should consider when selecting an SHR vendor:
- Do they adhere to a recognized security framework with documented controls? Is their framework compatible with the school's own?
- If they process credit card payments, do they comply with the Payment Card Industry Data Security Standard (PCI DSS)? Can they provide a Self-Assessment Questionnaire (SAQ) or a Report on Compliance (ROC) to support that claim?
- Do they apply the HIPAA Security Rule to electronic protected health information (ePHI), such as data held in an Electronic Health Record (EHR), and the HIPAA Privacy Rule to PHI in any form, including physical media (paper, tapes, drives)?
- Do they have a written security policy and an incident response plan?
- Do they perform routine audits?
- Do they have a completed Due Diligence Questionnaire (DDQ) available for the school administration's review? A DDQ is simply a questionnaire made up of questions tailored by the entity conducting the review. In this case, the school would ask the prospective vendor to answer questions about its security processes.
- Do they perform regular security assessments to improve their security posture (risk assessments, penetration tests, phishing simulations, physical security reviews, etc.)? A well-established vendor should be proactive in maintaining a strong security program rather than reacting only after an incident.
- Does their IT staff have security experience? Public sources such as LinkedIn can help with independent research.
- Do they perform security awareness training for their employees on a regular basis?
- If they use remote access tools to reach sensitive data, do they enforce strong password policies and two-factor authentication (2FA)?
Why is the vendor security review so important for schools? Protecting the personally identifiable information of students and staff is critical for schools and for the vendors serving them. It is a shared responsibility toward those who are asked to hand over their private data.
Magnus Health and Agio have partnered to ensure that the integrity, confidentiality, and availability of school and student private data are not compromised. Agio evaluates the SHR services that Magnus provides to schools and reviews the security processes of every department in our company that handles PHI. Through this analysis, and based on current cybersecurity practices, Agio identifies possible deficiencies in the services Magnus provides and recommends changes to our practices. Agio's Health Care 360° Cybersecurity Program is a two-year centralized cybersecurity and compliance program architected specifically for the healthcare industry. It is delivered and managed by seasoned technical experts who act as your sounding board for all things related to patient confidentiality, patient care, and the overall patient experience. Specifically, the program aligns to the HIPAA Security and Privacy Rules, NIST SP 800, and HITRUST CSF, as well as security best practices, driving clients toward not just compliance but a more secure environment as well.¹
For more information on why vendor accreditation is important, check out our "Vendor Accreditation and Why It Matters to Schools" blog post!
¹ Agio's Health Care Executive Briefing