The javascript used on this site for creative design effects is not supported by your browser. Please note that this will not affect access to the content on this web site.
Skip Navigation
H H S Department of Health and Human Services
U.S. Department of Health and Human Services
Health Information Technology and Quality
Improvement

A-Z Index  |  Questions?  |  Order Publications  |  HRSA Mobile

What are the questions you should be asking vendors to verify how secure the systems are?

It is often difficult to get a clear understanding from vendors what the exact capabilities of their systems are to meet HIPAA and other security provisions. The following list of questions will help you start a productive dialog with your system vendor.

  • Does the vendor's application include the security features that are required to operate the system securely?
  • Is the vendor's application certified by the CCHIT?
  • Has the vendor applied sufficient controls in its development process to ensure the absence of serious software vulnerabilities? 
  • How does the vendor manage software fixes released by the underlying platform providers?
  • How does the vendor manage its own personnel who access your EHR system for support purposes?

Resource:
Detailed list of questions for EHR vendor go to exit disclaimer.  Developed by Tunitas.

Resources on secure development methodologies:
CLASPgo to exit disclaimer (Comprehensive, Lightweight Application Security Process)
OWASPgo to exit disclaimer or (Open Web Application Security Project). 
Microsoft's Secure Development Lifecyclego to exit disclaimer (or SDL)
Common Criteria for Information Technology Security Evaluationgo to exit disclaimer

Developed by the Health Resources and Services Administration as a resource for health centers and other safety net and ambulatory care providers who are seeking to implement health IT.
About
Health Information Technology Toolboxes help health centers, safety net providers, and ambulatory care providers with electronic and online resources and technical assistance to improve patient care.  More>
Stay Informed

Register for the HealthIT and Quality Improvement eNewsletter

Comments?
E-mail the HealthIT e-mail box: healthit@hrsa.gov