Contra Costa County
File #: 25-4379 Version: 1 Name:
Type: Consent Item Status: Agenda Ready
File created: 10/7/2025 In control: BOARD OF SUPERVISORS
On agenda: 10/21/2025 Final action:
Title: APPROVE a form Information Security Agreement and AUTHORIZE the Health Services Director, or designee, to execute the form agreement with healthcare information technology vendors so the vendor can disclose sensitive software system security information to the Health Services Department Chief Information Officer in advance of contracting with the County. (No fiscal impact)
Attachments: 1. Information Security Agreement

To: Board of Supervisors

From: Dr. Grant Colfax, Health Services Director

Report Title: Information Security Agreement with Healthcare Information Technology Vendors



RECOMMENDATIONS:

APPROVE a form Information Security Agreement and AUTHORIZE the Health Services Director, or designee, to execute the form agreement with healthcare information technology vendors so the vendor can disclose sensitive software system security information to the Health Services Department Chief Information Officer in advance of contracting with the County.


FISCAL IMPACT:

There is no fiscal impact for this action.


BACKGROUND:

Prior to contracting with a vendor, the Department requests different types of information security reports from the vendor in order to determine whether the vendor’s information security systems and processes meet the Department’s data security standards. Examples of these reports include SOC2 (Service Organization Control) Type 2 reports, independent auditor system penetration tests, ISO (International Organization for Standardization) 27001 reports, and NIST (National Institute of Standards and Technology) tests. The Department then reviews these reports against established criteria.


A vendor’s information security reports reflect the proprietary methods the vendor has created to protect the data it processes for its customers, and vendors treat those processes and systems as trade secrets. As a result, vendors do not want to disclose the security reports to the Department in connection with a Request for Proposal (RFP) response or a sole source selection, in advance of entering into a contract that includes provisions to protect the confidentiality of the security reports. The Department needs a mechanism that will allow these healthcare information technology vendors to disclose the information security reports to the Department so that the Department can perform its information security due diligence. The due diligence review allows the Department to determine whether it is appropriate to contract with the vendor and place County and patient data in the vendor’s cloud.


Authorizing the Health Services Director, or designee, to enter into an information security agreement with potential information technology vendors responding to a healthcare information technology RFP or sole source selection will allow the Department to appropriately investigate and assess potential information technology vendors’ data and information security systems to determine if contracting with them to host County data and protected health information is appropriate.


CONSEQUENCE OF NEGATIVE ACTION:

The Department will not be able to procure information security reports from potential information technology vendors and will not be able to adequately assess potential vendors’ information security systems and procedures.