To: Board of Supervisors
From: Dr. Grant Colfax, Health Services Director
Report Title: Information Security Agreement with Healthcare Information Technology Vendors
[ ] Recommendation of the County Administrator [ ] Recommendation of Board Committee
RECOMMENDATIONS:
APPROVE a form Information Security Agreement and AUTHORIZE the Health Services Director, or designee, to execute the form agreement with healthcare information technology vendors so the vendor can disclose sensitive software system security information to the Health Services Department Chief Information Officer in advance of contracting with the County.
FISCAL IMPACT:
There is no fiscal impact for this action.
BACKGROUND:
Prior to contracting with a vendor, the Department requests different types of information security reports from the vendor in order for the Department to determine if a vendor's information security systems and processes meet the Department's data security standards. Examples of these reports include SOC2 (Service Organization Control) Type 2 reports, independent auditor system penetration tests, ISO (International Organization for Standardization) 27001 reports, and NIST (National Institute of Standards and Technology) tests. The Department then reviews these reports against established criteria.
A vendor's information security reports reflect the proprietary method created by the vendor to protect data that it processes for its customers, and the vendors treat these processes and systems as a trade secret. As a result, vendors do not want to disclose the security reports to the Department in connection with a Request For Proposal (RFP) response or a sole source selection, in advance of entering into a contract that includes provisions to protect the confidentiality of the security reports. The Department needs a mechanism that will allow these healthcare information technology vendors to disclose the information security reports to the Department for the purpose of the Departm...