Best Practices for Answering Hospital Security Questionnaires

Best Practices for Answering Hospital Security Questionnaires

Digital health companies, startups, and software vendors sell to hospitals and enterprise healthcare generally must complete a vendor security assessment or vendor risk assessment during procurement. Healthcare providers provide a series of security questions and want to vet the security and compliance programs of new vendors.

These assessments are often provided as lengthy questionnaires that ask about the vendor’s structure of security programs. Vendors should be prepared, in order to streamline this process and more easily pass through security assessment.

Below are some of the steps that organizations should take when preparing for vendor risk assessments and security questionnaires:


1. Have Security Policies in Place

Companies should already have administrative policies in place when approaching health providers. Administrative polices should include standard operating procedures (SOPs) built around the organization and technologies. Policies should be written in plain-English and detail actions including managing risk assessment, employee training, system access, and vulnerability scanning.


2. Set Technical Controls

Digital health companies and software vendors must have technical safeguards in place to secure production data and protected health information (PHI). Regardless of technologies, infrastructure, organizations should have security protections in place for standards such as audit logging, disaster recovery (DR), encryption, vulnerability scanning, etc. Organizations operating in the cloud (AWS, Azure..) still have a number of security responsibilities under the cloud shared responsibility model.

Teams should setup security configuration for application and services should be implemented to meet applicable regulatory needs (HIPAA, FDA, PCI DSS, etc).


3. Collect All Appropriate Security Documentation

Digital health companies should gather all security information related to their cloud service provider, software solutions, third party vendors, development teams, and software solutions. You can get a list of documentation in our Guide to Vendor Assessments.


4. Be Honest About Security Capabilities

Enterprise healthcare organizations use security assessments to vet vendors and ensure they will actually follow through on security programs and standards. Small teams that exaggerate security capabilities (IE. Teams of 5 claiming to perform a penetration test every quarter, etc) will mostly go through much more intense scrutiny. It is best that organizations establish realistic security standards and relay these standards to health providers.


Hospitals and health systems are always looking to connect with innovators but must ensure that these vendors do not pose a security risk to the organization. Healthcare innovators and software vendors should be prepared with the appropriate security safeguards and documentation in place in order to streamline the security assessment process.

Not sure about security questionnaires? Learn more about best practices for security assessments by downloading our “Preparing for Vendor Security Assessments” Whitepaper.