Manage IT Providers Like Anyone Else Working for You
By Diane Evans - June 19, 2025 (updated June 23)
A new cybersecurity alert warns of data breaches caused by bad actors targeting third-party IT providers as a way into their customers' systems.
For long-term care organizations this is pertinent, given how heavily they rely on Managed Service Providers (MSPs) and other IT vendors to keep their information secure.
To protect your organization, good business practice starts with contract language that clearly defines the services a third-party IT provider will render.
Here are some points to keep in mind:
Business Associate Agreements (BAAs), together with the service contracts they accompany, should hold IT providers accountable for documenting all work performed on behalf of your organization. Insist on system-generated verifications (for example, patch reports or audit logs produced by the tools themselves, rather than a vendor's summary) whenever possible, so you can confirm the work was actually completed.
Within the agreements, services should be detailed by category, such as:
Patch management and software updates
Network security
Auditing and monitoring
Access controls
Data backups
Routine maintenance
To comply with the Health Insurance Portability and Accountability Act (HIPAA), make sure your third-party IT vendor trains its employees on privacy and security regulations, with the level of training based on job role. You should be assured that access to your organization's data is limited to a need-to-know basis, and that the IT provider monitors its employees' use of your data.
Call to Action: Revisit your Business Associate Agreements to ensure that you are effectively holding third-party IT providers accountable, and responsible. In addition, once the IT provider's scope of work is clearly defined, you can ascertain what remains to be done in-house.
In sum: Don’t assume that an IT provider is doing everything required under HIPAA. In our experience, that is seldom the case. It is ultimately up to you to identify and address any gaps in IT security as required under HIPAA.