It seems like every month there's a new report of a malware attack wreaking havoc on global businesses. In the last 18 months alone, the health care industry has been the victim of cyberattacks affecting organizations such as MedStar, Merck, and others, making the topic of IT security top-of-mind for health care executives.
The most recent victim of these attacks was Nuance Communications. Nuance health care solutions are deployed in 86% of all U.S. hospitals, and this attack knocked out large portions of their network, leaving thousands of health care organizations at a standstill. Significant progress has been made in restoring systems since the attack, but many customers are still offline and can expect to remain so for the next couple of weeks.
While recovery efforts are still underway, this got me thinking about IT contracts. Historically, IT has been one area of purchased services typically spared by budget cuts, but I've seen this change dramatically in the last two years, particularly the last 9 to 12 months.
IT has become a massive expense on most hospitals' budget sheets, painting a large bullseye on this particular line item for executives. Add in the headaches created when a cyberattack occurs and you've got yourself a recipe for disaster. To protect your organization and your IT investments, you need to get the business and legal terms right in your contract negotiations. Here are three no-regrets strategies for your IT contracts:
1. Know what commercial options are available to you. Are you getting a good deal?
It's important to understand your options for service coverage. Every contract is going to vary somewhat from organization to organization depending on the size and scope of the project, and most vendors aren't going to tell you what your neighbor paid for the same product.
Before you go into a negotiation, familiarize yourself with the different types of commercial models available. Reach out to your network of business contacts or colleagues within your system to find out what sort of favorable terms they received, how much they were charged for the product, and whether they've had a good experience working with the vendor.
2. Give yourself as much legal protection as possible.
There comes a point in any IT contract where you reach legal terms negotiations. Know what legal terms are appropriate, what the vendor will and will not concede to, and what the minimum standard is. If you're not familiar with legalese, bring in a consultant or someone from your hospital's legal team to review the contracts. When it comes to protecting your hospital and patient data, this isn't the place to take your vendor's word for it that the contract language will fully protect your organization in the event of a privacy breach.
3. Be as specific as possible about how the relationship will be executed.
What specific outcomes or deliverables of the project are important to you? Whether it's service response time, a status report, or a utilization report, make sure your requirements are stated up front and included as written requirements in the contract. And when it comes to a violation of data security, the contract should outline who is responsible, what the final resolution will be, who handles it, and how disputes will be arbitrated.
When cyberattacks occur, it's easy to think retrospectively, and perhaps regretfully, on what you could have done to protect your organization. The reality is that cyberattacks will likely continue to happen in the health care industry, so don't wait for the next one to come along before you take action. Make the time now to review your IT contracts and reach out to your vendors about renegotiation. If you're considering a new contract, invest the time to do your research, connect with colleagues, and work with the vendor to create a contract that supports a mutually beneficial business agreement as well as thorough data security protection.