Every contract Christiana Care Health System inks that bears any IT component crosses the desk of CISO Anahi Santiago.
And that's where vendor management, whether the vendor sells mobile wares or medical devices or acts as a business associate, gets more complicated.
"The vendors don't get it, and they want to argue -- about patch management, disaster recovery, change management -- you name it," she said. "I spend a lot of time going back and forth with the vendors. But the organization understands there's a level of risk that we can accept and there's a threshold where we cannot."
Christiana, in fact, hasn't gone forward with vendors who couldn't provide the level of security the organization requires, Santiago said.
At Partners HealthCare in Boston, CIO Jim Noga has faced similar difficulties.
"In terms of vendors, it really is hard out there because you may have a small niche vendor that's really important to operations -- and they just say it: 'We can't sign this BAA with no cap on our liability,'" Noga said. "Yet the exposure to us is significant in terms of the harm and damage they can do."
Noga and his team try to convince vendors they would be much more marketable if they could bring that forward to a customer, but often to no avail.
It's not just Christiana and Partners, either.
Mac McMillan, CEO of security firm CynergisTek, wanted a sampling of how some of the country's top hospitals handle the issues relevant to business associates, specifically vendors.
"It's been three years now that it was hopefully made clear to them they have responsibility," McMillan said at the HIMSS and Healthcare IT News Privacy and Security Forum. "They're not necessarily embracing that responsibility. How do you fight that and what are you doing around vendor management?"