Your security compliance hinges on the policies and procedures your employees follow -- not the machines or applications they use. Yet, vendors continue to use your fear of non-compliance to sell you a "miracle" product. Check out our purchasing tips before you spend another dollar on your security compliance program.
Beware Of The 'Hard Sell': There are several tactics vendors might use to convince you to buy their products, warns Rick Ensenbach, senior security consultant for Shavlik Technologies in Roseville, MN. Those tactics range from the standard "Everyone's doing it" to the innovative "You'll be a trend-setter" argument.
Here are the most common marketing techniques you should be leery of:
1. The hard sell: "If your vendor starts sounding like a used car salesman, you need to be suspicious," Ensenbach says. That doesn't mean the product can't accomplish what you want, but you will need to perform an in-depth evaluation before you sign on the dotted line.
2. The miracle cure: No one product or service can tackle all your compliance concerns, claims C. Jon Burke, a security consultant for Toshiba America Medical Systems in California. The product may help you comply with one facet of the rule, but complete compliance depends on how you use a system or product, he says.
3. The "HIPAA-compliant" product: HIPAA compliance is based on your organization's risk and how you handle that risk, says Elisabeth Derwin, a San Francisco-based security specialist. No agency has set guidelines as to what is compliant -- or what isn't. This misconception is the most pervasive.
4. The "bells and whistles" product: When you buy a new product, you want something that specializes in solving your problem -- not something that could tackle a ton of additional issues should they arise. "Each feature the product offers is one more chance for a complication that you'll have to deal with down the line," Burke notes.
Look For Reputable Brands: The best product is flawed if you have to replace it in three years because the company no longer exists or the product can't meet your expectations. Here are the assurances you need before you make a purchase.
1. Brand recognition. "As people learned during the dot com explosion, you must ensure that your vendor and its product will be around long term," Ensenbach points out. Stick to vendors and products that have a solid, long-standing reputation.
If you don't recognize a product or vendor name off the bat, check with your peer network, Ensenbach suggests. For example, you could query your local or national listserv, or contact a major area hospital that you know uses the product.
2. References. "You should be able to call a few well-known references and talk specifics," Burke says. Ask your vendor to narrow the scope of its reference list to those who have implemented the product (not those who recently purchased it) and, ideally, those who bought it for the same reasons you present.
Here's What To Walk Away With: Your last step before finalizing a purchase is to nail down how involved your vendor will be after the money changes hands. Make sure you have these contracts in hand before you seal the deal:
1. Product upgrades. You should hammer out a plan with your vendor for the frequency, method, downtime and costs for upgrading your product, Burke says. You'll also need to distinguish between upgrades that enhance security and those that are just an added perk.
2. Tech support. You need to know what level of tech support your vendor will provide -- and for how long after the purchase, Ensenbach says. For example, will they be available 24 hours a day? Will they come to you if there is a major problem? How long will you have to wait for a replacement if the product fails?
This will depend on the product, Burke points out. If you're purchasing an electronic records system, you probably need an extensive support contract. But if the purchase is for an e-mail encryption solution, you might not need as much vendor support.
3. Training. Your training needs will depend on the level of tech support. If you'll have minimal tech support, you might need extensive training up front, Derwin says. On the other hand, if your vendor will be handling all your tech support, you may need very little training.
4. Documentation. You must know immediately what type of administration and operation manuals you'll receive with your purchase, Ensenbach says. Best bet: Push for hard copies that are easily accessible by your employees.
CD-ROMs may require you to print the information on your own. And you could face a copyright violation because you'll need to make copies of the CD-ROM for your disaster recovery program.
The Bottom Line: Provide this guide to all your staff members who are responsible for making purchases for your organization. And don't be afraid to walk away from vendors who try to push you into a purchase you don't want or need.