Bill Winterberg made an excellent comment on my last article about information security - regarding outsourcing our applications to third-party web-based providers. This is what is called "cloud computing" - i.e. our data and software are hosted by the provider and accessed via the web browser.
As Operations frequently deals with the most delicate information about your customers and may be managing some of the most complex processes in the practice - choosing your service providers is a critical process. You are handing off your data and connecting to them remotely on the assumption that your activities and database(s) are secure.
Without getting too deep into the weeds - security is handled on three levels:
The latter two are clearly under your control. The service provider's security is not. An important component for any service provider who works in the "cloud" of the Internet should be a SAS 70 audit. SAS 70 is shorthand for Statement on Auditing Standards No. 70. It was established by the American Institute of Certified Public Accountants (AICPA). A SAS 70 report documents the processes and controls a service provider has in place to correctly manage their business. Because it is most commonly used by service organizations - it also reflects the processes and controls in place to ensure the information they hold about you and your business is secure.
There are two types of SAS 70 reports - a Type I and a Type II. The Type I documents the aforementioned processes and controls. The Type II - more valuable to you as a decision maker in selecting a vendor - also includes an independent auditor's review and testing of those processes and controls.
In my view - for the most critical and confidential data your business handles (account numbers, tax IDs, bank and medical data, etc.) a Type II SAS 70 should be required for vendor selection. This is an investment by your service provider to attest and confirm that they have the processes and controls in place to effectively manage their business and secure your confidential data.
A final note - not only should technology vendors be asked for a SAS 70 by your practice - but also any other service provider who interacts with or stores your data at some point in the business process.