Vendor Risk Assessment
Woundtech Third Party Vendor Assessment Questionnaire
Vendor Company Information
(Required)
Company Name
Vendor Company Address
(Required)
Street Address
Address Line 2
City
State
Alabama
Alaska
American Samoa
Arizona
Arkansas
California
Colorado
Connecticut
Delaware
District of Columbia
Florida
Georgia
Guam
Hawaii
Idaho
Illinois
Indiana
Iowa
Kansas
Kentucky
Louisiana
Maine
Maryland
Massachusetts
Michigan
Minnesota
Mississippi
Missouri
Montana
Nebraska
Nevada
New Hampshire
New Jersey
New Mexico
New York
North Carolina
North Dakota
Northern Mariana Islands
Ohio
Oklahoma
Oregon
Pennsylvania
Puerto Rico
Rhode Island
South Carolina
South Dakota
Tennessee
Texas
Utah
U.S. Virgin Islands
Vermont
Virginia
Washington
West Virginia
Wisconsin
Wyoming
Armed Forces Americas
Armed Forces Europe
Armed Forces Pacific
ZIP Code
Vendor Contact Name
(Required)
Vendor Contact Name
Vendor Contact Email Address
Vendor Company Website
(Required)
Data Access Notes
(Required)
Please describe the data to be exchanged (business reason, frequency, and method of proposed data exchange):
SOC2/HITRUST Certification
(Required)
Yes
No
Does your organization hold a current SOC 2 report and/or HITRUST certification? (If yes, please attach the latest reports.)
SOC 2/HITRUST Report Upload
Accepted file types: pdf, doc, docx. Max. file size: 1 GB.
Consent
(Required)
I agree to our company information being collected
Policies and Processes
Does your organization document, publish, and enforce security policies?
(Required)
Yes
No
Do you review and update these policies at least annually?
(Required)
Yes
No
Does your organization document and enforce HR policies?
(Required)
Yes
No
Does your organization have acceptable use policies?
(Required)
Yes
No
Does your organization have policies governing the use of company email, internet, and devices?
(Required)
Yes
No
Does your organization have encryption policies and standards?
(Required)
Yes
No
Does your organization adhere to a Data Breach Notification policy?
(Required)
Yes
No
If yes, provide your notification timeframe below
Notification timeframe for a breach, in hours
(Required)
Does your organization have documented policies regarding the storage, handling, and disposal of sensitive data?
(Required)
Yes
No
Outline Procedures if Yes
Describe your organization's data handling and disposal procedures
Does your organization have policies for third-party management of sensitive data (storage, use, and disposal)?
(Required)
Yes
No
Outline Procedures if Yes
Describe your organization's policies for third party management of sensitive data
Does your organization outsource any security management functions?
(Required)
Yes
No
Specify Outsourced Functions if Yes
Describe your organization's outsourced security functions
Do your policies and procedures comply with relevant privacy laws regarding the security and protection of customer data?
(Required)
Yes
No
Outline Procedures if Yes
Describe how your organization's policies align with privacy laws with regards to protection of customer data
Physical and Data Center Security
Does your organization regularly assess physical and environmental risks?
(Required)
Yes
No
Are data center perimeter controls managed through access cards?
(Required)
Yes
No
Are keypad controls used for data center perimeter access?
(Required)
Yes
No
Are security guards employed at data center perimeters?
(Required)
Yes
No
Do you have business continuity plans in case your office becomes inaccessible?
(Required)
Yes
No
Is network equipment physically secured?
(Required)
Yes
No
Do you use external data center providers?
(Required)
Yes
No
If yes, please list
Please describe the external data centers and hosting providers you use
Do you maintain visitor logs for more than 30 days?
(Required)
Yes
No
Does your organization have a documented policy for physical security requirements in your office?
(Required)
Yes
No
Data Handling and Security
How does your software ensure compliance with HIPAA and other relevant regulations?
(Required)
Where is application data stored? (e.g., Amazon S3, a SQL database, Snowflake, Azure)
(Required)
Does your software provide comprehensive audit trails for data access and changes?
(Required)
Yes
No
Is all data encrypted at rest?
(Required)
Yes
No
Is all data encrypted in transit?
(Required)
Yes
No
What encryption methods are used to protect data at rest and in transit?
(Required)
Please list all encryption algorithms, key lengths, and protocols used (e.g., AES-256 for data at rest, TLS 1.2 or later for data in transit), and how encryption keys are managed
Does your software support data exchange with other providers or systems? (e.g., API, SFTP, FHIR, Webhooks)
(Required)
Yes
No
Does your software support healthcare data standards and code sets such as HL7, ICD-10, and CPT?
(Required)
Yes
No
Describe your business continuity plan related to data availability (e.g., uptime SLA, data backup, and recovery).
(Required)
Who owns the data stored in your system, and what happens to the data if we switch vendors?
(Required)
AI Capabilities and Features
Does your application use AI functionality (e.g., predictive analytics, natural language processing, clinical decision support)?
(Required)
Yes
No
Please Specify AI Solution(s) Used
Does your organization use AI to train or learn from live identifiable information (e.g., PHI or PII)?
(Required)
Yes
No
If yes, please describe how data is used to learn or train AI
Information Security Measures
Does your organization have an information security program? (Provide Links if Yes)
(Required)
Yes
No
Please provide links to relevant security and privacy policies
Please upload any applicable security policies and documentation.
Max. file size: 1 GB.
Does the security program apply to all operations and systems that process sensitive data?
(Required)
Yes
No
Do you provide security awareness training to all employees (including phishing prevention and social engineering)?
(Required)
Yes
No
Are relevant staff and managers professionally certified in information security?
(Required)
Yes
No
Is administrator-level access to network infrastructure limited?
(Required)
Yes
No
Are there strict controls for accessing security logs?
(Required)
Yes
No
Is multi-factor authentication (MFA) required for access to all systems?
(Required)
Yes
No
Has your organization conducted a penetration test (pen test) in the past 12 months?
(Required)
Yes
No
Are you able to provide your latest penetration test results?
(Required)
Yes
No
Please attach your latest penetration test results
(Required)
Max. file size: 1 GB.
Endpoint Security Measures
How do you ensure the confidentiality and integrity of data when employees work remotely?
(Required)
End-User Devices (Laptops, Desktops, Tablets)
Do you use data loss prevention (DLP) tools to prevent sensitive data leakage?
(Required)
Yes
No
Is MDR (Managed Detection and Response) or EDR (Endpoint Detection and Response) software enabled on all computers handling customer data?
(Required)
Yes
No
Is antivirus software required and enabled on all endpoints?
(Required)
Yes
No
Is antivirus scanning performed regularly on all endpoints?
(Required)
Yes
No
Does your organization allow the installation of non-approved software on endpoints?
(Required)
Yes
No
What is your process for managing and deploying security patches and software updates to endpoints, and how often is it done?
(Required)