The security questionnaire playbook: how to handle a 300-question health system assessment without losing two weeks

A healthtech CTO forwarded me a spreadsheet last month with the subject line “I am not okay.” The attachment was a security questionnaire, approximately 280 rows long, from a regional health system, sent that morning by a procurement analyst with the note “please complete within two weeks.” His engineering team was small, and the deal was meaningful year-one ARR for an early Series A. He did not know which questions he could answer from existing documentation, which ones required a real conversation with engineering, and which ones would quietly kill the deal if he answered them wrong. It was the compliance wall moment I have written about before, arriving as a spreadsheet.
That email is the most predictable moment in healthtech sales. According to a 2025 Forrester study cited by automation vendors, the average completion time is 14 calendar days per questionnaire, with 8 to 20 hours of actual focused work inside that window. Two weeks of interrupted CTO time, with the deal sitting in limbo.
TL;DR: Health system security questionnaires are not generic SaaS reviews with a HIPAA section bolted on. About 30 to 40 percent of the questions are healthcare-specific, and a generic response library will fail on those. Build the library by control family, delegate so that the CTO reviews decisions instead of answering questions, learn the formats health systems use (HECVAT, SIG Core, CAIQ, custom), and send a pre-emptive package that deflects 40 to 60 percent of the questionnaire before it arrives. The goal is not faster answers. It is fewer questions.
What makes health system questionnaires different
Roughly 60 to 70 percent of any enterprise security questionnaire is universal: access controls, encryption, incident response, business continuity, vendor management, and penetration testing. A mature library handles them, whether you are selling to a hospital or a bank.
The remaining 30 to 40 percent is where health systems diverge, and where I see most startups lose time. The volume is larger too. HECVAT (Higher Education Community Vendor Assessment Toolkit) version 4.1.5 has 321 questions. SIG Core (Standardized Information Gathering questionnaire, Core edition) has 627. A custom health system questionnaire commonly runs 200 to 400 rows. A generic B2B SaaS review might be 50 to 100.
These are the healthcare-specific categories I watch for:
PHI handling and data classification
How does your system identify, tag, and classify PHI (protected health information)? Can you demonstrate that PHI does not commingle with non-PHI in your storage layer? Health systems expect AES-256 at rest and TLS 1.2 minimum (TLS 1.3 preferred) in transit, with FIPS 140-2 or 140-3 validated cryptography. Name the validated module you rely on rather than repeating the cloud provider's general FIPS claim; 140-2 certificates are being retired in favor of 140-3, so confirm the module's validation is still active. TLS 1.0 and 1.1 are rejection triggers, and so is a TLS 1.2 endpoint that still negotiates them for legacy compatibility.
Clinical data residency
Does PHI remain within the United States? Specify the cloud regions. If data crosses regions for disaster recovery, how is PHI handled in the secondary region? Health systems signing contracts after 2023 increasingly include data residency clauses directly in the BAA (Business Associate Agreement), which I covered in detail in last week’s post on BAA structuring.
Breach notification timelines
“As soon as reasonably practicable” is not an acceptable answer. The contractual standard is 24 to 72 hours. The question is connected to whether your incident response plan can actually execute the timeline you commit to. Answering “24 hours” without the on-call rotation, the templates, or the escalation path creates a future contract violation in writing.
BAA chain and subcontractor oversight
Provide a list of every subcontractor that creates, receives, maintains, or transmits PHI on your behalf. The post-Change Healthcare environment has made health systems stricter here. “Yes, we have BAAs,” without a named, dated list gets no credit.
EHR integration security (FHIR, HL7, OAuth)
Do you use SMART on FHIR (Substitutable Medical Applications and Reusable Technologies on Fast Healthcare Interoperability Resources) authorization? Are shared service accounts used for any clinical data access? The shared service account question is a common disqualifier. If your product connects to an EHR (electronic health record) with a single shared API key, every clinical data access is attributed to the same identity, which fails the unique user identification requirement of the Security Rule under HIPAA (Health Insurance Portability and Accountability Act) and is a problem under the proposed 2026 HIPAA NPRM (Notice of Proposed Rulemaking).
Operational expectations that show up everywhere else
Few of these numbers appear in the HIPAA Security Rule itself. They show up in nearly every health system questionnaire anyway:
- Quarterly access reviews, with MFA (multi-factor authentication) enforced wherever PHI lives, including non-production.
- RTO under four hours and RPO under one hour for PHI-critical systems, with a tested BC/DR (business continuity/disaster recovery) exercise in the last 12 months.
- Annual third-party penetration testing, critical and high findings remediated.
- HIPAA-specific training, phishing failure rate below 15 percent.
- Critical patches within 15 calendar days, high within 30.
A response library built from generic SaaS questionnaires will fail across most of these categories. The fix is not to answer harder. It is to be organized differently from the start.
Building the response library
Across SIG, CAIQ (Consensus Assessments Initiative Questionnaire), HECVAT, and custom formats, roughly 70 percent of questions ask for the same information in slightly different words. A library of 70 to 80 well-written, sourced answers covers the foundation for almost any questionnaire that lands in your inbox. With a mature library, the matched portion takes under an hour; what remains of the 8 to 20 hours is the healthcare-specific exceptions that need engineering input.
The most important structural decision is how you organize the library. Most teams organize it the way the last questionnaire was structured, which means it works for that format and breaks for the next one. Organize by control family, not by questionnaire format. Then map the format onto the library when a new questionnaire arrives.
| Control family | What to store | Healthcare additions |
|---|---|---|
| Access control | MFA policy, RBAC configuration, access review cadence | PHI-scoped role definitions, quarterly review evidence |
| Encryption | At-rest and in-transit specs, FIPS validation status | AES-256 confirmation, TLS version detail |
| Incident response | IR policy, notification timeline, escalation path | PHI-specific breach notification timeline with execution evidence |
| Vendor management | Sub-processor list with BAA status | Named vendor list with BAA dates, HIPAA-eligibility confirmation |
| Business continuity | RTO/RPO definitions | Tested numbers with test date |
| Penetration testing | Most recent pen test summary | Third-party scope, methodology, remediation status |
| HIPAA-specific | BAA template, training records | Phishing failure rate, HIPAA-specific training module confirmation |
| SOC 2 and certifications | SOC 2 Type II report under NDA, HITRUST status | Report date, observation period, next renewal |
Two principles keep the library honest. First, every entry links to a primary evidence source: the policy document, a configuration screenshot, the audit report. “Yes” without evidence is a guess that will fail when the health system asks for proof. Second, library answers decay. Set a quarterly review cadence, not annual. A SOC 2 (System and Organization Controls 2) report is generally expected to be under 12 months old; past that, expect a request for a bridge letter, and a report older than 18 to 24 months raises flags during procurement. A library that predates your last infrastructure change is a liability.
The delegation pattern
The default in early-stage healthtech is that the CTO gets the questionnaire, opens it, and starts answering. This is the most expensive possible staffing model for a task that is fundamentally retrieval and documentation.
The right owner is a security lead, a compliance manager, or a fractional CISO. That person conducts the initial pass through the library, identifies the healthcare-specific questions that require technical input, and coordinates the limited engineering review needed for them. The CTO should be reviewing the handful of decisions that actually require their judgment, not retrieving documentation. “Do we use AES-256 at rest?” does not need CTO judgment. “How do we handle PHI in our ML training pipeline?” might.
The model I use has three tiers:
- Tier 1: library match, no review needed (70-80% of questions). The entry is current, sourced, and directly responsive. Answer and move on.
- Tier 2: library match; spot review needed (10-15%). The entry exists, but the question has a healthtech-specific angle, involves a timeline commitment, or references a contractual obligation. Security lead reviews before submission.
- Tier 3: exception, requires engineering input (5 to 10 percent). Architecture decisions, clinical data flows, EHR integration mechanics, or representations about a capability that has not been verified recently. These go to engineering with a specific ask (“confirm our FHIR token rotation process”), not “please answer this.”
Set the internal SLA at five business days from receipt. Three weeks is the traditional baseline without a library, and it also signals to procurement that a vendor does not have a compliance function. That signal costs more than the delay.
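As an added example (not code from the original post), here is a small Python triage script that does what the library section and the three tiers above describe: it keeps the response library keyed by control family, matches each incoming questionnaire row to a family by keyword, flags entries past the quarterly review window, and routes rows with timeline or architecture language to Tier 2 or Tier 3. The library entries, keyword lists, evidence paths and questionnaire rows are constructed for the example, and the trigger vocabularies are an assumption about how you would phrase your own mapping, not a standard taxonomy.

```python
"""Triage questionnaire rows against a control-family response library.

Added example. The library entries, keyword lists, evidence paths and the
questionnaire rows are constructed for illustration, not a real product's data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_CADENCE = timedelta(days=90)  # quarterly review; anything older is re-checked


@dataclass(frozen=True)
class LibraryEntry:
    family: str
    keywords: tuple[str, ...]  # lowercase stems looked for in the question (assumed vocabulary)
    answer: str
    evidence: str              # primary evidence: policy, config export, audit report
    last_reviewed: date

    def is_stale(self, today: date) -> bool:
        return today - self.last_reviewed > REVIEW_CADENCE


# Stems that mark a timeline or contractual commitment: Tier 2, security lead reviews.
TIER2_TRIGGERS = ("within", "hour", "day", "notif", "contract", "commit", "sla")
# Stems that mark architecture or clinical data-flow questions: Tier 3, engineering input.
TIER3_TRIGGERS = ("fhir", "hl7", "ehr", "service account", "integration",
                  "training pipeline", "data flow", "architecture")


def match_family(question: str, library: list[LibraryEntry]) -> LibraryEntry | None:
    """Return the entry whose keywords cover the question best, or None if nothing matches."""
    q = question.lower()
    best, best_score = None, 0
    for entry in library:
        score = sum(1 for stem in entry.keywords if stem in q)
        if score > best_score:
            best, best_score = entry, score
    return best


def triage(question: str, library: list[LibraryEntry], today: date) -> dict:
    """Tier 1: answer from the library. Tier 2: spot review. Tier 3: engineering input."""
    q = question.lower()
    entry = match_family(question, library)
    if entry is None:
        return {"tier": 3, "family": None, "reason": "no library entry; needs a written answer"}
    if any(stem in q for stem in TIER3_TRIGGERS):
        return {"tier": 3, "family": entry.family, "reason": "architecture or clinical data flow"}
    if entry.is_stale(today):
        return {"tier": 2, "family": entry.family,
                "reason": f"library entry last reviewed {entry.last_reviewed}; confirm before submitting"}
    if any(stem in q for stem in TIER2_TRIGGERS):
        return {"tier": 2, "family": entry.family, "reason": "timeline or contractual commitment"}
    return {"tier": 1, "family": entry.family, "reason": "current, sourced library answer"}


def triage_questionnaire(rows: list[str], library: list[LibraryEntry], today: date):
    """Triage every row and count rows per tier, which is what sizes the five-day SLA."""
    results = [{"question": row, **triage(row, library, today)} for row in rows]
    counts = {tier: sum(1 for r in results if r["tier"] == tier) for tier in (1, 2, 3)}
    return results, counts


# Constructed sample library (dates chosen so one entry is past the quarterly window).
SAMPLE_LIBRARY = [
    LibraryEntry("Access control", ("mfa", "multi-factor", "authentic", "role", "access review"),
                 "MFA enforced for all staff; quarterly access reviews.", "policies/access-control.md",
                 date(2025, 4, 15)),
    LibraryEntry("Encryption", ("encrypt", "tls", "aes", "at rest", "in transit", "fips"),
                 "AES-256 at rest; TLS 1.2 minimum, 1.3 preferred.", "evidence/kms-config.json",
                 date(2025, 5, 1)),
    LibraryEntry("Incident response", ("incident", "breach", "notif", "escalat"),
                 "Breach notification per BAA; escalation path documented.", "policies/ir-plan.md",
                 date(2025, 3, 20)),
    LibraryEntry("Vendor management", ("subcontractor", "sub-processor", "vendor", "baa"),
                 "Named sub-processor list with BAA dates.", "evidence/subprocessors.csv",
                 date(2025, 4, 1)),
    LibraryEntry("Business continuity", ("rto", "rpo", "disaster", "continuity", "backup"),
                 "RTO 4h / RPO 1h; last DR test on file.", "evidence/dr-test-2024.pdf",
                 date(2024, 11, 10)),  # stale: more than 90 days before the sample date
    LibraryEntry("PHI handling", ("phi", "classif", "protected health"),
                 "PHI tagged at ingestion and stored in a dedicated schema.", "evidence/data-classes.md",
                 date(2025, 5, 20)),
]

# Constructed questionnaire rows in the style of a health system assessment.
SAMPLE_ROWS = [
    "Is multi-factor authentication enforced for all administrative access to production?",
    "What is your breach notification timeline to the covered entity, in hours?",
    "Does your EHR integration authenticate with shared service accounts or per-user OAuth tokens?",
    "State your tested RTO and RPO for PHI-critical systems and the date of the last DR exercise.",
    "Do you carry cyber liability insurance, and at what coverage limit?",
    "Is PHI encrypted at rest with AES-256, and which TLS versions are accepted in transit?",
]


def run_sample(today: date = date(2025, 6, 1)):
    return triage_questionnaire(SAMPLE_ROWS, SAMPLE_LIBRARY, today)


if __name__ == "__main__":
    results, counts = run_sample()
    for r in results:
        print(f"Tier {r['tier']} [{r['family']}] {r['question']}\n    -> {r['reason']}")
    print("Tier counts:", counts)
```

Run against the constructed rows, the MFA and encryption questions come back as Tier 1, the breach-timeline question is bumped to Tier 2 by its hours-based commitment, the RTO/RPO question is Tier 2 only because its library entry is past the 90-day window, and the EHR service-account and insurance questions land in Tier 3 for different reasons (architecture trigger versus no entry at all). The staleness check runs before the timeline check on purpose: a stale entry is a fact about your library, and it should surface even when the question itself is routine.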
The questionnaire formats that health systems use
Knowing the format tells you which sections of your library to map first.
HECVAT (academic medical centers)
HECVAT was built by REN-ISAC (Research and Education Networking Information Sharing and Analysis Center), EDUCAUSE, and Internet2 for higher education. Version 4.1.5 (released February 10, 2025) has 321 questions across seven domains, including 69 on Privacy and 32 on Artificial Intelligence. Expect HECVAT if your customer is associated with an academic medical center (UCSF Medical Center, Mayo Clinic, Penn Medicine, Johns Hopkins Health System). Community hospitals and health plans typically do not use it.
SIG Core (large health systems with mature TPRM programs)
SIG Core comes from Shared Assessments. The 2025 edition of SIG Lite has 128 questions; SIG Core has 627. Large health systems with mature TPRM (third-party risk management) programs default to SIG Core. Budget 40 to 60 hours from scratch, or 5 to 8 hours with a mature library.
CAIQ (digital health platforms and tech-forward health plans)
CAIQ from the Cloud Security Alliance has 261 yes/no questions in v4. It is most common with technology-forward health plans and digital health platforms, but less so with traditional health systems.
Custom health system questionnaires (HCA, Ascension, CommonSpirit, Kaiser)
Custom health system questionnaires dominate the largest accounts. HCA Healthcare, Ascension, CommonSpirit, and Kaiser Permanente use proprietary questionnaires derived from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework), the HIPAA Security Rule, and internal risk frameworks. These are the longest, with healthcare-specific sections that do not map neatly to SIG or CAIQ. Map them to your library’s control family structure. The format is unique. The underlying control domains are not.
Tools: build, buy, or use what you already have
If you already pay for Vanta, Drata, or Secureframe, the built-in questionnaire response feature drafts answers from your mapped controls and prior responses. Those drafts still need a review pass, but at low volume that is enough, and it sits inside the $10 to $20K platform budget you already have.
Rough thresholds: below 10 questionnaires per quarter, a Notion or Google Sheets library organized by control family is fine; 10 to 20 per quarter, the compliance platform's built-in feature; past 20 per quarter, a dedicated tool earns its keep. Conveyor starts around $4,800 per year and is accessible at Series A. SafeBase (now part of Drata) reports a 74%+ reduction in inbound questionnaires through its trust center, a vendor-reported figure. Loopio, Responsive, and Whistic occupy adjacent spots.
The real cost is never the software. It is the CTO’s hours.
The pre-emptive package
The most effective questionnaire strategy I have seen is not faster answers. It is fewer questions.
A pre-emptive security package is a set of documents you send to a health system prospect before they send their questionnaire. The goal is to answer 40 to 60 percent of what they would have asked and shift the conversation from “do they understand HIPAA?” to “how do we adapt their existing controls?”
The package I would build for a Series A healthtech startup contains:
- A current SOC 2 Type II report, under NDA, through a trust portal link. Getting to a Type II report at all requires planning the 12-week SOC 2 and HIPAA timeline correctly, and the auditor you choose matters too, which is why I wrote separately about choosing an auditor for a healthtech engagement. If you only have a Type I, say so and state when the Type II observation period ends.
- A 1-2 page HIPAA security program summary. The security officer, safeguard categories, BAA process, breach notification timeline, and training cadence. Signals that you have a program, not just policies.
- A network and data flow diagram showing where PHI enters, where it is stored, how it is transmitted, where it exits, and the encryption layers at each stage. Health system security teams evaluate this directly. A clear diagram answers 15 to 20 questions before they get asked.
- A sub-processor list with BAA status. AWS services in scope, the compliance platform, analytics tools, and video infrastructure for telehealth. Named, dated, signed.
- Your BAA template. Sending your own before they send theirs changes the negotiation dynamic, which I covered in the BAA structuring post.
- A penetration test executive summary. Scope, dates, finding counts, and remediation status.
- A security FAQ. Ten to fifteen questions and answers covering the things that come up repeatedly but do not appear in the formal frameworks.
A trust portal is the hosted version. SafeBase, Vanta’s Trust Center, Conveyor, and Whistic all do versions of it. For a Series A team, the built-in trust center on a platform you already pay for is usually enough. The goal is a shareable URL, not the most sophisticated portal. A properly organized Google Drive folder with access controls is better than no package at all.
The competitive signal is independent of the time savings. Health systems evaluate twenty to fifty vendors per quarter. A startup that arrives with a current SOC 2 report, a clean data flow diagram, and a sub-processor list occupies a different category than one that goes silent for two weeks after the questionnaire arrives. That category difference is what I keep coming back to when I think about compliance as a sales weapon. The pre-emptive package is what that thesis looks like in practice.
What this actually changes
The healthtech startups I see closing deals fastest are not the ones with the cleanest questionnaire answers. They are the ones whose process makes the questionnaire feel like a smaller part of the deal than it used to be. The CTO is not the bottleneck. The library is current. The pre-emptive package has already absorbed the easy questions. The format-specific work, HECVAT versus SIG versus custom, is map-and-translate.
You can spend 14 days reacting to each questionnaire forever, or you can spend 30 to 40 hours building the library and the package once, and have 70 percent of every future questionnaire pre-answered. The second path also sends a clear signal to the health system that you are a vendor they can move through procurement quickly.