In this year’s State of Healthcare Security Annual Report, we reveal that organizations are scoring the lowest in NIST’s Identify, Supply Chain category. In this CTEK Summer Series session, we dive deeper into understanding why, what organizations can do to build a third-party risk management program, how to validate the effectiveness of that program, and how to include the privacy office as part of this risk strategy.
Rethink Third-Party Risk Management
1. CTEK SUMMER SERIES
Be Ready. Be Resilient. Validate.
ACTIONABLE TACTICS TO RETHINK THIRD-PARTY RISK
2. MEET OUR SPEAKERS
INDUSTRY THOUGHT LEADERS
Dave Bailey, Vice President, Security Services
Andrew Mahler, Director, Privacy, Compliance, & Managed Services
Ratana Kong DeLuca, Information Security Consultant
3. POLL QUESTION
NOT INTENDED FOR PUBLIC RELEASE
4. POLL QUESTION
5. POLL QUESTION
7. Supply Chain was the second lowest-scoring and least mature category overall, scoring an average of 2.7 in our 2021 annual report.
Supply chain attacks rose by 42% in the first quarter of 2021. Cyber attacks were increasing by 12% quarter-on-quarter, with the number of individuals affected by each breach increasing by 564%.
https://www.infoguardsecurity.com/supply-chain-cyber-attacks-see-a-troubling-rise/
8. NIST CSF CONFORMANCE
• 70 organizations with more than one assessment in a four (4) year period
• 64% of organizations are below a passing grade (80% conformance)
• Each of the 23 CSF controls is assessed using the COBIT Maturity Model (0-5 scale)
• Conformance is determined by a maturity rating of three (3) or higher
• At a minimum, a conforming control must have a process that achieves its purpose and is well defined
9. PERFORMANCE BY CATEGORY
• 75% of organizations improved since last assessment
• 25% of organizations declined since last assessment
• Industry is progressing, but not enough
• High-performing and low-performing categories were used to present a clearer picture of the state of healthcare
10. NIST - IDENTIFY
• Lack of knowledge or control of all network-connected devices
• Informal practices to address third-party risk
• M&A impacts on mature practices
12. SECURITY PERSPECTIVE
• Formal practices to evaluate vendors prior to procurement
• Risk appetite and tolerance
• Validating secure coding practices
14. 80% of data breaches originated with a third party, and 29% of companies have no visibility into the security of their third-party partners.
https://www.forbes.com/sites/forbestechcouncil/2021/03/09/controlling-the-controllables-in-cybersecurity/?sh=423bfb64753f
15. 2016-2017 HIPAA AUDITS INDUSTRY REPORT
12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms. While few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.
https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf
16. IMPORTANT TERM - BUSINESS ASSOCIATE
• A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
• A covered entity’s contract or other written arrangement with its business associate must contain certain required elements.
• Business associates can be vendors, but not all vendors are business associates.
17. 10 MYTHS ABOUT VENDORS AND HIPAA
1. All vendors are business associates.
2. We can't assess every business associate.
3. BAAs are always optional.
4. The Privacy Office is probably tracking all BAAs.
5. The only vendors I need to worry about are vendors with ePHI.
6. HIPAA only pertains to providers.
7. HIPAA is the only rule or law that provides requirements about vendors.
8. I have no responsibilities if a vendor experiences a breach.
9. HIPAA requires constant monitoring and assessment of vendors.
10. HIPAA requires an annual assessment of vendors.
18. PRIVACY PERSPECTIVE
• Does your organization treat vendor and business associate compliance differently?
• Implement clear, collaborative processes related to business associate agreements
• Has the process ever been reviewed by a third party?
• Where are BAAs, and who is responsible for ensuring compliance (template approval, negotiation, etc.)?
• Review existing contracts/BAAs
• What about individual rights? Is a vendor facilitating requests to access
19. OCR HIPAA AUDITS INDUSTRY REPORT
20. OCR HIPAA AUDITS INDUSTRY REPORT
21. RECENT ENFORCEMENT
• Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations
• On January 7, 2015, the U.S. Department of Veterans Affairs reported a breach of unsecured ePHI involving the VA’s Telehealth Services Program managed by business associate Authentidate Holding Corporation (AHC).
• Aetna Pays $1,000,000 to Settle Three HIPAA Breaches
• Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines.
• Benefit notices were mailed using window envelopes.
• Research study mailing.
22. RECENT ENFORCEMENT
• HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
• CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics. On April 10, 2014, an Advanced Persistent Threat group compromised administrative credentials and remotely accessed CHSPSC’s information system through its VPN.
• Health Care Provider Pays $100,000 Settlement to OCR
• OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. Elevation43, a business associate of Dr. Porter's EHR company, was impermissibly using the Practice's patients' ePHI by blocking the Practice's access until Dr. Porter paid Elevation43 $50,000.
24. COMPLIANCE PERSPECTIVE
• Contract Due Diligence Reviews and Negotiation
• Accountability Enforcement
• Post-execution Validation Review
25. WHAT ABOUT VENDOR NON-COMPLIANCE
• Add requirements to RFPs (or renewals)
• Review agreement/requirements with the vendor
• Assess the vendor
• Escalate to leadership
• Evaluate alternatives to the service
• Give notice/terminate the contract
27. THIRD-PARTY RISK BEST PRACTICES
• Formal pre-screening security assessment processes
• Third-party risk identification and management plan
• Comprehensive contract negotiation and review strategy
• Post-execution implementation plan
• Periodic contract performance and validation reviews
28. THIRD-PARTY RISK BEST PRACTICES
• Include vendor risk as part of the enterprise risk analysis
• Perform vendor security assessments on a routine basis and after incidents
• Utilize a third party to support vendor oversight
• Implement processes around vendor contracts and BAAs (know the roles of each office)
29. RESILIENCE VALIDATION™
STATE OF HEALTHCARE SECURITY & PRIVACY
• As threats evolve, CynergisTek has evolved to help clients ensure they have an approach that responds every day
• Understand that security and privacy are about the journey, not the destination
• Tailored program through our Assess, Build, Manage, Validate service offering to prepare, rehearse, and validate that security & privacy are working as expected
30. cynergistek.com
CYNERGISTEK RESOURCES: PODCAST | VIDEOS | BLOG
We are here to help!
Thank you.
dave.bailey@cynergistek.com
andrew.mahler@cynergistek.com
Editor's Notes
Yes
No
Only for vendors with access to IT systems
We have something, but it's informal