CTEK SUMMER SERIES
Be Ready. Be Resilient. Validate.
ACTIONABLE TACTICS TO RETHINK THIRD-PARTY RISK

MEET OUR SPEAKERS
INDUSTRY THOUGHT LEADERS
Dave Bailey, VICE PRESIDENT, SECURITY SERVICES
Andrew Mahler, DIRECTOR, PRIVACY, COMPLIANCE, & MANAGED SERVICES
Ratana Kong DeLuca, INFORMATION SECURITY CONSULTANT
POLL QUESTION
NOT INTENDED FOR PUBLIC RELEASE
SETTING THE SCENE
Supply Chain was the second lowest-scoring & least mature category overall, scoring an average of 2.7 in our 2021 annual report.
Supply Chain attacks rose by 42% in the first quarter of 2021. Cyber attacks were increasing by 12% quarter-on-quarter, with the number of individuals affected by each breach increasing by 564%.
https://www.infoguardsecurity.com/supply-chain-cyber-attacks-see-a-troubling-rise/
NIST CSF CONFORMANCE
• 70 organizations with more than one assessment in a four (4) year period
• 64% of organizations are below a passing grade (80% conformance)
• Each of the 23 CSF controls is assessed using the COBIT Maturity Model (0-5 scale)
• Conformance is determined by a three (3) or higher maturity rating
• At a minimum, a conforming control must have a process that achieves its purpose and is well defined
PERFORMANCE BY CATEGORY
• 75% of organizations improved since last assessment
• 25% of organizations declined since last assessment
• Industry is progressing, but not enough
• High-performing and low-performing categories were used to present a clearer picture of the state of healthcare
NIST - IDENTIFY
• Lack of knowledge or control of all network-connected devices
• Informal practices to address third-party risk
• M&A impacts on mature practices

SECURITY PERSPECTIVE
• Formal practices to evaluate vendors prior to procurement
• Risk appetite and tolerance
• Validating secure coding practices
DATA PRIVACY PERSPECTIVE
80% of data breaches originated with a third party, and 29% of companies have no visibility into the security of their third-party partners.
https://www.forbes.com/sites/forbestechcouncil/2021/03/09/controlling-the-controllables-in-cybersecurity/?sh=423bfb64753f
12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms. While few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.
2016-2017 HIPAA AUDITS INDUSTRY REPORT
https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf
IMPORTANT TERM - BUSINESS ASSOCIATE
• A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
• A covered entity’s contract or other written arrangement with its business associate must contain certain required elements.
• Business associates can be vendors, but not all vendors are business associates.
10 MYTHS ABOUT VENDORS AND HIPAA
1. All vendors are business associates.
2. We can't assess every business associate.
3. BAAs are always optional.
4. The Privacy Office is probably tracking all BAAs.
5. The only vendors I need to worry about are vendors with ePHI.
6. HIPAA only pertains to providers.
7. HIPAA is the only rule or law that provides requirements about vendors.
8. I have no responsibilities if a vendor experiences a breach.
9. HIPAA requires constant monitoring and assessment of vendors.
10. HIPAA requires an annual assessment of vendors.
PRIVACY PERSPECTIVE
• Does your organization treat vendor and business associate compliance differently?
• Implement clear, collaborative processes related to business associate agreements
• Has the process ever been reviewed by a third party?
• Where are BAAs, and who is responsible for ensuring compliance (template approval, negotiation, etc.)?
• Review existing contracts/BAAs
• What about individual rights? Is a vendor facilitating requests to access
OCR HIPAA AUDITS INDUSTRY REPORT
RECENT ENFORCEMENT
• Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations
  • On January 7, 2015, the U.S. Department of Veterans Affairs reported a breach of unsecured ePHI involving the VA’s Telehealth Services Program, managed by business associate Authentidate Holding Corporation (AHC).
• Aetna Pays $1,000,000 to Settle Three HIPAA Breaches
  • Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines.
  • Benefit notices were mailed using window envelopes.
  • Research study mailing.
• HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
  • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics. On April 10, 2014, an Advanced Persistent Threat group compromised administrative credentials and remotely accessed CHSPSC’s information system through its VPN.
• Health Care Provider Pays $100,000 Settlement to OCR
  • OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. Elevation43, a business associate of Dr. Porter's EHR company, was impermissibly using the Practice's patients' ePHI by blocking the Practice's access until Dr. Porter paid Elevation43 $50,000.
COMPLIANCE PERSPECTIVE

WHAT ABOUT VENDOR NON-COMPLIANCE
• Contract Due Diligence Reviews and Negotiation
• Accountability Enforcement
• Post-execution Validation Review
• Add requirements to RFPs (or renewals)
• Review agreement/requirements with the vendor
• Assess the vendor
• Escalate to leadership
• Evaluate alternatives to the service
• Give notice/terminate the contract
THIRD-PARTY RISK BEST PRACTICES
• Formal pre-screening security assessment processes
• Third-party risk identification and management plan
• Comprehensive contract negotiation and review strategy
• Post-execution implementation plan
• Periodic contract performance and validation reviews
• Include vendor risk as part of the enterprise risk analysis
• Perform vendor security assessments on a routine basis and after incidents
• Utilize a third party to support vendor oversight
• Implement processes around vendor contracts and BAAs (know the roles of each office)
RESILIENCE VALIDATION™
STATE OF HEALTHCARE SECURITY & PRIVACY
• As threats evolve, CynergisTek has evolved to help clients ensure they have an approach that responds every day
• Understand that security and privacy are about the journey, not the destination
• Tailored program through our Assess, Build, Manage, Validate service offering to prepare, rehearse, and validate that security & privacy are working as expected
cynergistek.com
CYNERGISTEK RESOURCES: PODCAST | VIDEOS | BLOG
We are here to help!
Thank you.
DAVE.BAILEY@CYNERGISTEK.COM
ANDREW.MAHLER@CYNERGISTEK.COM

Rethink Third-Party Risk Management

  • 1. CTEK SUMMER SERIES: Be Ready. Be Resilient. Validate. ACTIONABLE TACTICS TO RETHINK THIRD-PARTY RISK
  • 2. MEET OUR SPEAKERS: INDUSTRY THOUGHT LEADERS
    • Dave Bailey, Vice President, Security Services
    • Andrew Mahler, Director, Privacy, Compliance, & Managed Services
    • Ratana Kong DeLuca, Information Security Consultant
  • 3. POLL QUESTION (NOT INTENDED FOR PUBLIC RELEASE)
  • 4. POLL QUESTION
  • 5. POLL QUESTION
  • 7. Supply Chain was the second lowest-scoring & least mature category overall, scoring an average of 2.7 in our 2021 annual report. Supply Chain attacks have risen by 42% in the first quarter of 2021. Cyber attacks were increasing by 12% quarter-on-quarter, and the number of individuals affected by each breach increased by 564%. Source: https://www.infoguardsecurity.com/supply-chain-cyber-attacks-see-a-troubling-rise/
  • 8. NIST CSF CONFORMANCE
    • 70 organizations with more than one assessment in a four (4) year period
    • 64% of organizations are below a passing grade (80% conformance)
    • Each of the 23 CSF controls is assessed using the COBIT Maturity Model (0-5 scale)
    • Conformance is determined by a maturity rating of three (3) or higher
    • At a minimum, a conforming control must have a process that achieves its purpose and is well defined
  • 9. PERFORMANCE BY CATEGORY
    • 75% of organizations improved since last assessment
    • 25% of organizations declined since last assessment
    • Industry is progressing but not enough
    • High performing and low performing categories were used to present a clearer picture of the state of healthcare
  • 10. NIST - IDENTIFY
    • Lack of knowledge or control of all network-connected devices
    • Informal practices to address third-party risk
    • M&A impacts to mature practices
  • 12. SECURITY PERSPECTIVE
    • Formal practices to evaluate vendors prior to procurement
    • Risk appetite and tolerance
    • Validating secure coding practices
  • 14. 80% of data breaches originated with a third party, and 29% of companies have no visibility into the security of their third-party partners. Source: https://www.forbes.com/sites/forbestechcouncil/2021/03/09/controlling-the-controllables-in-cybersecurity/?sh=423bfb64753f
  • 15. 2016-2017 HIPAA AUDITS INDUSTRY REPORT
    • 12% of business associates fulfilled the requirement to implement appropriate risk management mechanisms.
    • While few audited business associates reported a breach of ePHI, those that did generally evidenced minimal or negligible efforts to address audited requirements.
    • Source: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf
  • 16. IMPORTANT TERM - BUSINESS ASSOCIATE
    • A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
    • A covered entity’s contract or other written arrangement with its business associate must contain certain required elements.
    • Business associates can be vendors, but not all vendors are business associates.
  • 17. 10 MYTHS ABOUT VENDORS AND HIPAA
    1. All vendors are business associates.
    2. We can't assess every business associate.
    3. BAAs are always optional.
    4. The Privacy Office is probably tracking all BAAs.
    5. The only vendors I need to worry about are vendors with ePHI.
    6. HIPAA only pertains to providers.
    7. HIPAA is the only rule or law that provides requirements about vendors.
    8. I have no responsibilities if a vendor experiences a breach.
    9. HIPAA requires constant monitoring and assessment of vendors.
    10. HIPAA requires an annual assessment of vendors.
  • 18. PRIVACY PERSPECTIVE
    • Does your organization treat vendor and business associate compliance differently?
    • Implement clear, collaborative processes related to business associate agreements
    • Has the process ever been reviewed by a third party?
    • Where are BAAs, and who is responsible for ensuring compliance (template approval, negotiation, etc.)?
    • Review existing contracts/BAAs
    • What about individual rights? Is a vendor facilitating requests to access
  • 19. OCR HIPAA AUDITS INDUSTRY REPORT
  • 20. OCR HIPAA AUDITS INDUSTRY REPORT
  • 21. RECENT ENFORCEMENT
    • Clinical Laboratory Pays $25,000 to Settle Potential HIPAA Security Rule Violations
    • On January 7, 2015, the U.S. Department of Veterans Affairs reported a breach of unsecured ePHI involving the VA’s Telehealth Services Program, managed by business associate Authentidate Holding Corporation (AHC).
    • Aetna Pays $1,000,000 to Settle Three HIPAA Breaches
    • Two web services used to display plan-related documents to health plan members allowed documents to be accessible without login credentials and indexed by various internet search engines.
    • Benefit notices were mailed using window envelopes.
    • Research study mailing.
  • 22. RECENT ENFORCEMENT
    • HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
    • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics. On April 10, 2014, an Advanced Persistent Threat group compromised administrative credentials and remotely accessed CHSPSC’s information system through its VPN.
    • Health Care Provider Pays $100,000 Settlement to OCR
    • OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate. Elevation43, a business associate of Dr. Porter's EHR company, was impermissibly using the Practice's patients' ePHI by blocking the Practice's access until Dr. Porter paid Elevation43 $50,000.
  • 24. COMPLIANCE PERSPECTIVE
    • Contract Due Diligence Reviews and Negotiation
    • Accountability Enforcement
    • Post-execution Validation Review
  • 25. WHAT ABOUT VENDOR NON-COMPLIANCE?
    • Add requirements to RFPs (or renewals)
    • Review agreement/requirements with the vendor
    • Assess the vendor
    • Escalate to leadership
    • Evaluate alternatives to the service
    • Give notice/terminate the contract
  • 27. THIRD-PARTY RISK BEST PRACTICES
    • Formal pre-screening security assessment processes
    • Third-party risk identification and management plan
    • Comprehensive contract negotiation and review strategy
    • Post-execution implementation plan
    • Periodic contract performance and validation reviews
  • 28. THIRD-PARTY RISK BEST PRACTICES
    • Include vendor risk as part of the enterprise risk analysis
    • Perform vendor security assessments on a routine basis and after incidents
    • Utilize a third party to support vendor oversight
    • Implement processes around vendor contracts and BAAs (know the roles of each office)
  • 29. RESILIENCE VALIDATION™: STATE OF HEALTHCARE SECURITY & PRIVACY
    • As threats evolve, CynergisTek has evolved to help clients ensure they have an approach that responds every day
    • Understand that security and privacy are about the journey, not the destination
    • Tailored program through our Assess, Build, Manage, Validate service offering to prepare, rehearse, and validate that security & privacy are working as expected
  • 30. cynergistek.com. CYNERGISTEK RESOURCES: PODCAST | VIDEOS | BLOG. We are here to help! Thank you. dave.bailey@cybergistek.com, andrew.mahler@cynergistek.com

Editor's Notes

  1. Yes | No | Only for vendors with access to IT systems | We have something, but it's informal