Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP, Senior Manager, Wipfli Risk Advisory Services
OBJECTIVES
- What should be done before you sign a contract with a vendor
- Your responsibilities throughout the relationship
- What every organization already has in place as a basis for a vendor management program
- The relationship between vendor and risk management
- Assessing vendor risk
Report: Average cost of health care data breach is $717K
The annual 2017 NetDiligence Cyber Claims Study revealed that the health care and professional services sectors each represented 18% of total data breaches in 2017, with 27% of breaches attributed to hackers and 25% involving insiders. The average cost of a data breach for the health care industry was $717K, which included crisis services, legal defense and legal settlement fees, compared with the average cost of $394,000 across sectors. (Becker's Hospital Review)

Speaking at the National HIPAA Summit this year, Molly Crawford, the Chief of Staff for the FTC's privacy and identification division, made the following points:
- Companies need to have contracts in place to specifically address privacy and security.
- It is estimated that almost 2/3rds of data breaches are tied to or directly caused by third-party vendors. It is a fact: more third party vendors mean a higher risk of a data breach.
- While a third party vendor management program is critical for managing vendor relationships, these programs must go beyond surveys and assessments.
- Companies need to hold vendors contractually liable for their actions and inactions with regard to security. An effective way to do this is through a separate information security agreement (ISA) as an exhibit to the underlying procurement, master services or licensing agreement.
- The ISA should address technical issues (e.g. auditing, employee management, encryption), but also the legal issues associated with security, including provisions related to indemnification, liability, breach response and insurance.

Terminology
- Risk Assessment: Process of identifying and prioritizing risks to the confidentiality, integrity, and availability of PHI. Identification without analysis, followed up by a risk analysis.
- Risk Analysis: In-depth analysis of identified risks to determine the likelihood of occurrence and impact, then determining the risk mitigation activities required to reduce the risk to an acceptable level.
- Business Associate/Third Party/Vendor/Contractor: A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
- Due Diligence: The process by which an organization or third party is evaluated to determine their suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire relationship.
2003 versus 2013
HIPAA Security Rule:
- CE must have a written contract with BA that requires BA to safeguard PHI and not use or disclose PHI other than as provided by the contract, which must also ensure that any subcontractors agree to these same restrictions
- BA not directly liable for violations, but contractually liable
Post-HIPAA Omnibus:
- Contract between CE and BA required, and the BA must comply with certain Privacy and Security Rule requirements and is directly liable for violations
- If CE delegates a Privacy Rule obligation to BA, the contract must require BA to perform in compliance with the HIPAA Rules
- If a contract between BA and subcontractor is required, it must be as stringent as the CE-BA contract
- BA directly and contractually liable for violations of applicable provisions of HIPAA
- BAs are liable whether or not they have an agreement in place with the CE

Steps to Creating a Vendor Management Program
1. Identify your organization's third party relationships
2. Categorize third party relationships according to risk
3. Obtain satisfactory assurances that third party organizations have the appropriate security/privacy controls in place
4. Set expectations with third party organizations
5. Continuously monitor/reassess
6. Establish a third party risk management program
Important Note: All third party relationships, regardless of HIPAA, present risk to the organization and information security.

Third Party Identification
- Contractors
- Consultants
- Auditors
- Attorneys
- Outsourced health care services (e.g. third party administrator/claims processing, independent medical transcriptionist, pharmacy benefits manager, etc.)
- Outsourced IT services (e.g. data center, cloud backup, technology support)
- Technology vendor (e.g. EMR/EHR)
- Shredding companies, offsite storage, couriers, asset lending organizations (medical equipment, business machines, etc.)
Third Party Risk Classification (High/Medium/Low)
- WHERE: Access onsite only, offsite office, remote/telework, offsite processing/use, supervised/unsupervised
- WHAT: Amount of protected health information involved
- WHO: Supervised vs unsupervised, sub-contractors, etc.
- OTHER: Ongoing or limited access, assets used/ownership
- Incidental vs Practical exposure

Obtaining Satisfactory Assurances
- Closely related to identification and classification
- Checklist/Questionnaire
- Onsite assessment
- Self assessment
- Third party assessment
- Evidence (e.g. report vs attestation letter)
- Bottom line = Due Diligence

Setting Expectations with Third Parties
- Business Associate Agreements
- Service Level Agreements (SLA)
- Master Service Agreements (MSA)
- Information Security Agreement (ISA)
- Periodic service review meetings
- Annual review of SLA, MSA and ISA
- Advance communication of changes to services
- Maintain a security/privacy program with a named security officer
- Ongoing training of employees
- Maintaining security governance (policies/procedures)
- Sanctions/penalties/termination of contract
- Incident management and breach notification (i.e. who is responsible)
- Annual risk assessment (i.e. self vs third party)
- Use of sub-contractors
- Risk mitigation - timeliness
Continuous Monitoring/Reassessment
- Review risk assessments, SOC 1/2 reports, etc.
- Periodically review service performance against agreements
- Perform periodic compliance reviews
- Schedule ongoing meetings with vendors; don't wait until something bad happens

Vendor Management Program
- Vendor Management policy/procedure
- Required agreements (i.e. SLA, MSA, BAA, ISA)
- Defined workflows (i.e. onboarding/offboarding)
- Includes vendors, contractors, business associates, consultants, etc.
- Addresses the entire vendor lifecycle (negotiation through contract termination)
- Based on risk management principles and program
- Defined penalties/sanctions/causes for termination of relationship
- Continuous monitoring/service level reviews

Key to Success
- Obtain organizational leadership support
- Early identification of third party organizations
- Collaborate with the procurement/contract office
- Know your responsibilities for complying with HIPAA
- Establish expectations with third party organizations
- Accept the fact that third party relationships are not all alike
- Establish a formal third party risk management program
- Know when to leverage outside help to assess third party risk
- Obtain senior leadership approval and support
- Champions (e.g. compliance, privacy, general counsel, board of directors/trustees, etc.)
- Beware of Shadow IT
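The risk classification factors (WHERE/WHAT/WHO/OTHER), the tiered assurance evidence, and the reassessment cadence described in the slides above, worked through as an added example. This is not code from the presentation or from Wipfli; the point values, tier thresholds, evidence requirements and review intervals are assumptions chosen for illustration, and the vendor inventory is constructed. A real program would take those parameters from its own vendor management policy.

```python
"""Third-party risk tiering: a worked example (added, not part of the slide deck).

Scores a third party on the deck's WHERE / WHAT / WHO / OTHER factors, assigns a
High/Medium/Low tier, and derives the assurance evidence to request and the
reassessment cadence for that tier. All weights, thresholds and intervals are
assumed values for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum


class Tier(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


# WHERE: how the third party reaches PHI (assumed point values)
ACCESS_SCORES = {
    "onsite_supervised": 1,
    "onsite_unsupervised": 2,
    "remote": 3,               # telework / VPN / web portal access
    "offsite_processing": 4,   # PHI leaves our environment (hosted EHR, cloud backup)
}

# WHAT: volume of PHI the relationship exposes (assumed point values)
PHI_VOLUME_SCORES = {
    "none": 0,
    "incidental": 1,   # may see PHI while doing something else (e.g. facilities work)
    "limited": 2,      # a defined subset of records
    "bulk": 4,         # full record sets or databases
}

# Assurance evidence and reassessment interval (days) per tier (assumed policy)
TIER_REQUIREMENTS = {
    Tier.HIGH: ("third-party assessment or SOC 2 Type II report", 365),
    Tier.MEDIUM: ("completed security questionnaire with supporting evidence", 730),
    Tier.LOW: ("self-attestation letter", 1095),
}


@dataclass
class ThirdParty:
    name: str
    access: str               # key of ACCESS_SCORES
    phi_volume: str           # key of PHI_VOLUME_SCORES
    uses_subcontractors: bool  # WHO
    ongoing_access: bool       # OTHER: ongoing vs limited/one-time engagement
    holds_our_assets: bool     # OTHER: manages organization-owned equipment or data
    baa_in_place: bool


def risk_score(tp: ThirdParty) -> int:
    """Sum the WHERE/WHAT/WHO/OTHER factors into a single integer score."""
    score = ACCESS_SCORES[tp.access] + PHI_VOLUME_SCORES[tp.phi_volume]
    if tp.uses_subcontractors:  # the downstream chain must be as stringent as the CE-BA contract
        score += 2
    if tp.ongoing_access:       # ongoing exposure outweighs a one-off engagement
        score += 1
    if tp.holds_our_assets:
        score += 1
    return score


def classify(tp: ThirdParty) -> Tier:
    """Map the score to High/Medium/Low; no PHI at all is Low regardless of score."""
    if tp.phi_volume == "none":
        return Tier.LOW
    score = risk_score(tp)
    if score >= 8:
        return Tier.HIGH
    if score >= 5:
        return Tier.MEDIUM
    return Tier.LOW


def next_reassessment(tp: ThirdParty, last_reviewed: date) -> date:
    """Continuous monitoring: when the next reassessment is due for this tier."""
    _, interval_days = TIER_REQUIREMENTS[classify(tp)]
    return last_reviewed + timedelta(days=interval_days)


def findings(tp: ThirdParty) -> list[str]:
    """Gaps to raise before signing or at review; a BA without a BAA is a hard stop."""
    issues = []
    if tp.phi_volume != "none" and not tp.baa_in_place:
        issues.append(f"{tp.name}: handles PHI but no Business Associate Agreement on file")
    if tp.phi_volume != "none" and tp.uses_subcontractors:
        issues.append(f"{tp.name}: confirm subcontractor agreements are as stringent as the CE-BA contract")
    return issues


if __name__ == "__main__":
    # Constructed sample inventory (fictional third parties)
    inventory = [
        ThirdParty("Hosted EHR vendor", "offsite_processing", "bulk", True, True, False, True),
        ThirdParty("Medical transcriptionist", "remote", "limited", False, True, False, False),
        ThirdParty("Shredding company", "onsite_supervised", "incidental", False, True, False, True),
        ThirdParty("Landscaping contractor", "onsite_unsupervised", "none", False, True, False, False),
    ]
    for tp in inventory:
        tier = classify(tp)
        evidence, _ = TIER_REQUIREMENTS[tier]
        due = next_reassessment(tp, date(2018, 1, 1))
        print(f"{tp.name:26} score={risk_score(tp):2} tier={tier.value:6} next review {due} evidence: {evidence}")
    for issue in (i for tp in inventory for i in findings(tp)):
        print("FINDING:", issue)
```

The scoring is deliberately additive and transparent so a compliance officer can defend each tier assignment from the inventory record; the one non-additive rule, treating "no PHI" as Low regardless of access, mirrors the deck's "Important Note" that such relationships still carry general vendor risk but fall outside the HIPAA-driven assurance cadence.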
Firm Statistics
- Headquarters: Milwaukee, Wisconsin
- Founded: 1930 (firm is 88 years old)
- FY17 Net Revenue: $275 million
- Number of associates (headcount, including partners): 2,000+
- Number of partners: 245
- Number of CPAs (firm wide): 671
- Number of offices (firm wide): 51 (49 offices in the U.S. and 2 offices in India)
- Number of states: 11
- Number of clients: Over 60,000 businesses and individuals across the country
- Ranking: Top 20 CPA firm in the U.S. (based on revenue); #19 in Inside Public Accounting's 2017 IPA 100 (August 2017); #21 in Accounting Today's Top 100 Firms (March 2017)
- Our Mission: To Contribute to the Success of our Associates and Clients.

Wipfli Risk Advisory Services
Key Services:
- Risk Compliance
  - HIPAA Security Risk Assessment
  - HIPAA Privacy Assessment
  - HITRUST Assessments
  - Emergency Preparedness Plan Development
  - 340B Compliance Review
- SOC 1 & 2 Audits
- Governance: Policy & Procedure Development
- Security Advisory Services (vCISO)
- Security Education, Training & Awareness for the Workforce
- Information Security Risk Management
- Security Vulnerability Testing (cybersecurity)
- IT Audit
- Managed Services
- Business Continuity Planning
Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Senior Manager, Healthcare Risk Advisory Services
3703 Oakwood Hills Parkway, Eau Claire, WI
C:
More informationASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016
ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016 Charles J. Brennan Chief Information Officer Office of Innovation and Technology 1234 Market
More informationPutnam Valley Central School District. Information Technology Internal Audit Report August 2017
Putnam Valley Central School District Information Technology Internal Audit Report August 2017 August 30, 2017 Audit Committee Putnam Valley Central School District 146 Peekskill Hollow Road Putnam Valley,
More informationStacey Carr, Division Privacy Officer. Ram Ramadoss, Director, Privacy and Information Security oversight Catholic Health Initiatives
Stacey Carr, Division Privacy Officer Ram Ramadoss, Director, Privacy and Information Security oversight Catholic Health Initiatives 1 HIPAA & Healthcare Industry Overview Overview of Omnibus Rule Changes
More informationWHITE PAPER EU General Data Protection Regulation Compliance
WHITE PAPER EU General Data Protection Regulation Compliance Table of Contents 1. SAP is ready for GDPR 04 1.1. Data Protection Processes 04 1.2. Data Protection Thresholds 05 1.3. Technical & Organizational
More informationHITRUST CSF Assurance Program. The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance
The Common Healthcare Industry Approach for Assessing Security and Reporting Compliance February 2017 Contents Background and Challenges.... 3 Improving Risk Management While Reducing Cost and Complexity...
More informationMODULE I: MEDICARE & MEDICAID GENERAL COMPLIANCE TRAINING
MODULE I: MEDICARE & MEDICAID GENERAL COMPLIANCE TRAINING 2 0 1 4 A Message From Our CEO and Compliance Officer At PacificSource, we pride ourselves on maintaining a culture of compliance and high ethical
More information2016 Architecture & Engineering
2016 Architecture & Engineering Market Outlook Survey The results are in... 1 Grassi & Co. and Zetlin & De Chiara LLP are pleased to announce the release of our 2016 Architecture & Engineering (A&E) Industry
More informationInformation governance for the real world
Information governance for the real world 1 2 Information governance is the activities and technologies that organizations employ to maximize the value of their information while minimizing associated
More informationTo the Point: Vendor Management PROFESSIONALS FORUM. initiative
To the Point: Vendor Management PROFESSIONALS FORUM an initiative Published by The Compliance Professionals Forum an ia Initiative 6010 Executive Blvd, Suite 802, Rockville, Maryland, 20850 editor@compliancepf.com
More informationAgreements Create Concern Guard against liability when someone else mishandles your practice s patient records.
Auditing/Compliance By Cheryl Toth, MBA photo by istockphoto LifeJourneys Redefined Business Associate Agreements Create Concern Guard against liability when someone else mishandles your practice s patient
More informationGovernment Enterprise Cloud Acquisition Practical Help for Contracting Professionals
Government Enterprise Cloud Acquisition Practical Help for Contracting Professionals Mun-Wai Hon, CISSP, CSSLP, PMP Session E10 Tuesday July 25, 2017 2 Noblis Inc. 2002 Edmund Halley Drive Reston, VA 20191
More informationPrivacy Officer s Guide to Evaluating Cloud Vendors
Privacy Officer s Guide to Evaluating Cloud Vendors Andrew Rodriguez, MSHI, HCISSP, CHPC, CHPS, CDP Corporate Privacy and Information Security Officer Shriners Hospitals for Children Adjunct Instructor
More information