Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP
Senior Manager, Wipfli Risk Advisory Services


OBJECTIVES

- What should be done before you sign a contract with a vendor
- Your responsibilities throughout the relationship
- What every organization already has in place as a basis for a vendor management program
- The relationship between vendor and risk management
- Assessing vendor risk

Report: Average cost of health care data breach is $717K

The annual 2017 NetDiligence Cyber Claims Study revealed that the health care and professional services sectors each represented 18% of total data breaches in 2017, with 27% of breaches attributed to hackers and 25% involving insiders. The average cost of a data breach for the health care industry was $717,000, which included crisis services, legal defense and legal settlement fees, compared with the average cost of $394,000 across sectors. (Becker's Hospital Review)

FTC perspective

Speaking at the National HIPAA Summit this year, Molly Crawford, Chief of Staff for the FTC's privacy and identification division, made the following points:

- Companies need to have contracts in place that specifically address privacy and security.
- It is estimated that almost two-thirds of data breaches are tied to or directly caused by third-party vendors.
- It is a fact: more third-party vendors mean a higher risk of a data breach.
- While a third-party vendor management program is critical for managing vendor relationships, these programs must go beyond surveys and assessments.
- Companies need to hold vendors contractually liable for their actions and inactions with regard to security. An effective way to do this is through a separate information security agreement (ISA) as an exhibit to the underlying procurement, master services or licensing agreement.
- The ISA should address technical issues (e.g. auditing, employee management, encryption) but also the legal issues associated with security, including provisions related to indemnification, liability, breach response and insurance.

Terminology

Risk Assessment - Process of identifying and prioritizing risks to the confidentiality, integrity, and availability of PHI. Identification without analysis, followed up by a risk analysis.

Risk Analysis - In-depth analysis of identified risks to determine the likelihood of occurrence and impact, then determining the risk mitigation activities required to reduce the risk to an acceptable level.

Business Associate/Third Party/Vendor/Contractor - A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Due Diligence - The process by which an organization or third party is evaluated to determine its suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire relationship.

2003 versus 2013

2003 HIPAA Security Rule:

- The CE must have a written contract with the BA that requires the BA to safeguard PHI and not use or disclose PHI other than as provided by the contract; the contract must also ensure that any subcontractors agree to these same restrictions.
- The BA is not directly liable for violations, but is contractually liable.

Post-HIPAA Omnibus (2013):

- A contract between the CE and BA is required, and the BA must comply with certain Privacy and Security Rule requirements and is directly liable for violations.
- If the CE delegates a Privacy Rule obligation to the BA, the contract must require the BA to perform in compliance with the HIPAA Rules.
- If a contract between the BA and a subcontractor is required, it must be as stringent as the CE-BA contract.
- The BA is directly and contractually liable for violations of applicable provisions of HIPAA.
- BAs are liable whether or not they have an agreement in place with the CE.

Steps to Creating a Vendor Management Program

1. Identify your organization's third party relationships
2. Categorize third party relationships according to risk
3. Obtain satisfactory assurances that third party organizations have the appropriate security/privacy controls in place
4. Set expectations with third party organizations
5. Continuously monitor/reassess
6. Establish a third party risk management program

Important Note: All third party relationships, regardless of HIPAA, present risk to the organization and to information security.

Third Party Identification

- Contractors
- Consultants
- Auditors
- Attorneys
- Outsourced health care services (e.g. third party administrator/claims processing, independent medical transcriptionist, pharmacy benefits manager, etc.)
- Outsourced IT services (e.g. data center, cloud backup, technology support)
- Technology vendor (e.g. EMR/EHR)
- Shredding companies, offsite storage, couriers, asset lending organizations (medical equipment, business machines, etc.)

Third Party Risk Classification (High/Medium/Low)

- WHERE: Access onsite only, offsite office, remote/telework, offsite processing/use, supervised/unsupervised
- WHAT: Amount of protected health information involved
- WHO: Supervised vs unsupervised, sub-contractors, etc.
- OTHER: Ongoing or limited access, assets used/ownership
- Incidental vs practical exposure

Obtaining Satisfactory Assurances

- Closely related to identification and classification
- Checklist/questionnaire
- Onsite assessment
- Self assessment
- Third party assessment
- Evidence (e.g. report vs attestation letter)
- Bottom line = due diligence

Setting Expectations with Third Parties

- Business Associate Agreements (BAA)
- Service Level Agreements (SLA)
- Master Service Agreements (MSA)
- Information Security Agreement (ISA)
- Periodic service review meetings
- Annual review of SLA, MSA and ISA
- Advance communication of changes to services
- Maintain a security/privacy program with a named security officer
- Ongoing training of employees
- Maintaining security governance (policies/procedures)
- Sanctions/penalties/termination of contract
- Incident management and breach notification (i.e. who is responsible)
- Annual risk assessment (i.e. self vs third party)
- Use of sub-contractors
- Risk mitigation - timeliness

Continuous Monitoring/Reassessment

- Review risk assessments, SOC 1/2 reports, etc.
- Periodically review service performance against agreements
- Perform periodic compliance reviews
- Schedule ongoing meetings with vendors; don't wait until something bad happens

Vendor Management Program

- Vendor Management policy/procedure
- Required agreements (i.e. SLA, MSA, BAA, ISA)
- Defined workflows (i.e. onboarding/offboarding)
- Includes vendors, contractors, business associates, consultants, etc.
- Addresses the entire vendor lifecycle (negotiation through contract termination)
- Based on risk management principles and program
- Defined penalties/sanctions/causes for termination of the relationship
- Continuous monitoring/service level reviews

Key to Success

- Obtain organizational leadership support
- Early identification of third party organizations
- Collaborate with the procurement/contract office
- Know your responsibilities for complying with HIPAA
- Establish expectations with third party organizations
- Accept the fact that third party relationships are not all alike
- Establish a formal third party risk management program
- Know when to leverage outside help to assess third party risk
- Obtain senior leadership approval and support
- Champions (e.g. compliance, privacy, general counsel, board of directors/trustees, etc.)
- Beware of Shadow IT

Firm Statistics

- Headquarters: Milwaukee, Wisconsin
- Founded: 1930 (firm is 88 years old)
- FY17 Net Revenue: $275 million
- Number of associates (headcount, including partners): 2,000+
- Number of partners: 245
- Number of CPAs (firm wide): 671
- Number of offices (firm wide): 51 offices (49 offices in the U.S. and 2 offices in India)
- Number of states: 11
- Number of clients: Over 60,000 businesses and individuals across the country
- Ranking: Top 20 CPA firm in the U.S. (based on revenue)
  - #19 - Inside Public Accounting's 2017 IPA 100 (August 2017)
  - #21 - Accounting Today's Top 100 Firms (March 2017)

Our Mission: To Contribute to the Success of our Associates and Clients.

Wipfli Risk Advisory Services

Key Services:

- Risk Compliance
  - HIPAA Security Risk Assessment
  - HIPAA Privacy Assessment
  - HITRUST Assessments
  - Emergency Preparedness Plan Development
  - 340B Compliance Review
- SOC 1 & 2 Audits
- Governance - Policy & Procedure Development
- Security Advisory Services (vCISO)
- Security Education, Training & Awareness for the Workforce
- Information Security Risk Management
- Security Vulnerability Testing (cybersecurity)
- IT Audit Managed Services
- Business Continuity Planning

Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Senior Manager, Healthcare Risk Advisory Services
3703 Oakwood Hills Parkway, Eau Claire, WI 54701
C: 651-587-1313
rensenbach@wipfli.com
www.linkedin.com/in/rickensenbach
www.wipfli.com/healthcare