Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP
Senior Manager, Wipfli Risk Advisory Services

OBJECTIVES
- What should be done before you sign a contract with a vendor
- Your responsibilities throughout the relationship
- What every organization already has in place as a basis for a vendor management program
- The relationship between vendor and risk management
- Assessing vendor risk
Report: Average cost of health care data breach is $717K

The annual 2017 NetDiligence Cyber Claims Study revealed that the health care and professional services sectors each represented 18% of total data breaches in 2017, with 27% of breaches attributed to hackers and 25% involving insiders. The average cost of a data breach for the health care industry was $717,000 -- which included crisis services, legal defense and legal settlement fees -- compared with the average cost of $394,000 across sectors.

Source: Becker's Hospital Review

Speaking at the National HIPAA Summit this year, Molly Crawford, the Chief of Staff for the FTC's privacy and identification division, made the following points:
- Companies need to have contracts in place to specifically address privacy and security.
- It is estimated that almost two-thirds of data breaches are tied to or directly caused by third-party vendors.
- It is a fact. More third-party vendors mean a higher risk of a data breach.
- While a third-party vendor management program is critical for managing vendor relationships, these programs must go beyond surveys and assessments.
- Companies need to hold vendors contractually liable for their actions and inactions with regard to security. An effective way to do this is through a separate information security agreement (ISA) as an exhibit to the underlying procurement, master services or licensing agreement.
- The ISA should address technical issues (e.g. auditing, employee management, encryption), but also legal issues associated with security, including provisions related to indemnification, liability, breach response and insurance.

Terminology

Risk Assessment - Process of identifying and prioritizing risks to the confidentiality, integrity, and availability of PHI. Identification without analysis, followed up by a risk analysis.
Risk Analysis - In-depth analysis of identified risks to determine the likelihood of occurrence and impact, then determining the risk mitigation activities required to reduce the risk to an acceptable level.

Business Associate/Third Party/Vendor/Contractor - A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Due Diligence - The process by which an organization or third party is evaluated to determine their suitability for a given task. Due diligence is an ongoing activity, including review, monitoring, and management communication over the entire relationship.
2003 versus 2013

HIPAA Security Rule (2003):
- CE must have a written contract with BA that requires BA to safeguard PHI and not use or disclose PHI other than as provided by the contract, which must also ensure that any subcontractors agree to these same restrictions
- BA not directly liable for violations, but contractually liable

Post-HIPAA Omnibus (2013):
- Contract between CE and BA required, and the BA must comply with certain Privacy and Security Rule requirements and is directly liable for violations
- If CE delegates a Privacy Rule obligation to BA, the contract must require BA to perform in compliance with the HIPAA Rules
- If a contract between BA and subcontractor is required, it must be as stringent as the CE-BA contract
- BA directly and contractually liable for violations of applicable provisions of HIPAA
- BAs are liable whether or not they have an agreement in place with the CE

Steps to Creating a Vendor Management Program
1. Identify your organization's third party relationships
2. Categorize third party relationships according to risk
3. Obtain satisfactory assurances that third party organizations have the appropriate security/privacy controls in place
4. Set expectations with third party organizations
5. Continuously monitor/reassess
6. Establish a third party risk management program

Important Note: All third party relationships, regardless of HIPAA, present risk to the organization and information security.

Third Party Identification
- Contractors
- Consultants
- Auditors
- Attorneys
- Outsourced health care services (e.g. third party administrator/claims processing, independent medical transcriptionist, pharmacy benefits manager, etc.)
- Outsourced IT services (e.g. data center, cloud backup, technology support)
- Technology vendor (e.g. EMR/EHR)
- Shredding companies, offsite storage, couriers, asset lending organizations (medical equipment, business machines, etc.)
Third Party Risk Classification (High/Medium/Low)
- WHERE: Access onsite only, offsite office, remote/telework, offsite processing/use, supervised/unsupervised
- WHAT: Amount of protected health information involved
- WHO: Supervised vs unsupervised, sub-contractors, etc.
- OTHER: Ongoing or limited access, assets used/ownership
- Incidental vs practical exposure

Obtaining Satisfactory Assurances
- Closely related to identification and classification
- Checklist/questionnaire
- Onsite assessment
- Self assessment
- Third party assessment
- Evidence (e.g. report vs attestation letter)
- Bottom line = Due Diligence

Setting Expectations with Third Parties
- Business Associate Agreements
- Service Level Agreements (SLA)
- Master Service Agreements (MSA)
- Information Security Agreement (ISA)
- Periodic service review meetings
- Annual review of SLA, MSA and ISA
- Advance communication of changes to services
- Maintain a security/privacy program with a named security officer
- Ongoing training of employees
- Maintaining security governance (policies/procedures)
- Sanctions/penalties/termination of contract
- Incident management and breach notification (i.e. who is responsible)
- Annual risk assessment (i.e. self vs third party)
- Use of sub-contractors
- Risk mitigation - timeliness
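The classification and assurance slides above describe a tiering exercise without giving a formula. The following Python scorer is an added example (not code from the presentation or from Wipfli) that turns the slide's WHERE/WHAT/WHO/OTHER factors into a High/Medium/Low tier and maps each tier to the assurance methods the assurances slide lists. The factor weights, the thresholds, the 500-record cutoff, the "practical exposure is never Low" floor and the tier-to-method mapping are all assumptions made for this example; the three sample vendors are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Tier(str, Enum):
    HIGH = "High"
    MEDIUM = "Medium"
    LOW = "Low"


@dataclass(frozen=True)
class Vendor:
    """One third-party relationship, described with the slide's four factor groups."""
    name: str
    access_locations: frozenset   # WHERE: onsite, offsite_office, remote, offsite_processing
    supervised: bool              # WHERE/WHO: supervised vs unsupervised access
    phi_records: int              # WHAT: approximate number of PHI records involved
    uses_subcontractors: bool     # WHO: sub-contractors in the chain
    ongoing_access: bool          # OTHER: ongoing vs limited access
    vendor_owned_assets: bool     # OTHER: vendor brings its own equipment/systems
    exposure: str                 # OTHER: "practical" (PHI is the service) or "incidental"


# Assumed weights and thresholds for this example; tune to your own risk appetite.
LOCATION_WEIGHT = {"onsite": 1, "offsite_office": 2, "remote": 3, "offsite_processing": 3}
HIGH_THRESHOLD = 10
MEDIUM_THRESHOLD = 5

# The methods come from the "Obtaining Satisfactory Assurances" slide;
# which tier requires which method is an assumption of this example.
ASSURANCE = {
    Tier.HIGH: ["third party assessment or onsite assessment",
                "evidence: SOC 1/2 report, not only an attestation letter"],
    Tier.MEDIUM: ["self assessment with supporting evidence",
                  "attestation letter acceptable, report preferred"],
    Tier.LOW: ["checklist/questionnaire"],
}


def risk_score(v: Vendor) -> int:
    """Additive score over the four factor groups (max 16 under the assumed weights)."""
    if not v.access_locations:
        raise ValueError(f"{v.name}: at least one access location is required")
    # WHERE: the riskiest access location counts, so multiple locations are not double-counted.
    score = max(LOCATION_WEIGHT[loc] for loc in v.access_locations)
    if not v.supervised:
        score += 2
    # WHAT: volume of PHI; 500 records is an assumed cutoff for this example.
    if v.phi_records >= 500:
        score += 4
    elif v.phi_records > 0:
        score += 2
    # WHO
    if v.uses_subcontractors:
        score += 2
    # OTHER
    if v.ongoing_access:
        score += 2
    if v.vendor_owned_assets:
        score += 1
    if v.exposure == "practical":
        score += 2
    return score


def classify(v: Vendor) -> Tier:
    score = risk_score(v)
    if score >= HIGH_THRESHOLD:
        return Tier.HIGH
    # Floor: a vendor whose service consists of handling PHI is never Low.
    if score >= MEDIUM_THRESHOLD or (v.exposure == "practical" and v.phi_records > 0):
        return Tier.MEDIUM
    return Tier.LOW


def assess(v: Vendor) -> dict:
    """Tier plus the due-diligence follow-up the tier calls for."""
    tier = classify(v)
    return {
        "vendor": v.name,
        "score": risk_score(v),
        "tier": tier.value,
        # Any use or disclosure of PHI on the covered entity's behalf needs a BAA.
        "baa_required": v.phi_records > 0,
        "assurance": ASSURANCE[tier],
    }


# Constructed sample vendors drawn from the "Third Party Identification" categories.
CLOUD_BACKUP = Vendor("cloud backup provider", frozenset({"remote", "offsite_processing"}),
                      supervised=False, phi_records=50_000, uses_subcontractors=True,
                      ongoing_access=True, vendor_owned_assets=True, exposure="practical")
TRANSCRIPTIONIST = Vendor("independent medical transcriptionist", frozenset({"remote"}),
                          supervised=False, phi_records=300, uses_subcontractors=False,
                          ongoing_access=False, vendor_owned_assets=False, exposure="practical")
EQUIPMENT_LENDER = Vendor("business machine lender", frozenset({"onsite"}),
                          supervised=True, phi_records=0, uses_subcontractors=False,
                          ongoing_access=False, vendor_owned_assets=True, exposure="incidental")

if __name__ == "__main__":
    for vendor in (CLOUD_BACKUP, TRANSCRIPTIONIST, EQUIPMENT_LENDER):
        print(assess(vendor))
```

Using the worst access location rather than summing them keeps a vendor with several access paths from outscoring one whose single path is more exposed, and the practical-exposure floor enforces the slide's incidental-versus-practical distinction even when the numeric score is low.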
Continuous Monitoring/Reassessment
- Review risk assessments, SOC 1/2 reports, etc.
- Periodically review service performance against agreements
- Perform periodic compliance reviews
- Schedule ongoing meetings with vendors; don't wait until something bad happens

Vendor Management Program
- Vendor Management policy/procedure
- Required agreements (i.e. SLA, MSA, BAA, ISA)
- Defined workflows (i.e. onboarding/offboarding)
- Includes vendors, contractors, business associates, consultants, etc.
- Addresses entire vendor lifecycle (negotiation through contract termination)
- Based on risk management principles and program
- Defined penalties/sanctions/causes for termination of relationship
- Continuous monitoring/service level reviews

Key to Success
- Obtain organizational leadership support
- Early identification of third party organizations
- Collaborate with the procurement/contract office
- Know your responsibilities for complying with HIPAA
- Establish expectations with third party organizations
- Accept the fact that third party relationships are not all alike
- Establish a formal third party risk management program
- Know when to leverage outside help to assess third party risk
- Obtain senior leadership approval and support
- Champions (e.g. compliance, privacy, general counsel, board of directors/trustees, etc.)
- Beware of Shadow IT
Firm Statistics
- Headquarters: Milwaukee, Wisconsin
- Founded: 1930 (firm is 88 years old)
- FY17 Net Revenue: $275 million
- Number of associates (headcount, including partners): 2,000+
- Number of partners: 245
- Number of CPAs (firm wide): 671
- Number of offices (firm wide): 51 (49 offices in the U.S. and 2 offices in India)
- Number of states: 11
- Number of clients: Over 60,000 businesses and individuals across the country
- Ranking: Top 20 CPA firm in the U.S. (based on revenue)
  - #19 - Inside Public Accounting's 2017 IPA 100, August 2017
  - #21 - Accounting Today's Top 100 Firms, March 2017

Our Mission: To Contribute to the Success of our Associates and Clients.

Wipfli Risk Advisory Services

Key Services:
- Risk Compliance
  - HIPAA Security Risk Assessment
  - HIPAA Privacy Assessment
  - HITRUST Assessments
  - Emergency Preparedness Plan Development
  - 340B Compliance Review
- SOC 1 & 2 Audits
- Governance - Policy & Procedure Development
- Security Advisory Services (vCISO)
- Security Education, Training & Awareness for the Workforce
- Information Security Risk Management
- Security Vulnerability Testing (cybersecurity)
- IT Audit
- Managed Services
- Business Continuity Planning
Rick Ensenbach, CISSP, CISA, CISM, ISSMP, CCSFP
Senior Manager, Healthcare Risk Advisory Services
3703 Oakwood Hills Parkway, Eau Claire, WI 54701
C: 651-587-1313
rensenbach@wipfli.com
www.linkedin.com/in/rickensenbach
www.wipfli.com/healthcare