Collaboration with Business Associates on Compliance

Similar documents
GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

Do You Know What Your Business Associates Subcontractors & Vendors Are Doing With Your PHI & ephi?

REGULATORY HOT TOPIC Third Party IT Vendor Management

Managing the Business Associate Relationship: From Onboarding to Breaches. March 27, 2016

Strengthening Vendor Risk Management Program

American Well Hosting Operations Guide for AmWell Customers. Version 7.0

Putnam Valley Central School District. Information Technology Internal Audit Report August 2017

HIPAA and Electronic Information

Outsourcing and the Need for Supplier Audits

ANNEX 2 Security Management Plan

Rick Ensenbach, CISSP-ISSMP, CISA, CISM, CCSFP Senior Manager, Wipfli Risk Advisory Services OBJECTIVES

C&H Financial Services. PCI and Tin Compliance Basics

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

Payment Card Industry Data Security Standard Compliance: Key Players and Relationships. By Jason Chan

Big Data, Security and Privacy: The EHR Vendor View

Tampa Bay Information Network TBIN Audit Plan

Telecommuting Program Manual

Supplier Security Directives

HIPAA Demystified: Strategies to Bullet Proof Your Compliance Plan. Chris Apgar, CISSP Ron Moser, CISA, CRISC

Standard Statement and Purpose

Liverpool Hope University

Payment Card Industry Compliance. May 12, 2011

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

RSA ARCHER IT & SECURITY RISK MANAGEMENT

Sarbanes-Oxley Compliance Kit

Living Our Purpose and Core Values CODE. Code of Business Ethics and Conduct for Vendors

STEPS FOR EFFECTIVE MANAGEMENT OF VENDOR AND SUPPLIER CYBERSECURITY RISKS. April 25, 2018 In-House Counsel Conference

They re Back! Phase 2 OCR Audits Are Underway

06.0 Data and Access Classification

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

falanx Cyber PCI-DSS: How can your organisation achieve and maintain compliance?

The Relationship Between HIPAA Compliance and Business Associates

2018 WTW General Industry Information Technology Compensation Survey Report - U.S.

External Supplier Control Obligations. Information Security

ACA COMPLIANCE PROVIDER REQUEST FOR PROPOSAL (RFP)

CREDIT CARD MERCHANT POLICY. All campuses served by Louisiana State University (LSU) Office of Accounting Services

Effective Data Governance & GDPR Compliance for the Nonprofit CFP

Vendor Management Challenges and Expectations An Open Discussion April 13, 2017

Managing. Outsourced. Conversion Services. 38 july/august 2008

PERSONAL DATA SECURITY GUIDANCE FOR MICROENTERPRISES UNDER THE GDPR

Corporate Background and Experience: Financial Soundness: Project Staffing and Organization

your resume to Initial screening of candidates to occur no later than May 1, Position open until filled.

Ensuring Organizational & Enterprise Resiliency with Third Parties

Certified Identity Governance Expert (CIGE) Overview & Curriculum

Information Asset Management Procedure

Information Security Policy

PCI Toolkit

A Message for Brokers Letter And Security Guidelines for Brokers

Self-Assessment Questionnaire (SAQ) A and Attestation of Compliance Guidance Document. Self-Assessment Questionnaire A

PREDICTIVE INTELLIGENCE SECURITY, PRIVACY, AND ARCHITECTURE

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

CREDIT CARD MERCHANT PROCEDURES MANUAL. Effective Date: 04/29/2016

Buying IoT Technology: How to Contract Securely. By Nicholas R. Merker, Partner, Ice Miller LLP

Cloud Computing Opportunities & Challenges

A PRACTICAL GUIDE FOR A RECORDS AND INFORMATION MANAGEMENT RISK & CONTROL FRAMEWORK

UNDERSTANDING PCI COMPLIANT DESKTOPS

Drive Your Business. Four Ways to Improve Your Vendor Risk Program

AWS Life Sciences Competency Consulting Partner Validation Checklist

LogLogic. Open Log Management. LogLogic LX and LogLogic ST for Enterprise. LogLogic LX Enterprise- Class Log Data Capture and Processing

Managed IT Services. Eliminating technology pains in small businesses

PCI Information Session. May NCSU PCI Team

VENDOR RISK MANAGEMENT FCC SERVICES

1 P a g e. IT Tailored to Your Needs

PCI Requirements Office of Business and Finance Issued July 2015

Humber Information Sharing Charter

External Supplier Control Obligations. Records Management

Privacy Officer s Guide to Evaluating Cloud Vendors

Data Protection Policy

BPO Asia In ormation Security Domains & Controls

Prince George s County

Guidelines for Self-Assessment of HMIS Grantee Implementation and Operations. HMIS Grant Administration Programmatic Self-Monitoring Guide

PII0IP PCI10PHI Addressing User Data Risks In A Distributed Data World

John D. Halamka, MD, MS

London. November 27 th, Results. Lanesborough Hotel

Outline of the Discussion

Understanding GxP Regulations for Healthcare

EFFORTLESSCASE THE CASE FOR DESKTOP-AS-A-SERVICE

Position Description. Senior Systems Administrator. Purpose and Scope

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Created for mike elfassi

Internal Audit Department 350 South 5 th Street, Suite 302 Minneapolis, MN (612)

Outsourcing for Success. Moving from In-house to an FIS Outsourced Solution

IBM Payments Gateway

Harbinger Escrow Services Backup and Archiving Policy. Document version: 2.8. Harbinger Group Pty Limited Delivered on: 18 March 2015

Electronic I-9 Documentation Guardian Electronic I-9 and E-Verify Compliance with 8 CFR 274a.2

Personal Mobile Device Acceptable Use Policy Training Slideshow

IBM Cloud Service Description: IBM Kenexa Skills Manager on Cloud

Security Monitoring Service Description

Audio transcripts and lesson notes

THE FIVE ELEMENTS OF AN EFFECTIVE HIPAA AUDIT PREPARATION PROGRAM

PCI Requirements Office of Business and Finance Issued July 2015

ICT budget and staffing trends in Germany

ISACA San Francisco Chapter

A Guide to Building a Healthy Dental Practice. technology mistakes that can damage or destroy 7 your dental practice - and how to avoid them

City of Las Cruces MOUNTAINS OF OPPORTUNITY

Management System Policy and Procedure Manual. Based on the requirements of ISO17021, AS9104 and Associated ANAB Accreditation Rules

Visualize Your Compliance

CONSULTING & CYBERSECURITY SOLUTIONS

The Case for Outsourcing Accounts Payable

Request for Proposals (RFP) Shared Information Technology (IT) Services for Rural Communities of Scott County, Iowa

Transcription:

Collaboration with Business Associates on Compliance HCCA Compliance Institute April 19, 2016 Balancing risk management, compliance responsibility and business growth Responsibility of entities as they engage one another in business activities Due Diligence and satisfactory assurances to evaluate business risk Vendor Management to reduce or eliminate risks 1

Co-Mingled Responsibilities of the Covered Entity and Business Associate Privacy CE must comply with all requirements BA must comply with the requirements that pertain to the activities performed Security CE must comply with all requirements BA must comply with 164.308, 164.310, 164.312, 164.314 and 164.316 Balance of Corporate Goals and Objectives and Compliance Corporate Goals Compliance Finding Balance 2

When there is Conflict? Compliance Corporate Goals Compliance says yes! Compliance Concerns Non-compliance can lead to lost revenue, loss of market share, inability to grow in a controlled market Compliance as an asset Effective compliance practices can be an arrow in your quiver during the sales process Investment for compliance was seen as a cost with no return value Investment towards compliance can equal Opportunity Costs Offenders are reported publically for their lack of controls and inefficient compliance practices Reputation in a competitive market can make the difference for growth opportunities Adding and modifying products and services without consulting compliance can lead to faster product to market but risky for non-compliance All new products, new business opportunity can be enhanced with compliance to be more appealing to a buyer. 3

Control Review Team Control Review Team Compliance Review Team established for consistent monitoring and evaluation of policies, procedures and organization risk. Resolve conflict ensuring the adherence to corporate policy while reducing or eliminating risks for the organization. Ultimately the members of this team are the decision makers to determine when identified risk is acceptable risk and when decisions must be made to reduce or eliminate the risk that has been identified for existing or new operations. Summary of Responsibilities For all entities meeting the definition of a Covered Entity, Business Associate or Subcontractor general responsibilities we can all agree on would include: Protection of the confidentiality, integrity and availability of data; Ensure proper data security controls have been implemented appropriately; Obtain written satisfactory assurances (Business Associate Agreements); Prevention of fraud and abuse; Permitted and restricted uses and disclosures of PHI; Ensure PHI availability; Document policies and procedures; Training of staff, and as needed, business associates/subcontractors on Privacy, Security and Data Breach policies 4

Business Associate Agreements (written satisfactory assurances) I. Outlines the responsibilities of the business associate and covered entity in the partnership they have created (receipt, creation, transmission, modification and storage) of data; II. Defines the responsibilities to one another for notification, breach activity and security incidents that may put either organization at risk; III. IV. Details the acceptable practices for use and disclosure of PHI; Other addressed items in the agreements include, but is not limited to: I. Language around where the financial burden resides; II. III. IV. Cyber insurance requirements and financial limitations; Indemnification language; Freedom to perform an audit; V. PCI-DSS required language Additional Satisfactory Assurances 5

Vendor Assessment 1. Define the process that will be used to evaluate a potential or existing business associate, vendor or subcontractor. 2. Develop a consistent method for risk determination. 3. Identify alternative solutions. 4. Determine how the final decision on risk acceptance will be made and who the final approver is. 5. Document the process, results and decisions that are made. Pre-Contract Procedures Reputation or Reference Checks Company History how long have they been in business, industries or clients served, experience in the performance of the potential tasks; References other clients or businesses they may have provided the same or similar service to; Security Risk Analysis Due diligence to assess the risk of their systems, network, servers, transmission processes, storage of data etc. Evidence Company s certificate of insurance to ensure there is cyber protection; Ensure the insurance is appropriate for the level of activities the company would be performing Third Party Assessment SOC2; PCI-DSS; HI-TECH or equivalent security assessment 6

Pre-Contract Procedures, Cont.. Risk Mitigation Analyze the responses to the data security questionnaire to assess the level of risk to the organization and/or it s customers/clients. Remediation plan for identified or known risks Pre-Contract Data Sharing No data can be received, shared or transmitted without a formal written agreement. Define the Process for Vendor Evaluation 7

Identify Vendors for Risk Assessment Functions Performed Vendor performs activities without access to critical data Restricted access to internal documents only no client data Access to information Storage or Transmission of PHI/PII; support or maintenance of PHI/PII systems Level of Data at Risk Public Information Internal Use Confidential Privacy Restricted Probability of Risk None Information accessed would not cause significant harm to the organization (policies, procedures). Excludes financials, PHI, PII or CC data. Access to data that could cause harm to clients, the company or customers of our clients. Data at risk for breach or public exposure which may cause harm (financial or reputational) to the organization or its clients. Level of Assessment Needed Not Required Low-level assessment: Basic questions to determine if further risk assessment is necessary. Mid-level assessment: High level questions related to security controls, data processes and training for Staff. High-level assessment: Detailed level of questions related to security controls, back-up process, data processes and training of staff. Determine Level of Assessment Organize your assessment process: Name of Primary Function the Vendor Data 123 Data Center - Storage or Transmission of PHI/PII; DR 4U Disaster Recovery Site Level of Vendor Primary Primary Level of Data at Risk Privacy-Restricted; Critical (PHI/PII or Card Holder Data) Privacy-Restricted; Critical (PHI/PII or Card Holder Data) Level of Assessment High-level assessment High-level assessment ITSupport DeskTop Maintenance of PHI/PII systems - Network, Switches, Routers Computer installs; workstation maintenance Primary Privacy-Restricted; Critical (PHI/PII or Card Holder Data) High-level assessment Secondary Confidential Mid-level assessment 8

Assessment Categories All level assessments can include the same topics, each level can determine how much detail the assessment should explore based on the severity of the risk the vendor may present to the organization. Topics typically covered in most assessments include: General Company Information General demographics about the company s business including general description of the company, number of years in business, number of employees, address of additional locations. Formal Compliance Programs Review of the formal process in place to manage compliance at an enterprise level, review existing policies and procedures for changes, evaluate company risk and determine compliance impacts to the organization. Performance of security risk analysis, third party reviews/assessments. Vulnerability management, frequency of scans, audits, most recent results of third party assessments (i.e., SOC2, HIPAA, PCI-DSS, GBLA). Assigned responsibility for security. Network Management Review the existence of wireless access, components of the network, a network diagram to ensure proper controls, firewalls, routers, switches have been properly protected to decrease the risk of a breach or security incident. Assessment Categories Breaches and Security Incidents Identify the number of incidents/breaches that have occurred and the general reason for such an event: Technical failure, human error, uncontrollable event or other causes. Incidents involving more than 500 people. Access Control and Review Procedures for assigning access (role-based), review and maintenance of the authorized access, monitoring of the access that has been granted, timeliness of access termination, password strength requirements, frequency of password changes, and forced lock-outs. Device Security Encryption and access controls for devices such as laptops, mobile devices, workstations, USB drives, servers, routers, and switches. Installation of firewalls, patches and updates for anti-virus malware protection. Storage of information on mobile devices (same device or alternative storage). Physical and Environmental Security Perimeter security, camera locations, video tape availability, entry access (key, key fob, badge access), logs of the access, server room access, visitor procedures, escorted vendors and visitors, identification of equipment with privacy restricted data. 9

Assessment Categories Data Storage Review the company s back-up schedule, location of the backup, time for retrieval, testing of failed back-ups, frequency of the back-up process. Data retention policies. Disposal Review the disposal practices of the organization on-site storage until the information is destroyed. Audit and Monitoring Review Presence of internal monitoring and auditing of the organization s business practices, compliance practices and security controls. Assessment Level Descriptions High-Level Assessment: Vendors that put the organization most at risk for data breaches, security incidents, public exposure, financial hardship or reputational damage. We want the assessment to identify such risks prior to the contract or as early as possible within a current relationship. The high-level assessment would be the deepest dive into each of the Assessment Categories. Mid-Level Assessment: The level of data at risk is confidential and could provide a risk to proprietary information, insider information that may cause harm to the reputation of the organization, its clients or customers. Vendors slotted for a mid-level assessment would not have access to critical data elements that could result in data breach or noncompliance fines. Low-Level Assessment: This level of an assessment is a basic due diligence that would identify whether or not a deeper level of an assessment would be necessary. Information at risk would be internal information such as policies, procedures, contracts, etc. but information would not generally include Confidential or Privacy Restricted data. There may be a few exceptions to this for example a Shredding Company. 10

Develop Consistent Method for Risk Determination Methods for Assessment Survey Format Pros Topics that would provide space for a description of a process may reduce the number of questions that need to be asked in regards to that topic. Allows the vendor to answer the questions based on their specific situation versus having to select from a list of responses that may not apply to their business. Cons Variability in responses may make it difficult to compare one vendor to another. Additional questions within a category that would be present in another format may provide a clearer picture and leave less to interpretation by the organization completing the form. May slow down the responder since the majority of the responses will require a description versus, yes/no or N/A. 11

Methods for Assessment On-line Tool Pros Responses can be categorized and sorted to identify risks quickly. Responses can be easily compared across multiple vendors. Information received can be used to identify trends across all responders for review and modification of the assessment process. Historical response information for that vendor can be reviewed for progress or outstanding problems. Follow up and mitigation documentation could easily be handled in the same format. Cons Responses do not allow flexible answers when an answer doesn t quite fit. Responders may guess at which answer most closely reflects their response when an available answer doesn t provide what is needed. Responders may not be able to easily extract the questions and responses to disseminate to appropriate individuals for the proper information. Might be more costly to create, purchase and implement. Excel Workbook Pros Cons Marriage of the question/answer and on-line tool provides the standardization to the requestor but allows flexibility to the respondent for the answers. Excel expertise could provide to be an asset if the appropriate pivot tables, selections and gadgets of excel can be used to slice and dice information based on the function the vendor is performing on your behalf. Vendors would only need to complete the sections that pertain to the activities they are performing for or on your behalf. Most if not all businesses have the ability to open, modify and save in Excel. Evaluation of the risk may require higher level of excel knowledge. Development of the risk process may still be needed within Excel do the data can be tracked and evaluated. 12

Evaluation of Risk Risk status of a vendor may fall into the following categories: Critical High Low A third party risk analysis or security assessment has not been completed in more than two years. Risk posing a direct threat to data loss, theft or breach has not been mitigated. Annual security reviews are not conducted. Minimal controls are in place to prevent a threat, loss, threat or breach. Proof of acceptable third party assessments were made available. Appropriate controls and monitoring in place to manage the risk. Known security risks that create critical vulnerabilities to the organization s data. Progress on mitigation but did not address critical items first. Mitigation to known risks are handled promptly. Supporting downstream assurances have not been conducted. Listed on the OCR with breach over 500 and vendor has not corrected the issue. Downstream vendors do not have established compliance programs nor provide training. Policies and procedures are available but outdated. Established compliance program with annual reviews. Policies, procedures and training have been implemented. Risk Acceptance Acceptable Risk Unacceptable Risk 13

Revisiting Organization Balance Compliance Corporate Goals Remediation and/or Alternative Solutions What do you do when risk has been identified? 1. Obtain the corrected or remediated vendor documentation (policies, procedures, implementation plan, screen shots for proof of activity or any other documentation that may be necessary to remediate or prove remediation has been completed). 2. Schedule follow-up meetings with the subcontractor/vendor to ensure progress of the mitigation plan and documentation has been received. 3. Document the acceptable and unacceptable mitigation risks and determine whether or not the subcontractor/vendor can be kept or needs to be replaced. 4. Propose recommendations to the Control Review Team for the continuance or termination of the vendor for decision if remediation cannot be obtained; and/or 5. Follow up with the vendor until all remediation has been completed. 14

Final Decision 1. Determine the criteria that will make the decision a go or no go decision. 2. Develop a process for resolving conflict. 3. Identify the steps that will be needed to support a decision to move forward with a vendor that may bring additional risks to the organization. 4. Report the progress to the Executive Team as the remediation occurs 15

Contact Slide Christine Duprey, Caris Consulting, LLC 2951 Sunray Lane, Green Bay, WI 54313 (920) 639-6615 chris@carisinnovation.com www.carisinnovation.com 31 16

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback