NE HIMSS Vendor Risk
October 9, 2015
MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
2014 Wolf & Company, P.C.

Does Vendor Management Feel Like This?

Vendor Risk Management Lifecycle

Agenda
- Vendor Management Lifecycle
- Risk Assessment
- Due Diligence
- Contract
- Vendor Selection
- Performance, Audit, and Monitoring
What needs to be included?
Identify significant third party relationships:
- Complete inventory of vendors
- Performs new functions or activities
- Material effect on the organization's ability to conduct business
- Performs critical functions
- Stores, accesses, transmits, or performs transactions on ePHI
Common Pitfalls & Cybersecurity Weaknesses
Planning
- Overall lack of or non-existent planning
- Someone needs to own the process
Contract Negotiation
- HAVING A BAA IS NOT ENOUGH!!
- Does not require vendors to address ongoing monitoring activities
- Right to Audit clause does not require remediation
- Does not factor in minimal security standards (such as security event log retention requirements)
- Only requires notification of a breach of your data
- Does not require that the vendor is responsible for maintaining industry/best practice authentication and encryption standards
- Breach notification only applicable if your data is breached
- Termination clauses
- Insurance requirements and monetary reimbursement limited
- Subcontractors and oversight expectations
Common Pitfalls & Cybersecurity Weaknesses
Ongoing Monitoring
- Annual questionnaire (security related)
- Security reports: SOC, penetration testing, vulnerability assessments, PCI DSS ROC, BCP testing, code review
- Vendor cybersecurity monitoring (NIST CSF)
- Subcontractors
- Annual review of internal audit plans
Termination
- Termination clauses do not include breach
- Does not include decommission related costs
Assess Risk
- Common set of criteria
- Involve line management
- Assess the relationship, not the technology or function
- Develop a process to ensure new third parties are assessed
- Keep the end in mind

Risk Based Monitoring Program
Monitoring Profiles
- High Risk
- Moderate Risk
- Low Risk
4 Additional Final Points
1. Vendor management should be a continuous process, not an annual event.
2. Vendor due diligence, audit, and monitoring should be risk based, and adaptable to ever changing circumstances.
3. Understand the supply chain for high risk vendors, and the existence of offshore relationships.
4. Vendor management must be linked to other management programs: Information Security and Privacy, Business Continuity, and Enterprise Risk Management.
What is a SOC 2 Report?
- Service Organization Control (SOC) Report
- Offers independent third party attestation over controls in place at a service provider
- Not the same as a SAS 70 or SSAE 16 Report
Trust Services Principles
- Security: System is protected against unauthorized access (both physical and logical).
- Availability: System is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice, and with criteria set forth in GAPP.
What are the benefits of a SOC 2 audit for both CEs and BAs?
- SOC 2 Report includes an independent third party opinion on the service provider's controls
- One report can address both HIPAA and SOC 2 compliance requests
- Decrease time spent responding to customer security audits
- Standardized reporting format
Questions?
Michael Kanarellis, Senior Manager IT Assurance Services, Director of Healthcare IT Practice
Phone: (617) 428-5408
Email: mkanarellis@wolfandco.com
Twitter: @mkanarellis
www.wolfandco.com