NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS


2014 Wolf & Company, P.C.

Does Vendor Management Feel Like This?

Vendor Risk Management Lifecycle

Agenda
- Vendor Management Lifecycle
- Risk Assessment
- Due Diligence
- Contract
- Vendor Selection
- Performance, Audit, and Monitoring

What needs to be included? Identify significant third-party relationships:
- Complete inventory of vendors
- Vendors that perform new functions or activities
- Vendors with a material effect on the organization's ability to conduct business
- Vendors that perform critical functions
- Vendors that store, access, transmit, or perform transactions on ePHI

Common Pitfalls & Cybersecurity Weaknesses

Planning
- Overall lack of planning, or no planning at all
- Someone needs to own the process

Contract Negotiation: HAVING A BAA (Business Associate Agreement) IS NOT ENOUGH!! Typical contract weaknesses:
- Does not require vendors to address ongoing monitoring activities
- Right-to-audit clause does not require remediation of findings
- Does not factor in minimum security standards (such as security event log retention requirements)
- Breach notification is required only for a breach of your own data, not for security incidents at the vendor more generally
- Does not make the vendor responsible for maintaining industry/best-practice authentication and encryption standards
- Termination clauses
- Insurance requirements and monetary reimbursement are limited
- Subcontractors and oversight expectations are not addressed

Common Pitfalls & Cybersecurity Weaknesses

Ongoing Monitoring
- Annual security-related questionnaire
- Security reports: SOC reports, penetration testing, vulnerability assessments, PCI DSS ROC, BCP testing, code review
- Vendor cybersecurity monitoring (e.g., measured against the NIST CSF)
- Subcontractors
- Annual review of internal audit plans

Termination
- Termination clauses do not include breach as a trigger
- Decommissioning-related costs are not covered

Assess Risk
- Use a common set of criteria
- Involve line management
- Assess the relationship, not the technology or function
- Develop a process to ensure new third parties are assessed
- Keep the end in mind

Risk-Based Monitoring Program: Monitoring Profiles
- High Risk
- Moderate Risk
- Low Risk

4 Additional Final Points
1. Vendor management should be a continuous process, not an annual event.
2. Vendor due diligence, audit, and monitoring should be risk-based and adaptable to ever-changing circumstances.
3. Understand the supply chain for high-risk vendors, and the existence of offshore relationships.
4. Vendor management must be linked to other management programs: information security and privacy, business continuity, and enterprise risk management.

What is a SOC 2 Report?
- A Service Organization Control (SOC) report
- Offers independent third-party attestation over the controls in place at a service provider
- Not the same as a SAS 70 or SSAE 16 (SOC 1) report, which covers controls relevant to a customer's financial reporting rather than security

Trust Services Principles
- Security: the system is protected against unauthorized access (both physical and logical).
- Availability: the system is available for operation and use as committed or agreed.
- Processing Integrity: system processing is complete, accurate, timely, and authorized.
- Confidentiality: information designated as confidential is protected as committed or agreed.
- Privacy: personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice and with the criteria set forth in GAPP (Generally Accepted Privacy Principles).

What are the benefits of a SOC 2 audit for both CEs (covered entities) and BAs (business associates)?
- A SOC 2 report includes an independent third-party opinion on the service provider's controls
- One report can address both HIPAA and SOC 2 compliance requests
- Decreases time spent responding to customer security audits
- Standardized reporting format

Questions?
Michael Kanarellis, Senior Manager, IT Assurance Services; Director of Healthcare IT Practice
Phone: (617) 428-5408
Email: mkanarellis@wolfandco.com
Twitter: @mkanarellis
www.wolfandco.com