Customer Data and Reputational Risk in the Pharmaceutical Industry

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Customer Data and Reputational Risk in the Pharmaceutical Industry"

Transcription

1 1 Customer Data and Reputational Risk in the Pharmaceutical Industry Sensitive Data: A Chain of Trust Organizations of all types, from banks to government agencies to healthcare providers, are taking steps to protect themselves against the potentially catastrophic loss of sensitive data, intellectual property and business intelligence. In this environment, pharmaceutical companies are becoming more aware of the distinct data-related risks they face. Consumers provide pharmaceutical companies with personal information for a number of reasons. Visitors to a company s website, for instance, often are asked to provide personal data potentially including their name, address, phone number, gender, age and medical conditions in order to receive newsletters, notifications of drug interactions or free samples from a physician; participate in discount programs; or interact with an online community who have the same medical condition. While pharmaceutical companies research and development activities tend to be protected by rigorous security frameworks, their customer-focused efforts are not subject to the same standards of protection. Sales and marketing projects commonly are outsourced to third-party vendors ranging from boutique marketing agencies to larger firms that provide shared services for multiple companies. Relationships with these service providers often involve the unregulated exchange of sensitive customer data. Just as customers typically do not know how their data is handled or protected by the pharmaceutical company, the handling company often is not fully aware of the dataprotection processes or security standards of the vendors it hires. The result is an uneasy chain of trust in which risks remain at least partially unknown and standards are not clearly defined. Reputational Risk While contracts with service providers may limit the pharmaceutical company s legal liability, they do little to protect the company against reputational risk, which has the potential to be even more damaging. In the case of a media story about a privacy violation or loss of sensitive data, few consumers will read the fine print and distinguish between the large, well-known company and the obscure service provider responsible for handling the data. An example occurred in September 2007, when clothing retailer Gap Inc. announced it had lost the unencrypted personal data, including Social Security numbers, of 800,000 job applicants. Buried in the details of the story and probably irrelevant to most consumers was the fact that it was an undisclosed, third-party, human resources service provider, not Gap, which actually lost the data. As consumers become more aware of identity theft and other fraud, continuing reports of new incidents fuel their growing suspicion. Even when blame for data loss can be assigned publicly to another well-known party such as when Citigroup blamed UPS for a 2005 loss of customer data reputational damage to both parties can be substantial. Unanswered Questions Other industries that handle large quantities of sensitive customer information, such as healthcare and financial services, are subject to regulatory scrutiny and specific data-handling 1 protiviti

2 guidelines. But pharmaceutical companies, beyond abiding by general regulations that affect all industries, are for the most part left to establish their own standards and procedures. Whether a project involves a large, onetime transfer of data to the service provider or an ongoing exchange, data can be compromised at multiple points. This raises data security questions, such as: What controls are in place to limit the likelihood or consequences of losing data during transmission to the service provider? What are the service provider s security-related procedures while using a company s data? What assurance is there that they are being followed? What happens to the data after the project s completion? This last susceptibility is often the source of the greatest uncertainty, as questions arise about who owns the data, how and when it must be destroyed, and certification of that destruction. While each contract may specify some of these matters, the accumulation of different contracts for different vendors leaves plenty of room for confusion and risk. What is missing is a model to limit risk. By establishing sound risk management practices, companies can greatly reduce ongoing reputational, financial and legal risks related to customer data, resulting in greater security and more efficient working relationships with service providers. Uncovering Current Practices Efforts to mitigate data risk should begin with a thorough examination of the ways in which data is processed and exchanged by the pharmaceutical company. Initial goals might include identifying all the business processes that handle sensitive data, the volume and exact type of data being shared, and the service providers involved in each process. These efforts cannot rest entirely on delineating official processes, however. Even if a detailed process flow already has been established, it is unlikely to tell the whole story about how data actually is handled. For example, an employee may routinely share data in response to informal requests, bypassing the protections inherent in standard procedures. Thorough interviews with sales and marketing personnel can reveal surprising gaps between official procedures and day-to-day habits. Electronic monitoring of server traffic which need not use state-of-the-art technology to be effective can augment these firsthand accounts with hard evidence of data leaks. Rooting Out Risk Once internal processes have become more transparent, the company can consider ways to limit data risks after it has been shared with the service provider. Perhaps the simplest and most powerful practice companies can implement is removing or de-identifying as much sensitive data as possible before sharing it with a third party, thereby eliminating complexities and concerns at the root. To do so, the company might begin by analyzing how much of the data each service provider actually needs in order to perform its work, and then compare it to the types of data the provider currently receives. Sales and marketing projects rarely require all the fields of customer data the pharmaceutical company possesses. 2 protiviti

3 In the case of a marketing study examining different age categories, for example, most of the customer data fields could be removed before the data is shared with the service provider. Even when a data field cannot be eliminated, it often can be de-identified. Specific information can be made more general; for instance, providing customers states of residence instead of street addresses. These measures may add an extra step to the data-handling process, making it more timeconsuming than simply sending the whole customer file. The mitigating effect they can have on risk, however, is worthwhile. Limiting the amount and type of shared data eases the burden on every other aspect of customer data security and vendor management, including end-ofproject procedures for destroying or returning data. Better Vendor Management By establishing standard procedures for assessing the security of all service providers currently engaged ones, as well as candidates for future projects pharmaceutical companies can improve data security and build more efficient, reliable vendor relationships. Using objective criteria to assess the customer data risks of doing business with both existing and potential vendors leads to better-informed decisions about whether or not to work with them. Generally, these criteria should include controls around security administration and change control. Without such criteria, these important decisions may be made on an ad hoc, subjective basis that leaves the company more vulnerable to unknown or insufficient security practices on the part of vendors. A consistently implemented procedure for vendor risk assessment can substantially reduce data risk on an ongoing basis. When evaluating potential vendors, the expected control items should be conveyed during the request for proposal (RFP) process so that candidates are not surprised by the expectations. If an RFP process is not used, the controls should be tested before the contract begins, which is the easiest time for a vendor to respond quickly to any required changes. Assessment of a vendor may result in any of the following measures: Provide less data or less identifiable data to reduce risk up front. If sensitive data must be shared, validate the vendor s security controls using a standardized process. Negotiate contract changes to shift burden of risk. Choose to stop doing business with the vendor. Some existing vendors may be reluctant to have their practices assessed or make changes in those processes, but most are likely to appreciate the benefits of being certified by the pharmaceutical company. By proving they can handle data in a manner that is in line with the company s standards, they have an inside track for future projects. While assessment measures may seem to add a layer of complexity to vendor relationships, they actually may have the opposite effect. If certain vendors do not meet security standards or are not willing to have their processes assessed, the pharmaceutical company ultimately may consolidate its active vendors down to a trusted few, simplifying overall vendor management. Whether or not such consolidation occurs, decisions about the companies entrusted with sensitive customer data become more objective and reliable. Pharmaceutical companies that actively address customer data risk, both internally and in their vendor relationships, position themselves to better protect both their customers and reputations. 3 protiviti

4 Learning from Other Industries Of course, the pharmaceutical industry is not the only one in which companies share significant amounts of customer information with vendors. However, unlike the pharmaceutical industry, other industries have regulations in place that specifically address the appropriate handling and protection of customer data. For example, in the banking industry, the Gramm-Leach-Bliley Act (GLBA) includes vendor management requirements that extend privacy and information security requirements to third-party agreements. In the healthcare industry, under the Health Insurance Portability and Accountability Act (HIPAA), service providers given access to patients protected health information must sign a Business Associate agreement that outlines appropriate handling of customer information, including the return or destruction of the data. These regulations share a similar approach: Identifying where a company has sensitive data, performing a risk assessment, and then implementing a structured plan to mitigate the risks. Pharmaceutical companies seeking to develop effective strategies to mitigate their own risk might find it valuable to learn more about these regulations in greater depth. They also should take note that individual states such as California are enacting their own distinct legislation. Even when processes are strictly regulated, each company must invest significant effort to interpret the rules and establish its own standards of discipline. Another development in the financial industry also may be worth watching. In 2006, a nonprofit financial industry consortium called BITS launched the Financial Institution Shared Assessments Program (FISAP) to establish industry-standard procedures that financial institutions should use to evaluate the security controls of their IT service providers. A primary goal of FISAP, which currently is gaining acceptance, is to reduce monitoring and compliance costs for both financial institutions and their service providers. 4 protiviti

5 About Protiviti Protiviti ( is a global consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance, operations, technology, litigation, and governance, risk and compliance (GRC). Our highly trained, results-oriented professionals serve clients in the Americas, Asia- Pacific, Europe and the Middle East and provide a unique perspective on a wide range of critical business issues. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. Protiviti s Pharmaceutical Services Practice Protiviti s practice includes professionals with deep industry experience in pharmaceutical/biotechnology and medical devices. Life sciences organizations are constantly challenged by their need to grow and profit while complying with a wide range of complex and rapidly evolving government regulations. Whether the top concern is internal audit, regulatory compliance, improving revenues, managing costs, evaluating and safeguarding intellectual property, or leveraging new technology, Protiviti brings industry knowledge and deep skills to help pharmaceutical, biotech and medical-device companies overcome risks and maintain their financial health. Protiviti views compliance requirements as an opportunity to improve an organization s operations and financial performance. Our solutions are designed to improve business performance while achieving compliance objectives. For additional information about the issues reviewed in this white paper or Protiviti s services, please contact: Edward J. Scheuer Managing Director John F. Bingham Director Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services Protiviti Inc. An Equal Opportunity Employer.

Internal Auditing is an Asset for Small Companies as well as Large Ones

Internal Auditing is an Asset for Small Companies as well as Large Ones Internal Auditing is an Asset for Small Companies as well as Large Ones The term internal audit usually inspires two immediate responses. The first is fear: Is something wrong in our organization? Have

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director High Value Audits: An Update on Information Technology Auditing Robert B. Hirth Jr., Managing Director The technology landscape and its impact on internal audit Technology is playing an ever-growing role

More information

Process Control Optimisation with SAP

Process Control Optimisation with SAP Process Control Optimisation with SAP The procure-to-pay cycle, which includes all activities from the procurement of goods and services to receiving invoices and paying vendors, is a basic business process.

More information

Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd.

Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd. Continuous Monitoring and Auditing: What is the difference? By John Verver, ACL Services Ltd. Call them the twin peaks of continuity continuous auditing and continuous monitoring. There are certainly similarities

More information

Fraud Prevention and Detection in a Manufacturing Environment

Fraud Prevention and Detection in a Manufacturing Environment Fraud Prevention and Detection in a Manufacturing Environment Introduction The Association of Certified Fraud Examiners (ACFE) estimated in its 2008 Report to the Nation on Occupational Fraud and Abuse

More information

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing

Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Cloud Security Keeping Data Safe in the Boundaryless World of Cloud Computing Executive Summary As cloud service providers mature, and expand and refine their offerings, it is increasingly difficult for

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Easing the Burden of Healthcare Compliance

Easing the Burden of Healthcare Compliance Easing the Burden of Healthcare Compliance In This Paper Federal laws require that healthcare organizations that suspect a breach of sensitive data launch an investigation into the matter For many mid-sized

More information

Securing Critical Information Assets: A Business Case for Managed Security Services

Securing Critical Information Assets: A Business Case for Managed Security Services White Paper Securing Critical Information Assets: A Business Case for Managed Security Services Business solutions through information technology Entire contents 2004 by CGI Group Inc. All rights reserved.

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT California Law Requires Companies to Disclose Efforts to Ensure Supply Chains Are Free of Slavery and Human Trafficking February 6, 2012 The California Transparency in Supply Chains

More information

Payment Card Industry Data Security Standards

Payment Card Industry Data Security Standards Payment Card Industry Data Security Standards Discussion Objectives Agenda Introduction PCI Overview and History The Protiviti Difference Questions and Discussion 2 2014 Protiviti Inc. CONFIDENTIAL: This

More information

The Shift to Behavioral Monitoring: A New Paradigm for Exception-Based Reporting

The Shift to Behavioral Monitoring: A New Paradigm for Exception-Based Reporting The Shift to Behavioral Monitoring: A New Paradigm for Exception-Based Reporting Introduction In the past 10 years, exception-based reporting (EBR) has become a widespread tool for loss prevention in retail

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Securing Your Business with Managed File Transfer

Securing Your Business with Managed File Transfer Why FTP/SFTP Solutions Are No Longer a Viable Option www.stonebranch.com Executive Summary This white paper sets out to explain the importance of a Managed File Transfer solution implementation within

More information

THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY

THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY EXECUTIVE SUMMARY Email is a critical business communications tool for organizations of all sizes. In fact, a May 2009 Osterman Research survey

More information

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy

Presentation for : The New England Board of Higher Education. Hot Topics in IT Security and Data Privacy Presentation for : The New England Board of Higher Education Hot Topics in IT Security and Data Privacy October 22, 2010 Rocco Grillo, CISSP Managing Director Protiviti Inc. Quote of the Day "It takes

More information

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations

Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Preventing Fraud: Assessing the Fraud Risk Management Capabilities of Today s Largest Organizations Overview In late 2006 and 2007, Protiviti commissioned a study to gauge the fraud risk management (FRM)

More information

Point-of-Care Medication Administration: Internal Audit s Role in Ensuring Control

Point-of-Care Medication Administration: Internal Audit s Role in Ensuring Control Point-of-Care Medication Administration: Internal Audit s Role in Ensuring Control The Institute of Medicine (IOM) estimates that more than a million injuries and almost 100,000 deaths annually can be

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT Cybersecurity Framework: Where Do We Go From Here? February 25, 2014 Just over a year ago, President Barack Obama signed an Executive Order (EO) calling for increased cybersecurity

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information

Facing Information Security Challenges

Facing Information Security Challenges AKTINA Event Information Security & Cloud Challenges March 17, 2016 Facing Information Security Challenges ISACA Cyprus Chapter Paschalis Pissarides CRISC, CISM, CISA Immediate Past President (2010-2014)

More information

THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY

THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY THE IMPORTANCE OF EMAIL ENCRYPTION IN THE HEALTHCARE INDUSTRY EXECUTIVE SUMMARY Email is a critical business communications tool for organizations of all sizes. In fact, a May 2009 Osterman Research survey

More information

Platform as a Service and PCI www.engineyard.com

Platform as a Service and PCI www.engineyard.com Engine Yard White Paper Platform as a Service and PCI www.engineyard.com Purpose Achieving PCI compliance can be a complex, time-consuming, and expensive undertaking, but the right approach can make it

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

HCCA Compliance Institute 2013 Privacy & Security

HCCA Compliance Institute 2013 Privacy & Security HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP

IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/ Continuous Monitoring KPMG LLP IT Audit Perspective on Continuous Auditing/Continuous Monitoring INTRODUCTION New demands from the board, senior organizational

More information

FINANCIAL SERVICES FLASH REPORT

FINANCIAL SERVICES FLASH REPORT FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin

More information

The Right Choice for Call Recording Call Recording and Regulatory Compliance

The Right Choice for Call Recording Call Recording and Regulatory Compliance Call Recording and Regulatory Compliance An OAISYS White Paper Table of Contents Increased Regulations in Response to Economic Crisis...1 The Sarbanes-Oxley Act...1 The Payment Card Industry Data Security

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Impact of Healthcare Regulations on the Data Center

Impact of Healthcare Regulations on the Data Center Executive Report Impact of Healthcare Regulations on the Data Center Impact of Healthcare Regulations The HIPAA and HITECH acts, along with the Affordable Care Act, are changing the face of the healthcare

More information

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS

SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS SAFEGUARDS FOR PROTECTING PRIVATE DATA - SERVICE PROVIDERS AND CONTRACTORS THE UNIVERSITY OF NEW MEXICO October 17, 2013 Audit Committee Members J.E. Gene Gallegos, Chair Lt. General Bradley Hosmer, Vice

More information

The promise and pitfalls of cyber insurance January 2016

The promise and pitfalls of cyber insurance January 2016 www.pwc.com/us/insurance The promise and pitfalls of cyber insurance January 2016 2 top issues The promise and pitfalls of cyber insurance Cyber insurance is a potentially huge but still largely untapped

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Cloud Security Trust Cisco to Protect Your Data

Cloud Security Trust Cisco to Protect Your Data Trust Cisco to Protect Your Data As cloud adoption accelerates, organizations are increasingly placing their trust in third-party cloud service providers (CSPs). But can you fully trust your most sensitive

More information

Business Conduct, Compliance and Ethics Program. important

Business Conduct, Compliance and Ethics Program. important Business Conduct, Compliance and Ethics Program important Table of Contents Letter from Troy Kirchenbauer As healthcare s first online direct contracting market, aptitude is committed to upholding the

More information

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability

GALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability A Custom Technology Adoption Profile Commissioned By BitSight Technologies Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability Introduction As concerns around

More information

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT

ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT ENCRYPTION KEY MANAGEMENT SIMPLIFIED A BEGINNER S GUIDE TO ENCRYPTION KEY MANAGEMENT IS THIS ebook RIGHT FOR ME? Not sure if this is the right ebook for you? Check the following qualifications to make

More information

Secure in Transition and Secure behind the Network Page 1

Secure in Transition and Secure behind the Network Page 1 Secure in Transmission and Secure behind the Network A Review of Email Encryption Methods and How They Can Meet Your Company s Needs By ZixCorp www.zixcorp.com Secure in Transition and Secure behind the

More information

74% 2014 SIEM Efficiency Survey Report. Hunting out IT changes with SIEM

74% 2014 SIEM Efficiency Survey Report. Hunting out IT changes with SIEM 2014 SIEM Efficiency Survey Report Hunting out IT changes with SIEM 74% OF USERS ADMITTED THAT DEPLOYING A SIEM SOLUTION DIDN T PREVENT SECURITY BREACHES FROM HAPPENING Contents Introduction 4 Survey Highlights

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Achieving Regulatory Compliance through Security Information Management

Achieving Regulatory Compliance through Security Information Management www.netforensics.com NETFORENSICS WHITE PAPER Achieving Regulatory Compliance through Security Information Management Contents Executive Summary The Compliance Challenge Common Requirements of Regulations

More information

Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background

Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background Security Survey 2009: Privileged User Management It s Time to Take Control Frequently Asked Questions and Background What is a privileged user? A privileged user is an individual who, by virtue of function,

More information

INFORMATION TECHNOLOGY FLASH REPORT

INFORMATION TECHNOLOGY FLASH REPORT INFORMATION TECHNOLOGY FLASH REPORT Understanding PCI DSS Version 3.0 Key Changes and New Requirements November 8, 2013 On November 7, 2013, the PCI Security Standards Council (PCI SSC) announced the release

More information

THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE

THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE THE STATE OF DATA SHARING FOR HEALTHCARE ANALYTICS 2015-2016: CHANGE, CHALLENGES AND CHOICE As demand for data sharing grows, healthcare organizations must move beyond data agreements and masking to achieve

More information

An Executive Overview of GAPP. Generally Accepted Privacy Principles

An Executive Overview of GAPP. Generally Accepted Privacy Principles An Executive Overview of GAPP Generally Accepted Privacy Principles Current Environment One of today s key business imperatives is maintaining the privacy of your customers personal information. As business

More information

Evolving Issues for Healthcare IT Contracting

Evolving Issues for Healthcare IT Contracting Evolving Issues for Healthcare IT Contracting By: Alan L. Friel This client advisory is based in part on an article appearing in FierceHealthIT. The emergence of mega-suite vendors, more use of the cloud,

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com

Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com WHITE PAPER Global Digital Security: The Human Element March 2014 Written by: Matthew Howes Senior Vice President, Strategic Services inventiv Digital+Innovation Matthew.Howes@inVentivHealth.com TABLE

More information

Information Security: A Perspective for Higher Education

Information Security: A Perspective for Higher Education Information Security: A Perspective for Higher Education A By Introduction On a well-known hacker website, individuals charged students $2,100 to hack into university and college computers for the purpose

More information

SEC FLASH REPORT. SEC Issues Rules for Implementing the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934

SEC FLASH REPORT. SEC Issues Rules for Implementing the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934 SEC FLASH REPORT SEC Issues Rules for Implementing the Whistleblower Provisions of Section 21F of the Securities Exchange Act of 1934 May 25, 2011 Today, the Securities and Exchange Commission (SEC) voted

More information

the write choice: a primer on outsourcing transcription services

the write choice: a primer on outsourcing transcription services FEBRUARY 2006 healthcare financial management FEATURE STORY Bryan F. Smith the write choice: a primer on outsourcing transcription services Face it, medical transcription is not sexy. It s definitely not

More information

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry

Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry Amid Ongoing Transformation and Compliance Challenges, Cybersecurity Represents Top IT Concern in Financial Services Industry IT leaders are battening down the hatches, according to Protiviti s latest

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Closing the Security Gap Extending Microsoft SharePoint, OCS, and Exchange to Support Secure File Transfer

Closing the Security Gap Extending Microsoft SharePoint, OCS, and Exchange to Support Secure File Transfer AN ACCELLION WHITE PAPER Closing the Security Gap Extending Microsoft SharePoint, OCS, and Exchange to Support Secure File Transfer SECURITY COMPLIANCE EASE OF USE Accellion, Inc. Tel +1 650 485 4300 1804

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC HIPAA Compliance and Non-Business Associate Vendors: Strategies and Best Practices July 14, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON,

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Who s next after TalkTalk?

Who s next after TalkTalk? Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many

More information

Need Assistance selecting an EMR/EHR? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit?

Need Assistance selecting an EMR/EHR? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit? The results of the Office of Civil Rights (OCR) pilot audit program shows: Small covered entities had more issues than larger

More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

UF IT Risk Assessment Standard

UF IT Risk Assessment Standard UF IT Risk Assessment Standard Authority This standard was enacted by the UF Senior Vice President for Administration and the UF Interim Chief Information Officer on July 10, 2008 [7]. It was approved

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA

White Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade

When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade When to Upgrade: Balancing Benefits of New Systems with Costs to Upgrade 800.982.2388 1 Introduction The decision on when to upgrade computer systems, such as calibration and maintenance management systems,

More information

Who s Got Your Data? Managing Vendor Risk. Chris Clymer, Advisory Services

Who s Got Your Data? Managing Vendor Risk. Chris Clymer, Advisory Services Who s Got Your Data? Managing Vendor Risk Chris Clymer, Advisory Services Any views or opinions presented are solely those of the author and do not necessarily represent those of SecureState LLC. Synopsis

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

High-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits

High-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits High-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits Introduction: Why shrink matters Retailers are used to managing a certain amount of shrink

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

Identity Theft Security and Compliance: Issues for Business

Identity Theft Security and Compliance: Issues for Business Identity Theft Security and Compliance: Issues for Business The Facts Six Common Uses for Stolen Information Financial Criminal Medical DMV Social Security Terrorist The Facts A Chronology of Data Breaches

More information

Control Self-Assessment. The Future of Store Audits in Retail Stores

Control Self-Assessment. The Future of Store Audits in Retail Stores Control Self-Assessment The Future of Store Audits in Retail Stores Introduction According to the 2003 National Retail Security Survey, produced by Richard Hollinger at the University of Florida, retailers

More information

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

Question: 1 Which of the following should be the FIRST step in developing an information security plan? 1 ISACA - CISM Certified Information Security Manager Exam Set: 1, INFORMATION SECURITY GOVERNANCE Question: 1 Which of the following should be the FIRST step in developing an information security plan?

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response

Cybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Best Practices in HIPAA Security Risk Assessments

Best Practices in HIPAA Security Risk Assessments BUSINESS WHITE PAPER Best Practices in HIPAA Security Risk Assessments Safeguard your protected health information (PHI) and mitigate the risk of a data breach or loss. WHITEPAPER Best Practices in HIPAA

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

PROTIVITI FLASH REPORT

PROTIVITI FLASH REPORT PROTIVITI FLASH REPORT HHS Announces Plans to Reconsider Implementation Timeline for U.S. Healthcare Industry s Transition to ICD-10 February 17, 2012 On Wednesday, February 15, the Department of Health

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH

DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and

More information

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance INTRODUCTION Historic

More information

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Leveraging Common Resources and Investments to Achieve Premium Levels of Security Summary The ecosystem of traditional

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

White paper. Why Encrypt? Securing email without compromising communications

White paper. Why Encrypt? Securing email without compromising communications White paper Why Encrypt? Securing email without compromising communications Why Encrypt? There s an old saying that a ship is safe in the harbour, but that s not what ships are for. The same can be said

More information

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK Executive Summary Core statements I. Cyber security is now too hard for enterprises The threat is increasing

More information