Intelligent Vendor Risk Management

Transcription

1 Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach Challenges with Current Approaches Developing an Intelligent Program Profiling Conducting Due Diligence Managing and Mitigating Risk Continuous Monitoring Questions and Answers 1

2 WHY IT S NEEDED Regulatory Requirements HIPAA (a)(1)(i) Requires BAAs be in place specifying the obligations of the BA with respect to privacy and security controls HIPAA (a)(1)(ii) Requires covered entities to take risk management action if the BA materially breaches its obligations under the contract PCI DSS Requires a program is maintained to monitor service providers' PCI DSS compliance status at least annually Breach Notification 47 states have security breach notification laws HITECH requires BAs to notify both the Covered Entity (HITECH 13402) and the affected individuals (HITECH (a)) 2

3 Regulatory Penalties Increased civil monetary penalties under HITECH Violation not known (despite due diligence): Remains at $100/violation to $25,000 maximum Violation due to reasonable cause: Increased to $1,000/violation to $100,000 maximum Violation due to willful neglect: Increased to $500,000/violation to $1.5 million maximum HITECH also granted State Attorneys General the ability to impose civil penalties It s already happening: Large hospital in the northeast was fined $750,000 by the State s Attorney General s office on May 24 th The breach directly implicated the hospital s BA when an unencrypted backup tape was stolen The hospital did not have a BAA with the vendor Healthcare Breaches Breaches have been on the rise since reporting became a requirement in September Based on HHS breach data: 28% of breaches implicated a BA ~60% of records breached implicated a BA The Ponemon Institute estimates the cost of a breach at $194/record ~$24.5M for the average organization Breaches >500 Reported to HHS No Business Associate Business Associate Involved 3

4 CHALLENGES WITH TODAY S APPROACHES The Wide Net Approach Under the wide net approach, each vendor undergoes some questionnaire or audit to evaluate risk Difficult to do at scale hours of internal analysis per questionnaire $20k - $30k in fees (real or based on internal resources time) per audit For an average organization of 100 vendors, ~1 FTE in managing questionnaires and $250k in audit fees of vendors per year Cost of monitoring existing vendors If you re not following up, how do you know when things change that affect risk? 4

5 No Transparency Vendors have their own vendors ( sub-contractors ) There is little to no transparency in each vendor s relationships What does the sub-contractor have access to? What does the vendor do to ensure adequate security and privacy? What is the risk of the sub-contractor? DEVELOPING AN INTELLIGENT PROGRAM 5

6 Effective 4-Step Approach Periodically reevaluate high risk vendors Profiling Classify vendors by inherent risk Continuous Monitoring Conducting Due Diligence Document and manage outstanding risks Mitigating Risk Focus time and money on the highest risks 1. Profiling OBJECTIVE To quickly and efficiently identify high risk vendors to either pre-emptively avoid the risk or focus the organizations limited resources on the risky vendors. IMPLEMENTATION Risk = Impact + Likelihood Likelihood Factors that increase the probability the vendor will experience or cause a breach Impact If the vendor experiences a breach, the loss (dollars, downtime) the organization can expect to incur 6

7 1. Profiling Likelihood Factors to consider: Size Measured by number of employees Companies with 1 to 100 employees experienced 60% of all reported data breaches from 2009 to *Verizon 2011 Data Breach Investigations Report Leadership Security leadership and team Linked in did not have a CIO or CISO prior to their breach Industry Classification *Verizon 2012 Data Breach Investigations Report The primary industry served by the organization Hospitality (40%), retail (25%) and financial services (22%) experience more breaches Verizon 2011 Data Breach Investigations Report Breach History The frequency and nature of previous breaches 95% of breaches were avoidable through simple or intermediate controls 74% of organizations that experienced two or more breaches experienced the second breach within 6 months Verizon 2011 Data Breach Investigations Report / HHS Breaches Affecting 500 or More Individuals 1. Profiling Impact Does the vendor access sensitive or confidential data (e.g., PII, PHI)? Does the vendor directly access (logically) the organization s internal systems? Does the vendor provide customer facing products or services? Does the vendor have direct physical access to the organization s property or facilities? How difficult is it to replace the solution or service at a later date? Does the vendor utilize offshore facilities? Longevity of solution or service (length of expected or current contract)? What is the total annual spend with the vendor? If there is a failure, what is the expected financial impact to the business for the year? 7

8 2. Conducting Due Diligence OBJECTIVE To focus additional due diligence efforts on the riskiest vendors through a tiered approach. IMPLEMENTATION Critical risk vendors undergo an on-site audit On site Audit Remote Review Questionnaire Risk of Business Associate Critical High Moderate High High risk vendors complete a questionnaire and provide supporting evidence via interviews and documentation reviews Moderate-high risk vendors complete a self-assessment questionnaire 2. Due Diligence Development Audit programs and questionnaires should be based on industry standards OCR HIPAA Audit Program (HIPAA Security, Breach Notification, Privacy) HITRUST CSF and Certification NIST ISO Example areas to address: Auditing and Logging Access Management Authentication BCP / DR Configuration Management Data Protection (i.e., Encryption) Malware Protection Network Security Third Party Management Vulnerability Management (e.g., Patching) 8

9 3. Mitigating Risk OBJECTIVE To take the appropriate action to manage and reduce the risk to the organization presented by the vendor. IMPLEMENTATION Develop and implement a process to review risks and agree to corrective actions Due Diligence Results End Yes Identify and Rank Control Gaps Request the BA to Correct Gaps Corrected No Request BA Develop Corrective Action Plan (CAP) Monitor Risk Complete Risk Acceptance for Term of CAP Items Agree to CAP Timeline and Milestones 3. Mitigating Risk CAP A corrective action plan (CAP) should be developed and agreed to between the organization and vendor for high risk gaps Gap description Remediation description Milestones Due date(s) Individual(s) responsible Resources required Formally document the acceptance of risk for the duration of the corrective actions The nature of the gap The risk to the business The vendor associated with the gap The risk manager responsible The business owner responsible The term of the acceptance A point of contact at the vendor 9

10 4. Continuous Monitoring OBJECTIVE To periodically re evaluate the vendor to ensure risks do not increase and milestones, if any, are being met. IMPLEMENTATION Based on the vendor s risk classification, determine if changes in risk have occurred since the last review Vendor Classification Moderate to Low risk Vendors Moderate High to Critical Vendors Monitoring Activities Re profile vendor for basic changes in inherent risk including: Recent breaches Financial performance Mergers and Acquisitions Re profile vendor for basic changes in inherent risk. Review the status of corrective actions to ensure deadlines and milestones are met. Monitoring Frequency Once per year or on notice of a major event Once per quarter to once per year depending on corrective actions or on notice of a major event 4. Continuous Monitoring Tracking Develop a schedule to track and manage the review activities for each vendor including: Vendor name Product or service provided The internal department The business owner The risk manager The vendor point of contact The risk profile as determined through the first step Due diligence taken (if any) Risk management actions agreed to (if any) The next review date The contract terms (start date, end date, and renewal terms) Ensure risk acceptance and CAP documentation is updated accordingly 10

11 Summary An effective vendor risk management program is comprised of four key steps: 1. Profile classify vendors by inherent risk (likelihood of a breach + impact to the organization) to determine where to focus 2. Conduct Due Diligence additional due diligence (selfassessment questionnaires, remote assessments, on-site audits) should be performed for high risk vendors 3. Mitigate Risk develop and agree to a corrective action plan with the vendor and formally document accepted risk 4. Monitor Risk periodically checkup on vendors to determine changes in risk Cliff Baker Meditology Services Cliff.baker@meditologyservices.com LeeAnn Foltz Wolters Kluwer Law & Business leeann.foltz@wolterskluwer.com Thank you for your time and attention. QUESTIONS AND ANSWERS 11