CORL Dodging Breaches from Dodgy Vendors

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "CORL Dodging Breaches from Dodgy Vendors"

Transcription

1 CORL Dodging Breaches from Dodgy Vendors Tackling Vendor Security Risk Management in Healthcare

2 Introductions Cliff Baker 20 Years of Healthcare Security experience PricewaterhouseCoopers, HITRUST, Meditology Focused exclusively on healthcare, in the area of security compliance and vendor risk management.

3 The Unlocked Backdoor to Healthcare Data Majority of healthcare vendors lack minimum security practices, well short of HIPAA standards Healthcare organizations are often unaware of how many of their vendors have access to protected health information There are an overwhelming number of small and niche healthcare vendors for organizations to manage Healthcare organizations do little to gain assurances or enforce security requirements for vendors Target CEO, CIO resign after massive breach caused by vendor

4 Vendor Risk Management versus Vendor Security Risk Management Vendor Risk Management (VRM) typically focuses on elements such as financial risk, legal risk, supply chain risk, etc. VRM is not focused on information security risk and does little to tell you about a vendor s ability to protect your confidential information. Vendor Security Risk Management (VSRM) service fills this gap with an objective security analysis of existing and prospective vendors. A robust VSRM provides organizations with a level of confidence in the ability of a vendor to protect their confidential information.

5 What is the exposure? Breach Risk Regulatory Risk Financial Risk Many vendors of your vendors have inadequate controls Cannot transfer notification and breach response risk Limited reasonable & appropriate assurance / willful neglect Vendors are inconsistently and infrequently assessed 50% or more of vendors do not have financial capability to handle breach notification Customer incurs brunt of financial and reputational impact

6 Org. resources cannot keep up Identify Vendor Contact Provide guidance to Business Negotiate with the Vendor Send and Explain Survey Validate the Responses Monitor Vendor Progress Review Response Follow-up for Clarification

7 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Many # of Vendors Few

8 Vendor Scenarios Scenario A The vendor product is on the Org. network (there is no vendor support). Scenario B The vendor product is on Org. network and is supported remotely by the vendor. Scenario C The vendor provides services by connecting remotely to the Org. network (e.g., medical coding) Scenario D Professional services/contractors (e.g., on-site, consulting, maintenance) with on-site access to Org. network Scenario E Org. sends data to vendor. Scenario F Cloud vendor provider.

9 Existing vendor security programs have significant blind spots Most healthcare organizations focus due diligence on their largest vendors BUT Healthcare Organization s Vendor Breakdown by Size VL 21% L 21% Breach data shows that over half of breaches are attributed to smaller companies S M L VL S 34% M 24% Smaller firms are also often attacked in attempt to get to bigger firms. The Washington Post

10 Vendors are not protecting healthcare data Vendor Score Definitions Vendor Score Breakdown A - High confidence that vendor demonstrates a strong culture of security B - Moderate confidence that vendor demonstrates a culture of security C - Indeterminate confidence that vendor demonstrates a culture of security D - Lack of confidence based on demonstrated weaknesses with vendor s culture of security F - No confidence in vendor s ability to protect information D- 24% D+ 8% F 8% A 1% A+ 3% B 7% D 26% B- 3% B+ 6% C+ 5% C 8% C- 1%

11 Understanding Risk F Different types of vendor organizations require different strategies VSRM programs adapt risk strategies to the size and capabilities of the vendor s organization 30 F F F 20 D D D D C 10 C C B B 0 C A B B A S M L VL S , M , L , VL

12 Healthcare organizations are not holding vendors accountable for meeting minimum acceptable security standards Security Certifications Security certifications provide third party validation of security practices Examples for the industry include: HITRUST AICPA SOC 2 and 3 reports ISO FedRAMP Important for organizations to understand the scope and baseline criteria used for certifications Yes 32% No 68%

13 Resource constraints with traditional approaches produce minimal results Identify Risky Vendors Review Vendor Questionnaire Response Validate Questionnaire Response Perform Audit Risk Strategy (improve security practices, insurance, limit access, accept, no additional business) 15-20% of vendors

14 Resources by the Numbers Process = 3-5 days/vendor Process = $1,500- $2,000/ Vendor Process = / Vendors / FTE Process = / Organization Process = 7-10 FTEs / Organization

15 15 Life-cycle capabilities existing methods Understand Risk Manage Risk Apply Risk Monitor Risk

16 Assurance from vendors that access PHI Typical Health Org Profile 16 Managing Risk Total Vendors 1%4% 5% 15% No understanding of risk 75% New Contracts Existing vendors with a recent assessment Existing vendors with no assessment Contract Renewals Existing vendors with an outdated assessment

17 17 Life-cycle capabilities Understand Risk Manage Risk Apply Risk Monitor Risk

18 18 Life-cycle capabilities (Yr2) Understand Risk Manage Risk Apply Risk Strategy Monitor Risk

19 19 Life-cycle capabilities (Yr3) Understand Risk Manage Risk Apply Risk Strategy Monitor Risk

20 20 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Many # of Vendors Few

21 21 Example Vendor Profiles with access to PHI Technology companies Business Services Clinical Technology Clinical services Enterprise Software EHR Portals Financial Hardware Network Servers Mobile Outsource Hosting Data storage Legal Audit Compliance Consulting Staff Aug. Debt Collection Business analytics Paper storage ECG Data Management ICU Management Population Health Quality Management Controlled Substance Management Systems Image Exchange Surgery Management Patient Engagement Anesthesia Cardiology Laboratory Pharmacy Food service Patient transport Blood & Tissue Transcription Health Information Exchange Home Health Imaging Pharmacy Registries Release of Information Decision Support Prescription Analytics Disease Management Laboratory Long-Term Care Medical Supplies Mental and Addiction Retirement and Disability Medical Supplies Managing Risk No Risk Strategy

22 22 Comprehensive Lifecycle Approach Profile Risk Monitor Risk Fundamental Components Understand Risk Manage Risk

23 23 Fundamental Practices Clear Objectives Leadership Reporting Negotiation Objectives Clearly established goals and objectives for the VSRM program Consistent communication plan/process to inform leadership of vendor risk exposure Clearly defined outcomes and options Vendor Communication Processes for the consistent and clear communication of expectations Stakeholder Collaboration Communication among key stakeholders to provide insight into current and upcoming vendor products, risk exposure, and scheduled audits. Risk Model Model to consistently assess, prioritize and measure vendor risk Tools Tools to support data gathering, analysis, reporting and process workflow. People Clear accountability and responsibility for vendor security risk management

24 24 Risk Model Providing the same focus and management for all vendors is not practical from a resource, cost and organizational perspective. A risk model for vendor security will enable an organization to methodically prioritize and focus resources on vendors that present the highest risk to the organization. Vendor Security Risk is a function of the likelihood that a vendor will experience a breach and the impact of that breach on the organization. Determining Likelihood The factors that increase the likelihood of a vendor breach are based on some inherent characteristics of the company (e.g., size and geographic scope), and, more importantly, the robustness of their security program. The following are criteria that should be considered in determining likelihood of risk. Control Environment 1. Presence of a security program 2. Presence of key security controls 3. Quality of Security Team 4. Quality of Security Leadership 5. Breach History 6. Data at Rest Security 7. Subcontractors Inherent Characteristics 1. Business Description 2. Size 3. Geographic Scope 4. Year Founded 5. Industry Sectors 6. Annual Sales 7. Client Industry(s) Serviced 8. Data Processed/Stored 9. Experience with Org

25 25 Profile Identify Vendors Comprehensive source of vendors with access to Org. network or data. Profile Vendors (Risk Rank) Classification of vendors based on their impact and likelihood.

26 Initial Risk Profile Method for profiling and prioritizing vendor security risk Leveraging sophisticated data analytics and industry research Based on standards based methodologies

27 27 Understand Risk Gather Information Routine processes to collect valuable data for making risk management decisions. Validate Information Consistent process to gain reasonable assurance about the control environment. Analyze Risk Consistent process to gain reasonable assurance about the control environment.

28 28 Breach Risk versus Security Program Maturity HIGH Breach Risk MED LOW Ad-hoc / informal Security Policies, Procedures, Tech Controls Policies, Procedures, Tech Controls for Key Controls Security Leadership & Capable Resources Security Program Executive led information protection programs Security Program Maturity

29 29 Breach Risk versus Assurance Options HIGH Breach Risk MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Certification of Vendor s Security Program Periodic Customer Verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

30 30 Assurance Costs versus Assurance Options HIGH Assurance Cost MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Certification of Vendor s Security Program Periodic Customer verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

31 31 Breach Risk versus Assurance Costs versus Assurance Options HIGH Breach Risk & Assurance Cost MED LOW Contractual Obligations Vendor attestation of Controls 3rd Party Verification of Key Controls Customer Verification of Key Controls Periodic 3rd Party Verification of Vendor s Security Program Periodic Customer Verification of Security Program Continuous Monitoring of Vendor's Security Program Vendor Security Assurance

32 32 Risk Strategy Define Risk Strategy Options Analyze the vendor risk to determine the appropriate action needed to reduce potential impact. Communicate and Negotiate with Vendor Process to communicate with vendors when contractual terms are not met. Implement Strategy Execution of appropriate action when vendors consistently fail to meet contractual terms.

33 33 Risk Strategies OVERALL VENDOR SECURITY RISK Vendor Implements Security Controls AVOID RISK Contract Terms Vendor carrying Cyber-risk insurance Only allow inhouse implemented solution Temporarily accepting risk and tracking a RAF Terminate the Contract

34 Residual Risk Profile Management Reports Clear vision of vendor security risk management objectives Executive level communication Program effectiveness

35 35 Monitoring Tracking and Reporting Vendor Progress Process to inspect vendor progress over time and report details to leadership. Identifying Changes in Vendor Risk Examine vendor compliance progress and determine if vendor s overall risk has improved or deteriorated.

36 On-going Monitoring Many organizations rarely revisit their initial vendor assessments to determine if the risk profile has improved or deteriorated An organizations should provide a mechanism for on-going monitoring and updates of vendor risk profiles The VSRM function should notify the organization of events, such as breaches or expiration of a security certification Community Input Report Updates Alerts

37 CORL VSRM Corl s Vendor Security Risk Management (VSRM) service combines risk intelligence with responsibly shared input from the community to help you manage vendor risk. Meaningful input responsibly shared by peers. Continuous & proactive monitoring by data analytics engine & research analysts Research analysts supported by off-shore resources provide scalable and on-demand managed services Innovative scoring & intelligence reporting

38 CORL is engineered to deliver information for risk strategies as efficiently as possible 38 Corl Initial Risk Profile Review Vendor Questionnaire Response Corl Scores Validate Questionnaire Response Perform Audit Risk Strategy (improve security practices, insurance, limit access, accept, no additional business) 80+% of vendors

39 Thank You Cliff Baker CEO, CORL Technologies

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare

Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Dodging Breaches from Dodgy Vendors: Tackling Vendor Risk Management in Healthcare Strengthening Cybersecurity Defenders #ISC2Congress Healthcare and Security "Information Security is simply a personal

More information

Intelligent Vendor Risk Management

Intelligent Vendor Risk Management Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use Securing Patient Portals What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use September 2013 Table of Contents Abstract... 3 The Carrot and the Stick: Incentives and Penalties for Securing

More information

SECURITY RISK MANAGEMENT

SECURITY RISK MANAGEMENT SECURITY RISK MANAGEMENT ISACA Atlanta Chapter, Geek Week August 20, 2013 Scott Ritchie, Manager, HA&W Information Assurance Services Scott Ritchie CISSP, CISA, PCI QSA, ISO 27001 Auditor Manager, HA&W

More information

HITRUST CSF Assurance Program

HITRUST CSF Assurance Program HITRUST CSF Assurance Program Simplifying the information protection of healthcare data 1 May 2015 2015 HITRUST LLC, Frisco, TX. All Rights Reserved Table of Contents Background CSF Assurance Program Overview

More information

Information Security Management System for Microsoft s Cloud Infrastructure

Information Security Management System for Microsoft s Cloud Infrastructure Information Security Management System for Microsoft s Cloud Infrastructure Online Services Security and Compliance Executive summary Contents Executive summary 1 Information Security Management System

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Managing data security and privacy risk of third-party vendors

Managing data security and privacy risk of third-party vendors Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected

More information

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire

Compliance, Security and Risk Management Relationship Advice. Andrew Hicks, Director Coalfire Compliance, Security and Risk Management Relationship Advice Andrew Hicks, Director Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control panel on

More information

Assessment Process. 2013 HITRUST, Frisco, TX. All Rights Reserved.

Assessment Process. 2013 HITRUST, Frisco, TX. All Rights Reserved. Assessment Process Assessment Process Define Scope The assessment scope gives context to the security controls and those organizations and individuals relying on the results Organization scope defines

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 IT Vendor Due Diligence Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014 Carolinas HealthCare System (CHS) Second largest not-for-profit healthcare system

More information

What can HITRUST do for me?

What can HITRUST do for me? What can HITRUST do for me? Dr. Bryan Cline CISO & VP, CSF Development & Implementation Bryan.Cline@HITRUSTalliance.net Jason Taule Chief Security & Privacy Officer Jason.Taule@FEIsystems.com Introduction

More information

Five Steps to Managing Business Associate (BA) Risk. James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO

Five Steps to Managing Business Associate (BA) Risk. James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO Five Steps to Managing Business Associate (BA) Risk James Christiansen, Optiv Vice President, Information Risk Management, Office of the CISO Conflict of Interest James Christiansen, BS, MBA Has no real

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

2014 HIMSS Analytics Cloud Survey

2014 HIMSS Analytics Cloud Survey 2014 HIMSS Analytics Cloud Survey June 2014 2 Introduction Cloud services have been touted as a viable approach to reduce operating expenses for healthcare organizations. Yet, engage in any conversation

More information

Best Practices in Contract Migration

Best Practices in Contract Migration ebook Best Practices in Contract Migration Why You Should & How to Do It Introducing Contract Migration Organizations have as many as 10,000-200,000 contracts, perhaps more, yet very few organizations

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures?

SOLUTION BRIEF: CA IT ASSET MANAGER. How can I reduce IT asset costs to address my organization s budget pressures? SOLUTION BRIEF: CA IT ASSET MANAGER How can I reduce IT asset costs to address my organization s budget pressures? CA IT Asset Manager helps you optimize your IT investments and avoid overspending by enabling

More information

Metrics that Matter Security Risk Analytics

Metrics that Matter Security Risk Analytics Metrics that Matter Security Risk Analytics Rich Skinner, CISSP Director Security Risk Analytics & Big Data Brinqa rskinner@brinqa.com April 1 st, 2014. Agenda Challenges in Enterprise Security, Risk

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff

Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff Whitepaper Data Governance Roadmap for IT Executives Valeh Nazemoff The Challenge IT Executives are challenged with issues around data, compliancy, regulation and making confident decisions on their business

More information

Secure HIPAA Compliant Cloud Computing

Secure HIPAA Compliant Cloud Computing BUSINESS WHITE PAPER Secure HIPAA Compliant Cloud Computing Step-by-step guide for achieving HIPAA compliance and safeguarding your PHI in a cloud computing environment Step-by-Step Guide for Choosing

More information

agility made possible

agility made possible SOLUTION BRIEF CA IT Asset Manager how can I manage my asset lifecycle, maximize the value of my IT investments, and get a portfolio view of all my assets? agility made possible helps reduce costs, automate

More information

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES

CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES CYBER AND PRIVACY INSURANCE: LOSS MITIGATION SERVICES How can you better prepare and respond to cyber risks? ACE developed Loss Mitigation Services to help policyholders understand and gauge various areas

More information

2014 Vendor Risk Management Benchmark Study

2014 Vendor Risk Management Benchmark Study 2014 Vendor Risk Management Benchmark Study Introduction/Executive Summary You can have all the security in the world inside your company s four walls, but all it takes is a compromise at one third-party

More information

8 Key Requirements of an IT Governance, Risk and Compliance Solution

8 Key Requirements of an IT Governance, Risk and Compliance Solution 8 Key Requirements of an IT Governance, Risk and Compliance Solution White Paper: IT Compliance 8 Key Requirements of an IT Governance, Risk and Compliance Solution Contents Introduction............................................................................................

More information

3 rd Party Vendor Risk Management

3 rd Party Vendor Risk Management 3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

IT Insights. Managing Third Party Technology Risk

IT Insights. Managing Third Party Technology Risk IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate

More information

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RSA ARCHER OPERATIONAL RISK MANAGEMENT RSA ARCHER OPERATIONAL RISK MANAGEMENT 87% of organizations surveyed have seen the volume and complexity of risks increase over the past five years. Another 20% of these organizations have seen the volume

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT

KLC Consulting, Inc. All Rights Reserved. 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT 1 THIRD PARTY (VENDOR) SECURITY RISK MANAGEMENT About Kyle Lai 2 Kyle Lai, CIPP/G/US, CISSP, CISA, CSSLP, BSI Cert. ISO 27001 LA President of KLC Consulting, Inc. Over 20 years in IT and Security Security

More information

Managing Open Source Code Best Practices

Managing Open Source Code Best Practices Managing Open Source Code Best Practices September 24, 2008 Agenda Welcome and Introduction Eran Strod Open Source Best Practices Hal Hearst Questions & Answers Next Steps About Black Duck Software Accelerate

More information

Enterprise Risk Management in Colleges and Universities

Enterprise Risk Management in Colleges and Universities Enterprise Risk Management in Colleges and Universities Cherry Bekaert & Holland, L.L.P. Neal Beggan, CISA, CRISC Shane Hester, CPA, CISA Cherry, Bekaert & Holland, L.L.P. The Firm of Choice. 1 Cherry,

More information

Understanding the VENDOR MANAGEMENT LIFECYCLE. Securing Personal Information in the Hands of Third Parties

Understanding the VENDOR MANAGEMENT LIFECYCLE. Securing Personal Information in the Hands of Third Parties Understanding the VENDOR MANAGEMENT LIFECYCLE Securing Personal Information in the Hands of Third Parties INTRODUCTION As organizations struggle to keep up with service demands, adopt new technologies,

More information

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com

Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased

More information

Sustainability: Achieving Clinical and Financial Benefits Through the Use of an EHR

Sustainability: Achieving Clinical and Financial Benefits Through the Use of an EHR Sustainability: Achieving Clinical and Financial Benefits Through the Use of an EHR Bert Reese SVP and CIO of Sentara Healthcare Sentara Healthcare October 6, 2014 1 Sentara Healthcare 126-year not-for-profit

More information

Our Commitment to Information Security

Our Commitment to Information Security Our Commitment to Information Security What is HIPPA? Health Insurance Portability and Accountability Act 1996 The HIPAA Privacy regulations require health care providers and organizations, as well as

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute April 8, 2015 4/8/2015 1 1 Who is M-CEITA?

More information

Vendor Management Challenge Doing More with Less

Vendor Management Challenge Doing More with Less Vendor Management Challenge Doing More with Less Megan Hertzler Assistant General Counsel Director of Data Privacy Xcel Energy Boris Segalis Partner InfoLawGroup LLP Session ID: GRC-402 Insert presenter

More information

Third-Party Vendor Compliance Programs: The Value, the Need, the Risk

Third-Party Vendor Compliance Programs: The Value, the Need, the Risk Third-Party Vendor Compliance Programs: The Value, the Need, the Risk HCCA Compliance Institute Session 602 Tuesday, April 19, 2016 1:00-2:00 PM HCCA CI - 2016 1 Presenters Corey M. Perman, JD Vice President,

More information

Cybersecurity Reporting: A Backgrounder

Cybersecurity Reporting: A Backgrounder Cybersecurity Reporting: A Backgrounder September 2016 2016 American Institute of CPAs. All rights reserved. DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion

More information

FINRA Publishes its 2015 Report on Cybersecurity Practices

FINRA Publishes its 2015 Report on Cybersecurity Practices Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February

More information

Comparing the CSF, ISO/IEC and NIST SP Why Choosing the CSF is the Best Choice

Comparing the CSF, ISO/IEC and NIST SP Why Choosing the CSF is the Best Choice Comparing the CSF, ISO/IEC 27001 and NIST SP 800-53 Why Choosing the CSF is the Best Choice June 2014 Why Choosing the CSF is the Best Choice Introduction Many healthcare organizations realize it is in

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

Secure Email & File Transfer Practices in Healthcare 2014 / Sponsored by DataMotion

Secure Email & File Transfer Practices in Healthcare 2014 / Sponsored by DataMotion In late 2014, DataMotion conducted its annual survey of more than 700 IT and business professionals across the United States to gain insight into corporate email and file transfer policies. This report

More information

fs viewpoint www.pwc.com/fsi

fs viewpoint www.pwc.com/fsi fs viewpoint www.pwc.com/fsi June 2013 02 11 16 21 24 Point of view Competitive intelligence A framework for response How PwC can help Appendix It takes two to tango: Managing technology risk is now a

More information

Health Data Analytics (HDA) Build the organizational capabilities to create value from HDA

Health Data Analytics (HDA) Build the organizational capabilities to create value from HDA Health Data Analytics (HDA) Build the organizational capabilities to create value from HDA Health Data Analytics (HDA) Webinar Presenter Celwyn Evans Moderator Joe Crandall Objective: Review a pragmatic

More information

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation

Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Today s Financial Services IT Organization Delivering Security, Value and Performance Amid Major Transformation Assessing the Financial Services Industry Results from Protiviti s 2014 IT Priorities and

More information

Gilead Clinical Operations Risk Management Program

Gilead Clinical Operations Risk Management Program Gilead Clinical Operations Risk Management Program Brian J Nugent, Associate Director 1 Agenda Risk Management Risk Management Background, Benefits, Framework Risk Management Training and Culture Change

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions The rise of third party relationships means rise in risk and regulation Non-compliance is risky business for financial institutions Increasing dependency on third parties by banks has resulted in mandatory

More information

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6

Using the HITRUST CSF to Assess Cybersecurity Preparedness 1 of 6 to Assess Cybersecurity Preparedness 1 of 6 Introduction Long before the signing in February 2013 of the White House Executive Order Improving Critical Infrastructure Cybersecurity, HITRUST recognized

More information

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014

IT Cloud / Data Security Vendor Risk Management Associated with Data Security. September 9, 2014 IT Cloud / Data Security Vendor Risk Management Associated with Data Security September 9, 2014 Speakers Brian Thomas, CISA, CISSP In charge of Weaver s IT Advisory Services, broad focus on IT risk, security

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Services. Hospital Solutions: Integrated Healthcare IT and Business Process Solutions that Achieve Breakthrough Results

Services. Hospital Solutions: Integrated Healthcare IT and Business Process Solutions that Achieve Breakthrough Results Services Hospital Solutions: Integrated Healthcare IT and Business Process Solutions that Achieve Breakthrough Results Hospital Solutions Overview Hospital Solutions Backed by more than 20 years of strength

More information

Managing IT Security with Penetration Testing

Managing IT Security with Penetration Testing Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to

More information

Accenture Risk Management. Industry Report. Life Sciences

Accenture Risk Management. Industry Report. Life Sciences Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

What does HIPAA Compliant mean? Session 137 April 15, 2015

What does HIPAA Compliant mean? Session 137 April 15, 2015 What does HIPAA Compliant mean? Session 137 April 15, 2015 Dana DeMasters, MN, RN, CHPS Privacy/Security Officer Liberty Hospital Tom Walsh, CISSP President & CEO tw-security DISCLAIMER: The views and

More information

IT Governance. What is it and how to audit it. 21 April 2009

IT Governance. What is it and how to audit it. 21 April 2009 What is it and how to audit it 21 April 2009 Agenda Can you define What are the key objectives of How should be structured Roles and responsibilities Key challenges and barriers Auditing Scope Test procedures

More information

Healthcare Information Security Today

Healthcare Information Security Today Healthcare Information Security Today 2015 Survey Analysis: Evolving Threats and Health Info Security Efforts WHITE PAPER SURVEY BACKGROUND The Information Security Media Group conducts an annual Healthcare

More information

Preemptive security solutions for healthcare

Preemptive security solutions for healthcare Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare

More information

HIPAA and HITRUST - FAQ

HIPAA and HITRUST - FAQ A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14 www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved

A smarter way to protect your brand. Copyright 2012 Compliance 360 All Rights Reserved A smarter way to protect your brand Minimizing Compliance Risks of Proactive OCR HIPAA Audits Copyright 2012 Compliance 360 All Rights Reserved Compliance 360 at a Glance Compliance, Risk and Audit Solutions

More information

Best Practices in IT Support Systems IMPROVING HELP DESK PERFORMANCE AND SUPPORT

Best Practices in IT Support Systems IMPROVING HELP DESK PERFORMANCE AND SUPPORT Best Practices in IT Support Systems IMPROVING HELP DESK PERFORMANCE AND SUPPORT 12 Building the Case Creating a Robust Help Desk Environment As organizations increasingly rely on integrated electronic

More information

Obtaining CSF Certification Lessons Learned and Why Do It

Obtaining CSF Certification Lessons Learned and Why Do It Obtaining CSF Certification Lessons Learned and Why Do It Aaron Miri, Chief Technology Officer, Children s medical Center of Dallas Ryan Sawyer, Director, Technology Risk and Identity Governance, WellPoint

More information

IBM Smartcloud Managed Backup

IBM Smartcloud Managed Backup IBM Smartcloud Managed Backup Service Definition 1 1. Summary 1.1 Service Description The IBM SmartCloud Managed Backup service provides public, private and hybrid cloudbased data protection solutions

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

The following outlines an effective, proven process for assuring your practice makes the best, most well informed EHR system and vendor decision:

The following outlines an effective, proven process for assuring your practice makes the best, most well informed EHR system and vendor decision: Tips for Success Evaluating and Selecting an EHR System The number, variety and complexity of EHR systems in today s market has made the search for a system complex and sometimes intimidating for many

More information

Third-Party Risk Management for Life Sciences Companies

Third-Party Risk Management for Life Sciences Companies April 2016 Third-Party Risk Management for Life Sciences Companies Five Leading Practices for Data Protection By Mindy Herman, PMP, and Michael Lucas, CISSP Audit Tax Advisory Risk Performance Crowe Horwath

More information

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

Managing the Shadow Cloud

Managing the Shadow Cloud Managing the Shadow Cloud Integrating cloud governance into your existing compliance program August 2014 Shadow IT is not a new concept and organizations are well aware of the risks associated with unauthorized

More information

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP

The Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP The Challenges of Applying HIPAA to the Cloud Adam Greene, Partner Davis Wright Tremaine LLP AGENDA Key Concepts Under HIPAA HIPAA Obligations for a BA Questions Remain Reaching Answers Resources KEY CONCEPTS

More information

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP

Cyber Security. Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Cyber Security Moderator: Marla J. Kreindler, Partner, Morgan, Lewis & Bockius LLP Speakers: Keith Overly, Executive Director, Ohio Deferred Compensation Program Raj Patel, Partner, Plante & Moran, PLLC

More information

Data Privacy & Security in the Cloud: Legal Basics and New Developments

Data Privacy & Security in the Cloud: Legal Basics and New Developments Data Privacy & Security in the Cloud: Legal Basics and New Developments Lawrence R. Freedman Partner, Edwards Wildman Palmer LLP lfreedman@edwardswildman.com (202) 939-7923 1 The Basics Two basic data

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05. Cyber Risk Management Guidance. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-05 Cyber Risk Management Guidance Purpose This advisory bulletin provides Federal Housing Finance Agency (FHFA) guidance on cyber risk management.

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance.

Customer Success Story. Central Logic. Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Customer Success Story Central Logic Comprehensive SRA helps healthcare software provider safeguard its customer s PHI and ensure HIPAA compliance. Page 2 of 6 Central Logic Comprehensive SRA helps healthcare

More information

SECURETexas Health Information Privacy & Security Certification Program FAQs

SECURETexas Health Information Privacy & Security Certification Program FAQs What is the relationship between the Texas Health Services Authority (THSA) and the Health Information Trust Alliance (HITRUST)? The THSA and HITRUST have partnered to help improve the protection of healthcare

More information

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012 The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why

More information

Demonstrating Meaningful Use of EHRs: The top 10 compliance challenges for Stage 1 and what s new with 2

Demonstrating Meaningful Use of EHRs: The top 10 compliance challenges for Stage 1 and what s new with 2 Demonstrating Meaningful Use of EHRs: The top 10 compliance challenges for Stage 1 and what s new with 2 Today s discussion A three-stage approach to achieving Meaningful Use Top 10 compliance challenges

More information

Navigating the Waters of Incident Response and Recovery

Navigating the Waters of Incident Response and Recovery Navigating the Waters of Incident Response and Recovery Lee Kim, Esq. Tucker Arensberg, P.C. CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 2013 Lee Kim

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

case study Denver Health & Hospital Authority IT as a Change Agent in the Transformation of Healthcare Summary Introductory Overview ORGANIZATION:

case study Denver Health & Hospital Authority IT as a Change Agent in the Transformation of Healthcare Summary Introductory Overview ORGANIZATION: The Computerworld Honors Program Denver, Colorado, United States Summary For the past nine years, has partnered with Siemens Medical Solutions to further its mission as a safety net city-wide hospital

More information

Improve Dictation and Transcription Workflow by Leaps and Bounds

Improve Dictation and Transcription Workflow by Leaps and Bounds Improve Dictation and Transcription Workflow by Leaps and Bounds Enterprise Voice Capture and Centralized Document Management Solution Part of the integrated M*Modal transcription solution, M*Modal Fluency

More information

Current Challenges in Managing Contract Lifecycle Management

Current Challenges in Managing Contract Lifecycle Management Current Challenges in Managing Lifecycle Management s are the bloodline of your business. Due to increased pressure in volume, complexity and regulatory compliance, contracts have evolved from a simple

More information

How Cisco IT Standardizes the Acquisition Integration Process

How Cisco IT Standardizes the Acquisition Integration Process How Cisco IT Standardizes the Acquisition Integration Process Cisco IT develops standards for assimilating newly acquired companies rapidly, consistently, and with minor disruption Cisco IT Case Study

More information

Cloud Computing An Auditor s Perspective

Cloud Computing An Auditor s Perspective Cloud Computing An Auditor s Perspective Sailesh Gadia, CPA, CISA, CIPP sgadia@kpmg.com December 9, 2010 Discussion Agenda Introduction to cloud computing Types of cloud services Benefits, challenges,

More information

Protecting your brand in the cloud Transparency and trust through enhanced reporting

Protecting your brand in the cloud Transparency and trust through enhanced reporting Protecting your brand in the cloud Transparency and trust through enhanced reporting Third-party Assurance November 2011 At a glance Cloud computing has unprecedented potential to deliver greater business

More information