Third&Party&Risk&Management&Policy&

Transcription

1 Third&Party&Risk&Management&Policy& Version( Approval(Date( Owner( 1.0 July28,2015 DanielWilt 1.Purpose& ThepurposeofthispolicyistoestablishthemethodsbywhichHealthShareExchangeof SoutheasternPennsylvania,Inc.(HSX)willmanagesecurityrisksthatareintroducedby thirdparties,includingcontractedvendorserviceprovidersandmembers/participants. TheintentistoensurethatthesecurityofHSX'sinformationandinformationassetsare notreducedwhensharinginformationwiththirdpartiesorbytheintroductionofthird partyproductsorservicesintothehsxenvironment. Thispolicyalsodescribeswhatprocessesmustbeinplacebeforeprotectedhealth information(phi)canbereleasedtobusinessassociates,andthemechanismfor developingandmaintainingcontractualagreementswithbusinessassociatesregarding theirresponsibilitiesunderhipaaregulations. 2.Scope& Thispolicyappliestoallthirdpartyarrangements,includingthosewithBusiness Associates. 3.Policy& HSXshallestablishthirdpartyriskmanagementfunctionswiththepurposeofgoverning securityrisksofthirdpartyorganizationsthathaveaccesstoenterprisedata,orprovide productsorservicesforhsx. Responsibilitiesforthethirdpartyriskmanagementfunctionshallinclude: o IdentifyingallHSXBusinessAssociates,accordingtotheHIPAASecurity andprivacyrules. o Vettingthesecuritycontrolsofthirdpartiesbeforeestablishingathird partycontractrelationship. o EnsuringanapprovedandupXtoXdateHSXBusinessAssociateAgreement (BAA)isinplaceandhasbeensignedbyeverythirdparty. Third Party Risk Management Policy FINAL v docx 1

2 o MaintainingacurrentandaccuratelistingofallHSXbusinessassociates. o MonitoringthirdpartiesforadherencetoprovisionswithinBAAs(where applicable),servicelevelagreements(slas),andcontractualsecurity requirements. o PerformingonXgoingorcontinuousreviewsofsecuritymeasures implementedbythirdpartyserviceproviders. o Ensuringtheadherencetoallotherprovisionswithinthispolicy. ThirdPartyRiskIdentification: ThepotentialriskstoHSXinformationassetsfrombusinessprocessesinvolving thirdpartiesshallbeidentified,andappropriatecontrolsshallbeimplementedto mitigatetheserisksbeforegrantingaccess. ThirdpartiesshallonlybegrantedaccesstoHSX sinformationassetsafterdue diligencehasbeenconducted,appropriatecontrolshavebeenimplemented,anda writtencontractdefiningthetermsofaccesshasbeensigned. DuediligencebyHSXtodetermineriskshallincludeinterviews,andreviewsof documents,checklists,andcertifications. ThirdPartySecurityRequirements: Ifappropriate,ariskassessmentshallbeconductedofthethirdpartytodetermine thespecificsecurityrequirementsnecessarytosecuretheirsystemstoalevelof riskacceptabletohsx. Allidentifiedthirdpartysecurityrequirementsshallbeaddressedandvalidated beforegrantingthirdpartyaccesstohsx'sinformationorinformationassets. ThirdPartyAgreements: Agreementswiththirdpartiesinvolvingaccessing,processing,communicatingor managinghsx'sinformationassets,oraddingproductsorservicestoinformation assetsmustcoverallrelevantsecurityrequirementsandshallincludeallrequired securityandprivacycontrolsinaccordancewithhsx ssecurityandprivacypolicies. Thespecificlimitationsofaccess,arrangementsforcomplianceauditing,penalties, andtherequirementfornotificationwithrespecttorelevantthirdpartypersonnel transfersandterminationsshallbeidentifiedinthethirdpartyagreements. AstandardBAAshallbedefined.ThestandardBAAshallbefoundontheHSX intranet. TheBAAshallincludeprovisionsforbreachnotificationandterminationupon breach. TheBAAshalldefinethedispositionofPHIonterminationoftheagreement. Third Party Risk Management Policy FINAL v docx 2

3 ThirdPartyAccessControlRequirements: HSXshallonlyallowthirdpartiestocreate,receive,maintain,ortransmitPHIonits behalfaftertheorganizationobtainssatisfactorywrittenassurancethatthethird partywillappropriatelymaintainandenforcetheprivacyandsecurityofthe enterprisedata,including,whererelevant,protectingphiviathestandardbaa. ThirdpartyaccessshallbebasedontheprinciplesofneedXtoXknowandleast privilege. Thirdpartyaccessshallbegrantedonlyforthedurationrequired. RemoteaccessconnectionsbetweenHSXandthirdpartiesmustbeencrypted. Remoteaccessconnectionswiththirdpartiesshallbemonitoredonanongoing basis. ThirdPartyServiceDelivery: HSXshallrequirethatthirdpartiesmeetindustrybestpracticesandregulatory requirementsforsecurityandprivacycontrolsandthattheyareimplemented, operatedandenforced. SLAs,orcontractswithanagreedservicearrangement,shalladdressliability, servicedefinitions,securitycontrols,andotheraspectsofservicesmanagement. HSXshalldevelop,disseminateandupdateatleastannuallyalistofcurrentservice providers. HSXshalladdressinformationsecurityandotherbusinessconsiderationswhen acquiringsystemsorservicesincludingmaintainingsecurityduringtransitionsand businesscontinuityfollowingafailureordisaster. ThirdPartyServiceProvidersMonitoringandReview: Theservices,reportsandrecordsprovidedbythethirdpartyServiceProvidershall bemonitoredandreviewedonanannualbasis,andauditsshallbecarriedoutto ensurecompliancewiththethirdpartyserviceprovideragreementsismaintained. TheresultsofmonitoringactivitiesofthirdpartyServiceProviderservicesshallbe comparedagainsttheslaorcontractsatleastannually. RegularprogressmeetingsshallbeconductedasrequiredbytheSLAorcontractto reviewreports,audittrails,securityevents,operationalissues,failuresand disruptions,andensureidentifiedissuesareinvestigatedandresolvedaccordingly. NetworkconnectionswiththirdpartyServiceProvidersshallbeperiodically auditedtoensurethattheyhaveimplementedanyrequiredsecurityfeaturesand meetallrequirementsagreedtowithhsx. ThirdPartyMemberandParticipantMonitoringandReview: Third Party Risk Management Policy FINAL v docx 3

4 HSXshallrequireMembersandParticipantstorespondtoaPrivacyandSecurity Statementpriortocontractexecutionandeligibilitytoexchangeinformationor accesstheexchange. HSXshallrevieweachprivacyandsecuritystatementforcompliancewithHSX requirements HSXshalldenymembershiporparticipationunlessMemberorParticipanthas resubmittedtheirprivacyandsecuritystatementreflectingremediationofall identifiedgaps MembersandParticipantsarerequiredtonotifyHSXintheeventthattheyhave identifiedanyareaofnonxcompliancewiththispolicy. HSXwillconductanannualPrivacyandSecuritysurveyforasubsetofthe Members/Participantsandreviewforcomplianceandtakeappropriateactions,if any,deemednecessary ThirdPartyChangeManagement: Changestotheprovisionofservices,includingmaintainingandimprovingexisting informationsecuritypolicies,proceduresandcontrols,shallbemanaged,takinginto accountthecriticalityofbusinesssystemsandprocessesinvolvedandrex assessmentofrisks. Thirdpartiesshallberequiredtocoordinate,manageandcommunicatechanges thatwillhaveanimpacttohsxinformation,systemsorprocesses. Thirdpartychangesshallbeevaluatedtoidentifythepotentialimpactsbefore implementation. 4.Enforcement& TheCISOandPrivacyOfficershallberesponsibleforenforcingcompliancewiththis policyunderthedirectionoftheexecutivedirector. TheMemberorParticipantshallberesponsibleforenforcingcompliancewiththis policyatminimumwithintheirorganization. 5.Definitions& Foracompletelistofdefinitions,refertotheGlossary. 6.References& RegulatoryReferences: Third Party Risk Management Policy FINAL v docx 4

5 HIPAARegulatoryReference:HIPAA (a)(3)(ii)(A),HIPAA (a)(4)(ii)(B),HIPAA (b)(1),HIPAA (b)(3),HIPAA (a)(1),HIPAA (a)(2)(i),HIPAA (a)(2)(ii),HIPAA (b)(1),HIPAA (b)(2)(i),HIPAA (b)(2)(ii),HIPAA (b)(2)(iii),HIPAA (b)(2)(iv),HIPAA (b),HIPAA (a)(1),HIPAA (a)(2),HIPAA (b),HIPAA (c)(1), HIPAA (c)(2),HIPAA (b) HITRUSTReference:05.iIdentificationofRisksRelatedtoExternalParties,05.j AddressingSecurityWhenDealingwithCustomers,05.kAddressingSecurityin ThirdPartyAgreements,09.eServiceDelivery,09.fMonitoringandReviewofThird PartyServices,09.gManagingChangestoThirdPartyServices PCIRegulatoryReference:PCIDSSv32.6,PCIDSSv312.8,PCIDSSv ,PCI DSSv ,PCIDSSv ,PCIDSSv ,PCIDSSv ,PCIDSSv PAeHealthReference:9.0.PatientAuditingandAccountingofDisclosures Policy(Owner( DanielWilt Contact( Approved(By( Board Approval(Date( July28,2015 HSXManagement Team Date(Policy(In( Effect( 5X13X2015 Version(#( 1 Original(Issue(Date( 5X13X2015 Last(Review(Date(( Related( Documents( BusinessAssociateAgreementTemplate(BAA) Glossary ServiceLevelAgreementTemplate(SLA) Third Party Risk Management Policy FINAL v docx 5