Customer Data and Reputational Risk in the Pharmaceutical Industry
- Jessie Cameron
Sensitive Data: A Chain of Trust

Organizations of all types, from banks to government agencies to healthcare providers, are taking steps to protect themselves against the potentially catastrophic loss of sensitive data, intellectual property and business intelligence. In this environment, pharmaceutical companies are becoming more aware of the distinct data-related risks they face.

Consumers provide pharmaceutical companies with personal information for a number of reasons. Visitors to a company's website, for instance, often are asked to provide personal data (potentially including their name, address, phone number, gender, age and medical conditions) in order to receive newsletters, notifications of drug interactions or free samples from a physician; participate in discount programs; or interact with an online community who have the same medical condition.

While pharmaceutical companies' research and development activities tend to be protected by rigorous security frameworks, their customer-focused efforts are not subject to the same standards of protection. Sales and marketing projects commonly are outsourced to third-party vendors, ranging from boutique marketing agencies to larger firms that provide shared services for multiple companies. Relationships with these service providers often involve the unregulated exchange of sensitive customer data. Just as customers typically do not know how their data is handled or protected by the pharmaceutical company, the handling company often is not fully aware of the data-protection processes or security standards of the vendors it hires. The result is an uneasy chain of trust in which risks remain at least partially unknown and standards are not clearly defined.
Reputational Risk

While contracts with service providers may limit the pharmaceutical company's legal liability, they do little to protect the company against reputational risk, which has the potential to be even more damaging. In the case of a media story about a privacy violation or loss of sensitive data, few consumers will read the fine print and distinguish between the large, well-known company and the obscure service provider responsible for handling the data.

An example occurred in September 2007, when clothing retailer Gap Inc. announced it had lost the unencrypted personal data, including Social Security numbers, of 800,000 job applicants. Buried in the details of the story, and probably irrelevant to most consumers, was the fact that it was an undisclosed third-party human resources service provider, not Gap, which actually lost the data. As consumers become more aware of identity theft and other fraud, continuing reports of new incidents fuel their growing suspicion. Even when blame for data loss can be assigned publicly to another well-known party (such as when Citigroup blamed UPS for a 2005 loss of customer data), reputational damage to both parties can be substantial.

Unanswered Questions

Other industries that handle large quantities of sensitive customer information, such as healthcare and financial services, are subject to regulatory scrutiny and specific data-handling guidelines. But pharmaceutical companies, beyond abiding by general regulations that affect all industries, are for the most part left to establish their own standards and procedures.

Whether a project involves a large, one-time transfer of data to the service provider or an ongoing exchange, data can be compromised at multiple points. This raises data security questions, such as:

- What controls are in place to limit the likelihood or consequences of losing data during transmission to the service provider?
- What are the service provider's security-related procedures while using a company's data? What assurance is there that they are being followed?
- What happens to the data after the project's completion?

This last susceptibility is often the source of the greatest uncertainty, as questions arise about who owns the data, how and when it must be destroyed, and certification of that destruction. While each contract may specify some of these matters, the accumulation of different contracts for different vendors leaves plenty of room for confusion and risk.

What is missing is a model to limit risk. By establishing sound risk management practices, companies can greatly reduce ongoing reputational, financial and legal risks related to customer data, resulting in greater security and more efficient working relationships with service providers.

Uncovering Current Practices

Efforts to mitigate data risk should begin with a thorough examination of the ways in which data is processed and exchanged by the pharmaceutical company. Initial goals might include identifying all the business processes that handle sensitive data, the volume and exact type of data being shared, and the service providers involved in each process. These efforts cannot rest entirely on delineating official processes, however. Even if a detailed process flow already has been established, it is unlikely to tell the whole story about how data actually is handled. For example, an employee may routinely share data in response to informal requests, bypassing the protections inherent in standard procedures. Thorough interviews with sales and marketing personnel can reveal surprising gaps between official procedures and day-to-day habits. Electronic monitoring of server traffic, which need not use state-of-the-art technology to be effective, can augment these firsthand accounts with hard evidence of data leaks.

Rooting Out Risk

Once internal processes have become more transparent, the company can consider ways to limit data risks after data has been shared with the service provider. Perhaps the simplest and most powerful practice companies can implement is removing or de-identifying as much sensitive data as possible before sharing it with a third party, thereby eliminating complexities and concerns at the root. To do so, the company might begin by analyzing how much of the data each service provider actually needs in order to perform its work, and then compare it to the types of data the provider currently receives. Sales and marketing projects rarely require all the fields of customer data the pharmaceutical company possesses. In the case of a marketing study examining different age categories, for example, most of the customer data fields could be removed before the data is shared with the service provider. Even when a data field cannot be eliminated, it often can be de-identified. Specific information can be made more general; for instance, providing customers' states of residence instead of street addresses.

These measures may add an extra step to the data-handling process, making it more time-consuming than simply sending the whole customer file. The mitigating effect they can have on risk, however, is worthwhile. Limiting the amount and type of shared data eases the burden on every other aspect of customer data security and vendor management, including end-of-project procedures for destroying or returning data.

Better Vendor Management

By establishing standard procedures for assessing the security of all service providers (currently engaged ones, as well as candidates for future projects), pharmaceutical companies can improve data security and build more efficient, reliable vendor relationships. Using objective criteria to assess the customer data risks of doing business with both existing and potential vendors leads to better-informed decisions about whether or not to work with them. Generally, these criteria should include controls around security administration and change control. Without such criteria, these important decisions may be made on an ad hoc, subjective basis that leaves the company more vulnerable to unknown or insufficient security practices on the part of vendors. A consistently implemented procedure for vendor risk assessment can substantially reduce data risk on an ongoing basis.

When evaluating potential vendors, the expected control items should be conveyed during the request for proposal (RFP) process so that candidates are not surprised by the expectations. If an RFP process is not used, the controls should be tested before the contract begins, which is the easiest time for a vendor to respond quickly to any required changes. Assessment of a vendor may result in any of the following measures:

- Provide less data or less identifiable data to reduce risk up front.
- If sensitive data must be shared, validate the vendor's security controls using a standardized process.
- Negotiate contract changes to shift the burden of risk.
- Choose to stop doing business with the vendor.

Some existing vendors may be reluctant to have their practices assessed or to make changes in those processes, but most are likely to appreciate the benefits of being certified by the pharmaceutical company. By proving they can handle data in a manner that is in line with the company's standards, they have an inside track for future projects. While assessment measures may seem to add a layer of complexity to vendor relationships, they actually may have the opposite effect. If certain vendors do not meet security standards or are not willing to have their processes assessed, the pharmaceutical company ultimately may consolidate its active vendors down to a trusted few, simplifying overall vendor management. Whether or not such consolidation occurs, decisions about the companies entrusted with sensitive customer data become more objective and reliable. Pharmaceutical companies that actively address customer data risk, both internally and in their vendor relationships, position themselves to better protect both their customers and their reputations.
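The remove-or-de-identify step described under Rooting Out Risk above, as an added example that is not part of the white paper: a purpose-driven minimization that builds a vendor extract from a constructed customer file, carrying only the fields a named project needs (a coarse age category and the state of residence rather than exact age and street address for the age-category study), reporting which fields were withheld for comparison against what a vendor currently receives, and refusing to release an extract that still holds direct identifiers. The purpose names, field names, age buckets and sample records are assumptions chosen for illustration.

```python
"""Purpose-driven data minimization for a vendor extract (added example).

Given a full customer record and a stated project purpose, emit only the
fields that purpose needs, generalizing the ones that cannot be dropped.
Field names, purpose names and age buckets are assumptions, not a standard.
"""
from __future__ import annotations

from typing import Callable

# Constructed sample of the "whole customer file" the paper warns against
# sending: name, address, phone, gender, age, medical condition, e-mail.
FULL_CUSTOMER_FILE = [
    {"name": "A. Example", "street": "12 Main St", "city": "Trenton", "state": "NJ",
     "phone": "609-555-0100", "gender": "F", "age": 34, "condition": "asthma",
     "email": "a.example@example.invalid"},
    {"name": "B. Example", "street": "9 Oak Ave", "city": "Austin", "state": "TX",
     "phone": "512-555-0101", "gender": "M", "age": 67, "condition": "diabetes",
     "email": "b.example@example.invalid"},
    # Missing age: the generalizer must cope rather than crash or leak.
    {"name": "C. Example", "street": "4 Elm Rd", "city": "Boise", "state": "ID",
     "phone": "208-555-0102", "gender": "M", "age": None, "condition": "asthma",
     "email": "c.example@example.invalid"},
]


def age_category(age: int | None) -> str:
    """Bucket an exact age into the coarse categories a study would compare."""
    if age is None:
        return "unknown"
    if age < 18:
        return "under 18"
    if age < 35:
        return "18-34"
    if age < 55:
        return "35-54"
    if age < 65:
        return "55-64"
    return "65+"


# A purpose maps output field -> (source field, transform). Any source field
# not listed is never copied (the "remove" half of the paper's advice); the
# transforms generalize what must be kept (the "de-identify" half).
Purpose = dict[str, tuple[str, Callable[[object], object]]]

PURPOSES: dict[str, Purpose] = {
    # Study comparing age categories: coarse age, the condition under study,
    # and the state of residence instead of the street address.
    "age_category_study": {
        "age_category": ("age", age_category),
        "condition": ("condition", lambda v: v),
        "state": ("state", lambda v: v),
    },
    # Routing free samples to a physician network by state needs neither the
    # street address, the phone number nor the medical condition.
    "sample_fulfilment_by_state": {
        "state": ("state", lambda v: v),
        "gender": ("gender", lambda v: v),
    },
}


def minimize_record(record: dict, purpose: Purpose) -> dict:
    """Produce the minimized view of one record for a given purpose."""
    return {out: fn(record.get(src)) for out, (src, fn) in purpose.items()}


def build_extract(records: list[dict], purpose_name: str) -> list[dict]:
    """Build the vendor extract for a named purpose; fail closed on unknown names."""
    if purpose_name not in PURPOSES:
        raise KeyError(f"no approved purpose named {purpose_name!r}")
    return [minimize_record(r, PURPOSES[purpose_name]) for r in records]


def fields_withheld(records: list[dict], purpose_name: str) -> set[str]:
    """Source fields the extract does not carry, i.e. the reduction achieved
    relative to sending the whole file (the comparison the paper recommends)."""
    present = {k for r in records for k in r}
    shared = {src for src, _ in PURPOSES[purpose_name].values()}
    return present - shared


def leaks_direct_identifiers(extract: list[dict]) -> bool:
    """Final gate before transfer: True if any direct identifier survived."""
    direct = {"name", "street", "phone", "email"}
    return any(direct & set(row) for row in extract)


if __name__ == "__main__":
    extract = build_extract(FULL_CUSTOMER_FILE, "age_category_study")
    for row in extract:
        print(row)
    print("withheld:", sorted(fields_withheld(FULL_CUSTOMER_FILE, "age_category_study")))
    print("direct identifiers present:", leaks_direct_identifiers(extract))
```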
Learning from Other Industries

Of course, the pharmaceutical industry is not the only one in which companies share significant amounts of customer information with vendors. However, unlike the pharmaceutical industry, other industries have regulations in place that specifically address the appropriate handling and protection of customer data. For example, in the banking industry, the Gramm-Leach-Bliley Act (GLBA) includes vendor management requirements that extend privacy and information security requirements to third-party agreements. In the healthcare industry, under the Health Insurance Portability and Accountability Act (HIPAA), service providers given access to patients' protected health information must sign a Business Associate agreement that outlines appropriate handling of customer information, including the return or destruction of the data.

These regulations share a similar approach: identifying where a company has sensitive data, performing a risk assessment, and then implementing a structured plan to mitigate the risks. Pharmaceutical companies seeking to develop effective strategies to mitigate their own risk might find it valuable to learn more about these regulations in greater depth. They also should take note that individual states such as California are enacting their own distinct legislation. Even when processes are strictly regulated, each company must invest significant effort to interpret the rules and establish its own standards of discipline.

Another development in the financial industry also may be worth watching. In 2006, a nonprofit financial industry consortium called BITS launched the Financial Institution Shared Assessments Program (FISAP) to establish industry-standard procedures that financial institutions should use to evaluate the security controls of their IT service providers. A primary goal of FISAP, which currently is gaining acceptance, is to reduce monitoring and compliance costs for both financial institutions and their service providers.
About Protiviti

Protiviti is a global consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance, operations, technology, litigation, and governance, risk and compliance (GRC). Our highly trained, results-oriented professionals serve clients in the Americas, Asia-Pacific, Europe and the Middle East and provide a unique perspective on a wide range of critical business issues. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Protiviti's Pharmaceutical Services Practice

Protiviti's practice includes professionals with deep industry experience in pharmaceutical/biotechnology and medical devices. Life sciences organizations are constantly challenged by their need to grow and profit while complying with a wide range of complex and rapidly evolving government regulations. Whether the top concern is internal audit, regulatory compliance, improving revenues, managing costs, evaluating and safeguarding intellectual property, or leveraging new technology, Protiviti brings industry knowledge and deep skills to help pharmaceutical, biotech and medical-device companies overcome risks and maintain their financial health. Protiviti views compliance requirements as an opportunity to improve an organization's operations and financial performance. Our solutions are designed to improve business performance while achieving compliance objectives.

For additional information about the issues reviewed in this white paper or Protiviti's services, please contact:

- Edward J. Scheuer, Managing Director, ed.scheuer@protiviti.com
- John F. Bingham, Director, john.bingham@protiviti.com

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. Protiviti Inc. An Equal Opportunity Employer.
More informationNeed Assistance selecting an EMR/EHR? OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit?
OCR Launches Full Scale HIPAA Audits in 2013 Are you ready for a HIPAA Audit? The results of the Office of Civil Rights (OCR) pilot audit program shows: Small covered entities had more issues than larger
More informationWhite Paper Achieving HIPAA Compliance through Security Information Management. White Paper / HIPAA
White Paper Achieving HIPAA Compliance through Security Information Management White Paper / HIPAA Contents Executive Summary... 1 Introduction: Brief Overview of HIPAA... 1 The HIPAA Challenge: Protecting
More informationCapital Projects and Construction: Building in Risk Management and Project Controls
Capital Projects and Construction: Building in Risk Management and Project Controls Making Every Dollar Count The global economic crisis sparked by the subprime mortgage debacle, the collapse of the securitized
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationKeep Your Data Secure in the Cloud Using encryption to ensure your online data is protected from compromise
Protection as a Priority TM Keep Your Data Secure in the Cloud to ensure your online data is protected from compromise Abstract The headlines have been dominated lately with massive data breaches exposing
More informationNine Network Considerations in the New HIPAA Landscape
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
More informationA Guide to Minimizing the Risk of IT Asset Disposition
A Guide to Minimizing the Risk of IT Asset Disposition Who is concerned about risk? They may not think about it terms of risk, but almost everyone at your organization is worried about the chinks in its
More informationThe 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance
Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand
More informationAlienVault for Regulatory Compliance
AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have
More informationExternal Penetration Assessment and Database Access Review
External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management
More informationAddressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations
White Paper September 2009 Addressing IT governance, risk and compliance (GRC) to meet regulatory requirements and reduce operational risk in financial services organizations Page 2 Contents 2 Executive
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationIdentity Theft Security and Compliance: Issues for Business
Identity Theft Security and Compliance: Issues for Business The Facts Six Common Uses for Stolen Information Financial Criminal Medical DMV Social Security Terrorist The Facts A Chronology of Data Breaches
More informationAn Executive Overview of GAPP. Generally Accepted Privacy Principles
An Executive Overview of GAPP Generally Accepted Privacy Principles Current Environment One of today s key business imperatives is maintaining the privacy of your customers personal information. As business
More information10 Steps to Establishing an Effective Email Retention Policy
WHITE PAPER: 10 STEPS TO EFFECTIVE EMAIL RETENTION 10 Steps to Establishing an Effective Email Retention Policy JANUARY 2009 Eric Lundgren INFORMATION GOVERNANCE Table of Contents Executive Summary SECTION
More informationHIPAA Security Risk Analysis for Meaningful Use
HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA
More informationBest Practices in HIPAA Security Risk Assessments
BUSINESS WHITE PAPER Best Practices in HIPAA Security Risk Assessments Safeguard your protected health information (PHI) and mitigate the risk of a data breach or loss. WHITEPAPER Best Practices in HIPAA
More informationHigh-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits
High-Shrink Store Programs: Why Focusing Your Resources on the Worst Performing Stores Will Reap the Most Benefits Introduction: Why shrink matters Retailers are used to managing a certain amount of shrink
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationNCUA LETTER TO CREDIT UNIONS
NCUA LETTER TO CREDIT UNIONS NATIONAL CREDIT UNION ADMINISTRATION 1775 Duke Street, Alexandria, VA 22314 DATE: October 2001 LETTER NO.: 01-CU-12 TO: SUBJ: Federally Insured Credit Unions e-commerce Insurance
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationOCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationHIPAA and HITRUST - FAQ
A COALFIRE WHITE PAPER HIPAA and HITRUST - FAQ by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner Director, Healthcare Practice Lead Coalfire February 2013 Introduction Organizations are
More informationCybersecurity: Emerging Exposures for Technology Companies. October 7, 2010
Cybersecurity: Emerging Exposures for Technology Companies October 7, 2010 Your panelists David Allred, Head of the Technology Segment for North America Commercial at Zurich Liesyl Franz, Vice President
More informationCompliance Management, made easy
Compliance Management, made easy LOGPOINT SECURING BUSINESS ASSETS SECURING BUSINESS ASSETS LogPoint 5.1: Protecting your data, intellectual property and your company Log and Compliance Management in one
More informationAccenture Risk Management. Industry Report. Life Sciences
Accenture Risk Management Industry Report Life Sciences Risk management as a source of competitive advantage and high performance in the life sciences industry Risk management that enables long-term competitive
More informationSecuring The Cloud With Confidence. Opinion Piece
Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery
More informationTop Priorities for Internal Auditors in U.S. Healthcare Provider Organizations
Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance INTRODUCTION Historic
More informationPROTIVITI FLASH REPORT
PROTIVITI FLASH REPORT HHS Announces Plans to Reconsider Implementation Timeline for U.S. Healthcare Industry s Transition to ICD-10 February 17, 2012 On Wednesday, February 15, the Department of Health
More information