Awareness of Third Party Requirements

Video Transcription
00:00
>> Hello again and welcome to the HCISPP Certification Course with Cybrary, Awareness of Third-Party Requirements. My name is Schlaine Hutchins and I'm your instructor. In this video, we're going to cover information flow mapping and scope, data classification, privacy and security requirements, and risks associated with third parties.

The world in which healthcare entities operate today requires information sharing to coordinate care and provide enhanced offerings to individuals. Security professionals are paramount to helping to identify risks in the flow of information: where it starts, where it travels, where it is stored, and how it's used. Information security professionals can identify risks associated with various technologies and make recommendations on minimizing the risk to the data.

To be able to correctly assess risks surrounding the data, it is important that the primary entity understands the value of its data. It would seem easy to declare that all information is sensitive, but a solid data classification system can help to make decisions that can influence decisions about how to protect the processing, transmission, and storage of the data. As an example, simple names and addresses of patients may be protected at a different level than a database of patients with identified mental illnesses.

Privacy is really the what in this question; it dictates what needs to be protected. Sensitivity and value of the data play an important role. As discussed earlier, not all data is created equal. Some elements are more valuable than others, while others offer value when combined with additional data elements. It is important to consider the rights of the data owner when a primary entity enters into a relationship with a third party. For example, if the data belongs to patients, what risks are introduced to the data by entrusting it to a third party?

Security is the how. It goes hand in hand with privacy, because it determines what protections need to be in place to guard data based on its sensitivity and value, as well as the risk of exposure. It is the primary entity's responsibility to perform due diligence to determine the level of risk introduced by a vendor. This activity should occur not only prior to engaging in a relationship with the vendor, but also throughout the duration of the contract, especially because technology, business processes, and regulations continue to evolve over time.

The risk assessment should take into account the nature of the work performed by the vendor, the amount of sensitive data that will be handled, the frequency of the contact with the data, and the criticality of the vendor to the primary entity's business operations. During the course of the vendor relationship, it is important for the primary entity to oversee and assess the controls that the vendor has implemented. A primary entity has to determine how much oversight is the appropriate amount.

For example, if the vendor invests in audits like a SOC 2 Type 2, and certifications like ISO that appear to provide a high level of competence in its control environment, the primary entity may be able to place more reliance on assessments performed by external entities. Yet, it's always a good practice to ask questions specific to the business relationship and to inspect facilities where work is being performed. For example, when I was in the risk management role, I had the experience of performing an onsite assessment of a vendor who didn't really have a physical location. We ended up conducting the assessment in a hotel conference room. Needless to say, that relationship ended up changing.

It's time for another knowledge check. Information flow mapping includes all except: a) what elements are included in the data, b) where the data is stored, c) how the data is used, or d) where the data starts. The answer is a), what elements are included. True or false? Privacy is how data needs to be protected and security is what data needs to be protected. That answer is false. Privacy is what data needs to be protected, and security is how the data needs to be protected.

In summary, we've covered information flow mapping and scope, data classification, privacy and security requirements, and risks associated with third parties. Thank you for taking this journey with me. Please continue to leverage the supplemental materials as you prepare for your exam. I wish you much success in achieving your certification.