Maintain a List of Third Party Organizations
Video Transcription
00:00
>> Hello again and welcome to the HCISPP certification course with Cybrarians. Maintain a list of third-party organizations. I'm your instructor, Schlaine Hutchins. In today's video, we're going to discuss health information use, process, storage, and transmission, and we will review third-party roles and relationships with the organization.

Let's get started. A key responsibility of the primary entity is to know who its vendors are and what function or functions they perform on behalf of the organization. The information security professionals should establish a collaborative and ongoing relationship with the areas of the organization responsible for procurement, contracting, and accounts payable. Those areas have a definite need for maintaining an inventory of vendors. Once there is an inventory, the information security professional can begin to pair that with other information to create an overall picture of a vendor and identify specific types of risks that may be introduced. For example, the criticality of the vendor to health care delivery, the amount and type of data to which the vendor has access, the frequency with which the data is shared with the vendor, and the way in which the vendor accesses sensitive data are all valuable inputs in determining risk calculation.

Because healthcare data is so personal to an individual and highly regulated, it's imperative that the primary entity spell out for the third-party vendor the terms and conditions under which the data may be used, how it must be protected for transmission, and where and how it can be accessed and stored.

A key ally for the security professional is the primary entity business owner, who will maintain the day-to-day relationship with the vendors. This individual can become the eyes and ears in terms of changes at the vendor that could impact security controls. This does require investment on the part of the security professional to ensure that the business owner understands major security risks.

Also, the relationship that the primary entity has with the vendor is important to watch because it can help a security professional understand potential risks. For example, is the relationship established or not? Is the vendor performing a core service in parallel with the primary entity, or has the primary entity elected to completely outsource a core service? Is the vendor meeting expectations of the business owner in regards to SLAs, or service level agreements?

What other considerations can help you identify potential risks? Well, some other considerations could be: how long has the vendor been in business performing these functions as a company? How financially sound is the vendor? What is the vendor's employee retention rate? What certifications or attestations, such as the SOC 2 Type 2 report or a SOC 1 report, does the vendor have?

This diagram demonstrates the need for the HCISPP professional to understand the business of health care and how security can help to minimize risks while allowing delivery of care to succeed. Security professionals who can make the connection between the business and technology and communicate well are in the best position to articulate risk. Legal professionals provide legal counsel regarding regulatory and contractual matters. Procurement negotiates with third-party vendors and understands the vendor landscape. The primary business owner maintains the operational relationship with the third-party vendor.

In summary, what we talked about today was health information use, process, storage, and transmission, and the third-party roles and relationships with the organization. Stay tuned for the next video.