Managing Third Party Relationships

Course: 5 hours 25 minutes, Intermediate, 6 CEU/CPE
Video Transcription
00:00
>> Hello again and welcome to the HCISPP certification course with Cybrary, managing third-party relationships. I'm your instructor, Schlaine Hutchins. In today's video, we're going to talk about relationship management and comprehending compliance requirements.

Once the decision has been made to engage a third-party vendor, a contract becomes the key tool. As we talked about before, contracts with third parties are a critical component of the vendor management life cycle. Under HIPAA, third-party vendors are classified as business associates and must execute a business associate agreement that spells out privacy and security compliance expectations. On the HHS website, template language is provided for the provisions that belong in a business associate agreement. In addition to the BAA, many primary entities also would like to have additional contractual provisions to be more specific about security requirements.

Contracts should also articulate the terms that cover the primary entity's expectations regarding the following: compliance with applicable privacy and security laws and regulations; consideration for administrative, physical, and technical controls; how much notice a primary entity has to give before conducting an audit; what time frame the vendor must adhere to for notifying the primary entity in the event of a breach; and whether the entity will notify its customers or that will be the responsibility of the vendor.

Additionally, terms should be drafted concerning where the data will be accessed, processed, or stored. It's important to know the specific locations and ensure that the vendor will notify the primary entity if there is a need to add, change, or remove a location. It's important to set the expectation upfront as to whether an activity can be performed in another country or not. Understanding which countries are on the sanctions list for conducting transactions is also important. Understanding if a vendor has a location in other countries, or if your data will be routed to or stored in a data center in a different country, is important to identify upfront.

Whether the data will be returned or destroyed when the contract is terminated should be defined in the terms of agreement. If the data will not be returned, the expectation is that the third party will protect the data at the same level as under an in-force contract.

The primary entity should know whether the vendor will be using its own employees, contracted labor, or a combination of both. They should also know what's included in the background check: for example, a criminal history, credit history, drug testing, or educational background. The expectation of employee training should be in the terms of agreement as well: how the vendor provides specific training regarding special considerations for the handling of health care information, and how often refresher training is mandated.

Additional considerations are the ability of the vendor to subcontract work. The primary entity may require that it pre-approve any subcontractor that the vendor wishes to use to carry out the entity's work. If the primary entity is unaware of these relationships, it can introduce unnecessary risk.

Business continuity and disaster recovery plans should also be in the terms of agreement. These are terms that define the time frame in which the vendor's function must be recovered in the event of a disaster, how the vendor will notify the primary entity if a major outage or disaster occurs, and whether the vendor is prepared to move the work if its facility is unavailable.

In the event that a vendor relationship crosses international borders, it is important to understand the laws under which both the primary entity and the vendor operate and how they affect the protection of health information. In addition, primary entities will want to consider whose laws they will be held to in the event that an incident occurs that requires law enforcement to investigate or prompts some sort of legal action. It's also important to consider the attitudes about security and privacy in other countries. Do those attitudes and societal norms match those of the primary entity's country? Is the country's political system favorable or unfavorable towards security and privacy of personal information?

It's time for a knowledge check. True or false? Third-party agreements should include rights to audit. That answer is true.

The blank is most responsible to perform due diligence to determine the level of risk introduced by a vendor or third party. Is the answer (a) a sub-vendor, (b) a third-party assessor, (c) a business associate, or (d) the primary entity? That's (d), the primary entity.

True or false? Employee background checks should be included in third-party agreements. Once again, that answer is true.

In summary, what we covered were relationship management and comprehending compliance requirements. Stay tuned for the next video.