HCISPP

Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello again and welcome to the HCISPP certification course with Cybrary.
00:06
Third-party assessment and controls. My name is Schlaine Hutchins.
00:13
In this video we will cover the topics of information asset protection controls,
00:19
compliance with protection controls,
00:22
communication of findings.
00:28
Although regulations generally provide guidance on the healthcare data elements that must be protected,
00:35
health care is unique in that it brings together a host of personal information, including not only true healthcare elements
00:43
but also personal and financial information.
00:47
According to the 2019 Trustwave Global Security Report,
00:52
a health care record may be valued at up to $250 per record on the black market,
00:59
compared to $5.40 for the next highest value record, a credit card.
01:06
This creates a temptation for fraud.
01:10
The FBI estimates that health care fraud costs about $80 billion annually.
01:18
According to a recent study by IBM, the average cost of a health care data breach is $7.13 million, which is up 10% from last year.
01:30
Health care organizations continue to have the highest costs associated with data breaches.
01:37
Lost business costs include increased customer turnover,
01:41
lost revenue due to system downtime,
01:44
and the increasing cost of acquiring new business due to diminished reputation.
01:51
The primary entity must determine the level of assessment it will undertake for its third-party vendors.
01:57
For example,
01:59
will it rely on responses to a due diligence questionnaire,
02:02
interview the representatives at the third party, and/or perform an onsite assessment?
02:09
Third-party controls must be at least equal to those that the entity applies to the data, covering the administrative, technical and physical controls.
02:27
When a primary entity or its designated assessor finds issues at a third party,
02:32
these must be communicated to the third party's representatives.
02:38
It's best to do this via a formal meeting where the third party can respond to the findings and agree upon corrective action and mitigation plans with the primary entity.
02:49
The primary entity should have a mechanism to track the findings so that it can follow up with the third party to confirm closure.
02:59
To conduct an assessment but not close the issues
03:01
only gets the primary entity halfway, and one could argue that it puts the primary entity in a worse position, because now there's a known issue that's not addressed.
03:13
The primary entity can close this gap by ensuring remediation activities are documented and tracked to closure.
03:21
In those instances where a serious finding is found,
03:24
the primary entity must consider whether or not it's prudent to continue to do business with the third party.
03:31
Such as in the case of a serious contractual violation,
03:36
it comes down to making a risk-based decision.
03:39
This would be a serious situation, most likely requiring a decision by business and Information Security Senior management at the primary entity.
03:53
Let's do a knowledge check.
03:54
True or false:
03:58
Payment card data is more valuable than health care data on the dark market.
04:10
The answer is false. Health care data is 20 to 40 times more valuable on the dark market.
04:20
True or false:
04:23
Controls at the vendor should be less than or equal to the primary entity's controls.
04:34
That is also false. Controls should be equal to or greater than the primary entity's controls.
04:46
In summary, we covered information asset protection controls,
04:53
compliance with protection controls
04:56
and the communication of findings.
04:59
Stay tuned for the next video.

The HCISPP certification course provides students with the knowledge and skills to successfully pass the certification test needed to become a healthcare information security and privacy practitioner. The course covers all seven domains included on the exam.

Instructed By

Schlaine Hutchins
Director, Information Security / Security Officer
Instructor