Hello again and welcome to the HCISPP certification course with Cybrary: Third Party Assessment and Controls. My name is Shalane Hutchins.
In this video we will cover the topics of information asset protection controls,
compliance with protection controls,
and communication of findings.
Although regulations generally provide guidance on the healthcare data elements that must be protected,
health care is unique in that it brings together a host of personal information, including not only true healthcare elements
but also personal and financial information.
According to the 2019 Trustwave Global Security Report,
a health care record may be valued at up to $250 per record on the black market,
compared to $5.40 for the next highest value record, a credit card.
This creates a temptation for fraud.
The FBI estimates that health care fraud costs about $80 billion annually.
According to a recent study by IBM, the average cost of a health care data breach is $7.13 million, which is up 10% from last year.
Health care organizations continue to have the highest costs associated with data breaches.
Lost business costs include increased customer turnover,
lost revenue due to system downtime,
and the increasing cost of acquiring new business due to diminished reputation.
The primary entity must determine the level of assessment it will undertake towards third-party vendors.
Will it rely on responses to a due diligence questionnaire,
interview the representatives at the third party, and/or perform an onsite assessment?
Third-party controls must be at least equal to those that the entity applies to the data, covering the administrative, technical and physical controls.
When a primary entity or its designated assessor finds issues at a third party,
they must be communicated to the third party's representatives.
It's best to do this via a formal meeting where the third party can respond to the findings and agree upon corrective action and mitigation plans with the primary entity.
The primary entity should have a mechanism to track the findings so that it can follow up with the third party to confirm closure.
To conduct an assessment but not close the issue
only gets the primary entity halfway, and one could argue that it puts the primary entity in a worse position, because now there's a known issue that's not addressed.
The primary entity can close this gap by ensuring remediation activities are documented and tracked to closure.
In those instances where a serious finding is revealed,
the primary entity must consider whether or not it's prudent to continue to do business with the third party,
such as in the case of a serious contractual violation.
It comes down to making a risk-based decision.
This would be a serious situation, most likely requiring a decision by business and information security senior management at the primary entity.
Let's do a knowledge check.
Payment card data is more valuable than health care data on the dark market.
The answer is false: health care data is 20 to 40 times more valuable on the dark market.
Controls at the vendor should be less than or equal to the primary entity's controls.
That is also false. Controls should be equal to or greater than the primary entity's controls.
In summary, we covered information asset protection controls,
compliance with protection controls,
and the communication of findings.
Stay tuned for the next video.