Third Party Assessment and Controls


Course time: 5 hours 25 minutes
Difficulty: Intermediate
CEU/CPE: 6
Video Transcription
00:00
>> Hello again and welcome to the HCISPP certification course with Cybrary, third-party assessment and controls. My name is Schlaine Hutchins. In this video, we'll cover the topics of information asset protection controls, compliance with protection controls, and communication of findings.

Although regulations generally provide guidance on the health care data elements that must be protected, health care is unique in that it brings together a host of personal information, including not only true health care elements, but also personal and financial information. According to the 2019 Trustwave Global Security Report, a health care record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record, a credit card. This creates a temptation for fraud. The FBI estimates that health care fraud costs about $80 billion annually. According to a recent study by IBM, the average cost of a health care data breach is $7.13 million, which is up 10 percent from last year. Health care organizations continue to have the highest cost associated with data breaches. Lost business costs include increased customer turnover, lost revenue due to system downtime, and the increasing cost of acquiring new business due to diminished reputation.

The primary entity must determine the level of assessment it will undertake for its third-party vendors. For example, will it rely on responses to a due diligence questionnaire, interview the representatives at the third party, and/or perform an on-site assessment? Third-party controls must be at least equal to those that the entity applies to the data, covering the administrative, technical, and physical controls.

When a primary entity or its designated assessor finds issues at a third party, those must be communicated to the third party's representatives. It's best to do this via a formal meeting where the third party can respond to the findings and agree upon corrective action and mitigation plans with the primary entity. The primary entity should have a mechanism to track the findings so that it can follow up with the third party to confirm closure. To conduct an assessment but not close the issue only gets the primary entity halfway, and one could argue that it puts the primary entity in a worse position, because now there is a known issue that's not addressed. The primary entity can close this gap by ensuring remediation activities are documented and tracked to closure.

In those instances where a serious finding is found, the primary entity must consider whether or not it's prudent to continue to do business with the third party, such as in the case of a serious contractual violation. It comes down to making a risk-based decision. This would be a serious situation, most likely requiring a decision by business and information security senior management at the primary entity.

Let's do a knowledge check. True or false: payment card data is more valuable than health care data on the dark market? That answer is false. Health care data is 20-40 times more valuable on the dark market. True or false: controls at the vendor should be less than or equal to the primary entity controls? That is also false. Controls should be equal to or greater than the primary entity controls.

In summary, we covered information asset protection controls, compliance with protection controls, and the communication of findings. Stay tuned for the next video.