Third Party Risk Management


Course
Time
5 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
6
Video Transcription
>> Hello again and welcome to the HCISPP Certification course with Cybrary, Third-Party Risk Management. My name is Charlene Hutchins. Today we're going to talk about primary entity, third party, and accountability.

As we've discussed throughout this course, health care involves a variety of stakeholders, each of whom has a responsibility to safeguard the sensitive data that is entrusted to it. If you will recall from earlier in the course, the entity that has a direct relationship with the patient is referred to as the primary entity. That could be a doctor, a hospital, a pharmacy, or a health insurance company or payer. Any entity to which the primary entity sources a function or multiple functions is considered a third-party vendor.

The expectation for the third-party vendors who create, access, store, or process health information is that they must protect the information at the same level as or greater than the primary entity, though this does not absolve the primary entity of any responsibility for due diligence.

Vendors in the healthcare space can be as varied as a company that performs hardware destruction to one that handles medical claims processing, billing, or collections. Just as in other industries, vendor arrangements can vary, and each of them comes with a certain level of risk, such as the location of the services: either on site at the primary entity's facility (for example, nurses provided by a temporary agency), or off-site at the third-party vendor's facility, either within the primary entity's country or in a foreign country, often referred to as offshore. Or the service offerings: business process outsourcing (for example, medical transcription services), information technology outsourcing (for example, systems development and maintenance), or even Cloud services, such as Software as a Service, Infrastructure as a Service, and Platform as a Service.

As mentioned previously, because sharing information is vital to ensuring that health care delivery provides for the needs of the individual, security and privacy of health care data poses some unique challenges. For example, the government of a health insurer or payer requires information to be able to pay for the delivery of care. Providers must be capable of securely sharing patient information. Coordination among providers is required to give individuals the appropriate level of care. Although the data needs to be protected, care depends on some level of openness to the data to be efficient and effective.

At each step along the health care continuum, there are risks that must be anticipated and mitigated. When third parties are added to the mix, additional risk is introduced. It is precisely that risk which the HCISPP professional can help to identify, communicate, and manage.

The accountability for protection of health information ultimately lies with the primary entity. However, regulators are becoming more aware of the risks posed by downstream vendors. There are countless examples in the media of vendors who have caused data leakage or data breaches. It's important for a primary entity to ensure that its third-party vendors understand the laws and regulations to which the entity is held and to which compliance is expected of the vendor. Those regulations vary by country, state, or province. Many regulations impose harsher penalties if there is negligence. It's important to keep a close watch over issues identified at a vendor to ensure they are corrected in an appropriate and timely manner. The organization that collected the PHI originally is responsible for it even after it is passed on to a third party.

Time for a knowledge check. Third parties can either:

a. introduce additional risks to an organization if not properly assessed and monitored;
b. alleviate an organization of responsibility during a protected health information breach;
c. not outsource processing, storage, or transmission of sensitive PHI regardless of contract requirements; or
d. only operate in countries where the original party resides.

Which is the best answer?

Did you guess a? Third parties can introduce additional risk.

In summary, we talked about primary entities, third parties, and accountability. See you in the next video.