Cliff Baker, Managing Partner, Meditology Services
LeeAnn Foltz, JD, Compliance Resource Consultant, Wolters Kluwer Law & Business
Intelligent Vendor Risk Management
Agenda
■ Why it’s Needed
‒ Regulatory
‒ Breach
■ Challenges with Current Approaches
■ Developing an Intelligent Program
‒ Profiling
‒ Conducting Due Diligence
‒ Managing and Mitigating Risk
‒ Continuous Monitoring
■ Questions and Answers
WHY IT’S NEEDED
Regulatory Requirements
■ HIPAA 164.314(a)(1)(i)
‒ Requires BAAs be in place specifying the obligations of the BA with respect to privacy and security controls
■ HIPAA 164.314(a)(1)(ii)
‒ Requires covered entities to take risk management action if the BA materially breaches its obligations under the contract
■ PCI DSS 12.8.4
‒ Requires that a program be maintained to monitor service providers' PCI DSS compliance status at least annually
■ Breach Notification
‒ 47 states have security breach notification laws
‒ HITECH requires BAs to notify both the Covered Entity (HITECH § 13402) and the affected individuals (HITECH § 13404 (a))
Regulatory Penalties
■ Increased civil monetary penalties under HITECH
‒ Violation not known (despite due diligence): Remains at $100/violation to $25,000 maximum
‒ Violation due to “reasonable cause”: Increased to $1,000/violation to $100,000 maximum
‒ Violation due to “willful neglect”: Increased to $500,000/violation to $1.5 million maximum
■ HITECH also granted State Attorneys General the ability to impose civil penalties
■ It’s already happening:
‒ Large hospital in the northeast was fined $750,000 by the State’s Attorney General’s office on May 24th
‒ The breach directly implicated the hospital’s BA when an unencrypted backup tape was stolen
‒ The hospital did not have a BAA with the vendor
Healthcare Breaches
■ Breaches have been “on the rise” since reporting became a requirement in September 2009.
■ Based on HHS breach data:
‒ 28% of breaches implicated a BA
‒ ~60% of records breached implicated a BA
■ The Ponemon Institute estimates the cost of a breach at $194/record
‒ ~$24.5M for the average organization
[Chart: Breaches affecting >500 individuals reported to HHS, split by whether a Business Associate was involved (No Business Associate vs. Business Associate Involved)]
CHALLENGES WITH TODAY’S APPROACHES
The “Wide Net” Approach
Under the “wide net” approach, each vendor undergoes some questionnaire or audit to evaluate risk
■ Difficult to do at scale
‒ 20 - 30 hours of internal analysis per questionnaire
‒ $20k - $30k in fees (real or based on internal resources’ time) per audit
‒ For an average organization of 100 vendors, ~1 FTE in managing questionnaires and $250k in audit fees of vendors per year
■ Cost of monitoring existing vendors
‒ If you’re not following up, how do you know when things change that affect risk?
No Transparency
■ Vendors have their own vendors (“sub-contractors”)
■ There is little to no transparency in each vendor’s relationships
‒ What does the sub-contractor have access to?
‒ What does the vendor do to ensure adequate security and privacy?
‒ What is the risk of the sub-contractor?
DEVELOPING AN INTELLIGENT PROGRAM
Effective 4-Step Approach
■ Profiling: classify vendors by inherent risk
■ Conducting Due Diligence: focus time and money on the highest risks
■ Mitigating Risk: document and manage outstanding risks
■ Continuous Monitoring: periodically reevaluate high risk vendors
© 2012 Corl Technologies, Atlanta, GA. All Rights Reserved
1. Profiling
OBJECTIVE
■ To quickly and efficiently identify high risk vendors, in order to either pre-emptively avoid the risk or focus the organization’s limited resources on the risky vendors.
IMPLEMENTATION
■ Likelihood
‒ Factors that increase the probability the vendor will experience or cause a breach
■ Impact
‒ If the vendor experiences a breach, the loss (dollars, downtime) the organization can expect to incur
Risk = Impact + Likelihood
1. Profiling—Likelihood
Factors to consider:
Size
• Measured by number of employees
• Companies with 1 to 100 employees experienced 60% of all reported data breaches from 2009 to 2011
Leadership
• Security leadership and team
• LinkedIn did not have a CIO or CISO prior to their breach
Industry Classification
• The primary industry served by the organization
• Hospitality (40%), retail (25%) and financial services (22%) experience more breaches
Breach History
• The frequency and nature of previous breaches
• 95% of breaches were avoidable through simple or intermediate controls
• 74% of organizations that experienced two or more breaches experienced the second breach within 6 months
Sources: Verizon 2011 and 2012 Data Breach Investigations Reports; HHS Breaches Affecting 500 or More Individuals
1. Profiling—Impact
■ Does the vendor access sensitive or confidential data (e.g., PII, PHI)?
■ Does the vendor directly access (logically) the organization’s internal systems?
■ Does the vendor provide customer facing products or services?
■ Does the vendor have direct physical access to the organization’s property or facilities?
■ How difficult is it to replace the solution or service at a later date?
■ Does the vendor utilize offshore facilities?
■ Longevity of solution or service (length of expected or current contract)?
■ What is the total annual spend with the vendor?
2. Conducting Due Diligence
[Figure: due diligence activity by risk of Business Associate: Critical → On-site Audit; High → Remote Review; Moderate-High → Questionnaire]
OBJECTIVE
■ To focus additional due diligence efforts on the riskiest vendors through a tiered approach.
IMPLEMENTATION
■ Critical risk vendors undergo an on-site audit
■ High risk vendors complete a questionnaire and provide supporting evidence via interviews and documentation reviews
■ Moderate-high risk vendors complete a self-assessment questionnaire
2. Due Diligence—Development
■ Audit programs and questionnaires should be based on industry standards
‒ OCR HIPAA Audit Program (HIPAA Security, Breach Notification, Privacy)
‒ HITRUST CSF and Certification
‒ NIST 800-53
‒ ISO 27002
■ Example areas to address:
‒ Auditing and Logging
‒ Access Management
‒ Authentication
‒ BCP / DR
‒ Configuration Management
‒ Data Protection (i.e., Encryption)
‒ Malware Protection
‒ Network Security
‒ Third Party Management
‒ Vulnerability Management
3. Mitigating Risk
OBJECTIVE
■ To take the appropriate action to manage and reduce the risk to the organization presented by the vendor.
IMPLEMENTATION
■ Develop and implement a process to review risks and agree to corrective actions
[Process flow: Due Diligence Results → Identify and Rank Control Gaps → Request the BA to Correct Gaps → Corrected? Yes: End; No: Request BA Develop Corrective Action Plan (CAP) → Agree to CAP Timeline and Milestones → Complete Risk Acceptance for Term of CAP Items → Monitor Risk]
3. Mitigating Risk—CAP
■ A corrective action plan (CAP) should be developed and agreed to between the organization and vendor for high risk gaps
‒ Gap description
‒ Remediation description
‒ Milestones
■ Formally document the acceptance of risk for the duration of the corrective actions
‒ The nature of the gap
‒ The risk to the business
‒ The vendor associated
‒ Due date(s)
‒ Individual(s) responsible
‒ Resources required
‒ The risk manager responsible
‒ The business owner responsible
‒ The term of the acceptance
4. Continuous Monitoring
OBJECTIVE
■ To periodically re-evaluate the vendor to ensure risks do not increase and milestones, if any, are being met.
IMPLEMENTATION
■ Based on the vendor’s risk classification, determine if changes in risk have occurred since the last review
Vendor Classification: Moderate to Low risk Vendors
‒ Monitoring Activities: Re-profile vendor for basic changes in inherent risk, including recent breaches, financial performance, and mergers and acquisitions
‒ Monitoring Frequency: Once per year or on notice of a major event
Vendor Classification: Moderate-High to Critical Vendors
‒ Monitoring Activities: Re-profile vendor for basic changes in inherent risk. Review the status of corrective actions to ensure deadlines and milestones are met.
‒ Monitoring Frequency: Once per quarter to once per year depending on corrective actions, or on notice of a major event
4. Continuous Monitoring—Tracking
■ Develop a schedule to track and manage the review activities for each vendor including:
‒ Vendor name
‒ Product or service provided
‒ The internal department
‒ The business owner
‒ The risk manager
‒ The vendor point of contact
‒ The risk profile as determined through the first step
■ Ensure risk acceptance and CAP documentation is updated accordingly
‒ Due diligence taken (if any)
‒ Risk management actions agreed to (if any)
‒ The next review date
‒ The contract terms (start date, end date, and renewal terms)
Summary
An effective vendor risk management program is comprised of four key steps:
1. Profile—classify vendors by inherent risk (likelihood of a breach + impact to the organization) to determine where to focus
2. Conduct Due Diligence—additional due diligence (self-assessment questionnaires, remote reviews, on-site audits) should be performed for high risk vendors
3. Mitigate Risk—develop and agree to a corrective action plan with the vendor and formally document accepted risk
4. Monitor Risk—periodically check up on vendors to determine changes in risk
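As an added worked example (not part of the deck or its authors' material), the following Python sketch turns the four steps into code: profiling with Risk = Impact + Likelihood over the factors listed above, tiering the score into the due diligence activities, and the monitoring check for vendors due for re-profiling or with overdue CAP milestones. The point values, tier thresholds, review intervals and the two sample vendors are assumptions; the deck gives the factors and the formula but no weights.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Point values, thresholds and intervals are assumptions for illustration: the deck
# gives the factors and Risk = Impact + Likelihood, but no weights or cut-offs.
LIKELIHOOD_POINTS = {"under_100_employees": 3, "no_security_leadership": 2,
                     "high_breach_industry": 1, "breach_in_last_6_months": 3}
IMPACT_POINTS = {"accesses_phi_or_pii": 3, "logical_access_to_internal_systems": 2,
                 "physical_access_to_facilities": 1, "hard_to_replace": 1,
                 "offshore_facilities": 1}
# (minimum risk score, tier, due diligence activity, monitoring interval in days)
TIERS = [(9, "Critical", "on-site audit", 90), (6, "High", "remote review", 180),
         (4, "Moderate-High", "self-assessment questionnaire", 365),
         (0, "Moderate-Low", "re-profile only", 365)]

@dataclass
class Vendor:
    name: str
    attributes: set                  # factor names above that apply to the vendor
    last_review: date
    cap_milestones: dict = field(default_factory=dict)  # milestone -> due date
    major_event: bool = False        # breach, M&A or financial trouble since review

def profile(v):
    """Step 1: likelihood and impact from inherent factors; Risk = Impact + Likelihood."""
    likelihood = sum(p for f, p in LIKELIHOOD_POINTS.items() if f in v.attributes)
    impact = sum(p for f, p in IMPACT_POINTS.items() if f in v.attributes)
    return likelihood, impact, likelihood + impact

def classify(risk):
    """Step 2: map the risk score to (tier, due diligence activity, review interval)."""
    return next(t for t in TIERS if risk >= t[0])[1:]

def monitoring_actions(v, today):
    """Step 4: list why the vendor needs attention now, if at all."""
    tier, diligence, interval = classify(profile(v)[2])
    reasons = []
    if v.major_event or today >= v.last_review + timedelta(days=interval):
        reasons.append("re-profile")
    overdue = sorted(m for m, due in v.cap_milestones.items() if due < today)
    if overdue:  # step 3 output feeds monitoring: CAP milestones must be met
        reasons.append("overdue CAP milestones: " + ", ".join(overdue))
    return tier, diligence, reasons
AS_OF = date(2012, 6, 1)  # constructed review date for the sample run
def sample_vendors():
    """Two constructed vendors (not from the deck) to exercise the program."""
    return [Vendor("Tape Backup Co", {"under_100_employees", "no_security_leadership",
                   "accesses_phi_or_pii", "physical_access_to_facilities"},
                   date(2012, 1, 15), {"encrypt backup tapes": date(2012, 5, 1)}),
            Vendor("Cafeteria Supplier", {"high_breach_industry"}, date(2012, 1, 15))]
```

Calling `monitoring_actions(sample_vendors()[0], AS_OF)` places the backup vendor in the Critical tier and flags both an overdue re-profile and the missed "encrypt backup tapes" milestone; the cafeteria supplier scores Moderate-Low and needs nothing until its annual review.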
QUESTIONS AND ANSWERS
Thank you for your time and attention.
Cliff Baker, Meditology Services
Cliff.baker@meditologyservices.com
www.meditologyservices.com
www.corltech.com
LeeAnn Foltz, Wolters Kluwer Law & Business
leeann.foltz@wolterskluwer.com
www.wolterskluwer.com