
Message from dgrisham@salud.unm.edu

Back in 2009 Daniel Sarazen (University of Massachusetts) asked the group about requiring SAS70's or third-party assessments of both large and small contracts/companies. Unfortunately, only one person responded to the question about "should an entity require SAS70 or equivalent for large contracts as well as small ones in the $300 range". Once again the question has come up across the security groups here at UNM-HSC. I am curious what other academic health centers' positions are in regard to requiring "third-party analysis of controls" when outsourcing ePHI or PII.

Given the risk of breach costs (reputational, notification, potential fines, etc.) IMHO the risks are too high to not require an independent assessment no matter the size of the contract. There are beneficial smaller services that our researchers and physicians find by companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies does anyone have an alternative assessment process?

-- Do you have an external auditor that you are willing to pay to do an assessment?
-- Do you have internal resources allocated to assess the smaller companies?
-- Other options or processes?

I will forward a summary to the Listserv of any responses I receive. Thank you in advance and have a happy holiday season.

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131, 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927
Work email: dgrisham@salud.unm.edu
Adjunct Faculty, Computer Science, UNM
Academic & personal email: dave@unm.edu

The unauthorized disclosure or interception of e-mail is a federal crime. See 18 U.S.C. Sec. 2517(4). This e-mail is intended only for the use of those to whom it is addressed and may contain information which is privileged, confidential and exempt from disclosure under the law. If you have received this e-mail in error, do not distribute or copy it. Delete it immediately and attachments, if any, and notify me by telephone. Please do not forward or disseminate the information in this written document. ...

Comments

Message from dmarkiew+educause@andrew.cmu.edu

No medical center here but thought I'd chime in anyways. :-)

> IMHO the risks are too high to not require an independent assessment no matter the size of the contract.

Agreed. When evaluating third-parties we request both a SAS70/SSAE16 Type II audit report as well as the results of an independent security assessment. In my experience, both are needed because SAS70s historically have not addressed security in great detail. We don't always get both and end up having to make some risk decisions regarding how to proceed.

> There are beneficial smaller services that our researchers and physicians find by companies that cannot afford SAS70 audits. So, for those smaller contracts with smaller companies does anyone have an alternative assessment process?

Again just speaking from my own experience, a SAS70 can be affordable for a smaller company. We've certainly seen smaller companies that have them. Although in many instances it's actually a SAS70 for a hosting service that the small company is using. Perhaps you're right. I think some companies, particularly in the cloud space, are often just more focused on getting their product to market.

> -- Do you have an external auditor that you are willing to pay to do an assessment?

Generally speaking, we would not pay an external auditor to assess a third-party. We would expect the third-party to pay for this. Even when a vendor does perform independent security testing, we often get pushback when trying to get the results. Most vendors seem willing to provide a summary report but summary reports don't go into much detail. Without some detail it's hard to know the scope of testing, etc.

> -- Do you have internal resources allocated to assess the smaller companies?

We have internal resources that have performed security testing on third-parties when that third-party hasn't had an independent security review completed. We typically try to reserve the right to do our own security testing as part of the contract process. We get pushback on this though. It's also time consuming work and requires the right kind of expertise. We're fortunate that we have the expertise but I'm sure there are plenty of organizations that do not.

> -- Other options or processes?

IMO, a good option is the Shared Assessments Program. If you're not familiar, it's a standard framework for assessing third-party service providers. It has a questionnaire component and a hands-on validation component. The questionnaire is meant to be something completed by a vendor once and shared with multiple customers. The hands-on validation component is fairly prescriptive and is something you could have an internal employee do or something you could hire a third-party to do at what I'm guessing would be minimal cost. It was created for the financial industry but has been expanded for healthcare. There is also interest from both sides on making it work for higher education. The HEISC had a working group evaluate the framework. If I can find a link to the final report, I'll send it along.

http://www.sharedassessments.org/
Message from dgrisham@salud.unm.edu

Thank you Miguel. So far I have about one half-dozen responses. I will summarize back to the group after the responses slow down. Cheers.

-grish
David Grisham

>>> "Soldi, Miguel" 12/12/2011 8:53 AM >>>
Please find attached the final report that Doug mentions at the end.

ms
Miguel Soldi
University of Texas System
Information Security Compliance Office
Phone: 512-499-4217
Email: msoldi@utsystem.edu

The preference is that there is a Type II SAS 70 or SSAE 16 (replaces SAS 70 for periods ending after June 15, 2011), or SOC 2 or SOC 3 report. However, as you've found, there are a lot of useful services that don't have any third-party assessment. For those, we look at them individually and try to evaluate the risk vs. the benefit and try to do some alternative procedures to give some additional comfort on the security of the solution.

At a minimum, they are going to have to sign a Business Associate Agreement and agree to follow HIPAA/HITECH and we are going to ask them to complete a control questionnaire covering between 70 and 120 controls. Of course they could stretch things when they answer the control questionnaire, but we put in the contract a right-to-audit clause so that hopefully they will be less likely to state that they have controls that don't really exist. We have not yet attempted to exercise the right to audit because we've been too busy internally, but I hope to be able to do that in the future.

We have not used an external auditor to do an assessment of a service provider - too expensive. I would also be interested to hear what others do.

Thanks,
David Clift
Information Security & Privacy Office
University of Utah