Using NIST 800-66 to Achieve HIPAA Security Rule Third-Party Risk Management Compliance

2. Identify Realistic Threats

Objectives: Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.

How Prevalent Helps: Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information. All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives.

3. Identify Potential Vulnerabilities and Predisposing Conditions

Objectives: Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.

How Prevalent Helps: Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.

4.-6. Determine the Likelihood (and Impact) of a Threat Exploiting a Vulnerability; Determine the Level of Risk

Objectives: Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability; Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability; Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.

How Prevalent Helps: The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.

7. Document the Risk Assessment Results

Objectives: Document the results of the risk assessment.

How Prevalent Helps: With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports for dozens of government regulations and industry frameworks, including NIST, HIPAA and many more.

Mapping Prevalent Capabilities to NIST SP 800-66r2 HIPAA Security Rule Requirements

NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. Here we identify specific business associate measures and map Prevalent capabilities that help to satisfy the requirements.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

1. Identify Entities that are Business Associates Under the HIPAA Security Rule

Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment. Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 4. Other Arrangements; and 5. Business Associate Contracts with Subcontracts.

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met

Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments.

When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

3. Written Contract or Other Arrangement

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

Note: This capability can also be used to address 5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a)) – 1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule; and 2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI.

5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a))

3. Contract Must Provide that Business Associates Will Report Security Incidents

In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.

Next Steps for HIPAA Security Rule Compliance Using NIST 800-66

Prevalent can help organizations apply the principles of NIST SP 800-66r2 to address HIPAA Security requirements for business associates. The Prevalent Third-Party Risk Management Platform:

• Delivers comprehensive pre-contract due diligence assessments to calculate the inherent risk that business associates bring to a relationship
• Simplifies contracting processes to ensure that all business associate key performance indicators (KPIs) and ePHI provisions are in place and tracked
• Profiles and tiers all third parties, right-sizing ongoing due diligence according to criticality
• Maps fourth parties to understand risk among subcontractors
• Adds workflow to automate the assessment, risk scoring and remediation process
• Continuously monitors business associates for cyber, business, reputational and financial risk, and correlates risks against assessment results and validate findings
• Automates incident response processes, speeding time to resolution
• Includes compliance and risk reporting by framework or regulation

For specific guidance on how Prevalent can help address the requirements in NIST SP 800-66r2 and support implementing the HIPAA Security Rule, download the complete compliance checklist or request a demo a demo today.