SecureGRC: Unification of Security Monitoring and IT-GRC
Enterprise Vendor Management, a Compliance and Information Security Strategy
In today's business environment, vendors play an important role in the success of a business. They
are strategic partners who can help boost the overall performance of the enterprise.
Not every vendor, however, contributes equally to that success, so organizations
need to scrutinize prospects before selecting a suitable vendor. Nor does it stop
there: even after a vendor has been selected, effective vendor management is essential to ensure
success.
With the Omnibus Final Rule in effect since March 26, 2013, the Business Associates of a
Covered Entity are also directly subject to the applicable rules, such as the Breach Notification Rule,
the HIPAA Security Rule, and the HIPAA Privacy Rule. Under these rules a Business Associate, like
a Covered Entity, must comply with the applicable standards, implementation specifications,
and requirements with respect to the electronic protected health information of a Covered Entity.
This is necessary to ensure the confidentiality, integrity, and availability of all protected health
information, in physical or electronic form, that a Covered Entity or a Business Associate
creates, receives, maintains, or transmits.
Failure to comply with any of the requirements of the HIPAA/HITECH regulations may lead
to civil monetary penalties of up to $1.5 million per calendar year for violations of an identical
provision, potential lawsuits, and criminal prosecution. Therefore, healthcare practitioners and
providers, collectively known as covered entities, need a vendor management solution to know how
far their vendors and Business Associates have progressed in their compliance efforts.
An IT Compliance Management solution helps automate the security and compliance
management process for all external vendors and sub-contractors. This gives covered entities
full visibility into, and control over, the security and compliance posture of all their
vendors. Vendor management for HIPAA/HITECH is a simple process:
1. Covered Entity completes a HI-SCAN 25-question assessment of all Business Associates
(HI-SCAN is a quick technique that uses a short, simple-to-use question set to gauge a
Business Associate's level of security and compliance with HIPAA/HITECH regulations).
The assessment involves four steps:
· Input all Business Associates into the HI-SCAN tool
· Send the assessment to the Business Associates
· Business Associates answer the questions online
· Covered Entity reviews the responses and generates a quick compliance report
that identifies remedial actions
2. Pursue the high-risk exposure Business Associates with a full assessment
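The two-step process above (short questionnaire for every Business Associate, full assessment only for the high-risk ones) can be run as a small triage script. The following is an added example written for this page, not HI-SCAN or any vendor's code; the seven questions, their weights, the risk thresholds and the three sample Business Associates are all constructed for illustration, since the page does not list HI-SCAN's actual 25 questions. One deliberate choice: an unanswered question counts as a gap, so a Business Associate cannot lower its score by leaving questions blank.

```python
"""Questionnaire-based triage of Business Associates (BAs).

Constructed example of a two-step HIPAA/HITECH vendor triage: score each
BA's short-form questionnaire, list a remedial action for every gap, and
flag high-risk BAs for a full assessment. The question set, weights and
thresholds are assumptions, not HI-SCAN's real content.
"""
from dataclasses import dataclass

# Constructed question set: (question, weight, remedial action if not "yes").
QUESTIONS = {
    "Q1": ("Signed Business Associate Agreement (BAA) in place", 3,
           "Execute a BAA covering permitted uses of ePHI and breach reporting"),
    "Q2": ("Security risk analysis performed in the last 12 months", 3,
           "Perform and document a risk analysis (45 CFR 164.308(a)(1)(ii)(A))"),
    "Q3": ("ePHI encrypted at rest and in transit", 3,
           "Encrypt ePHI data stores and all transport channels"),
    "Q4": ("Unique user IDs and audit logging on systems holding ePHI", 2,
           "Enforce unique accounts and retain access logs for ePHI systems"),
    "Q5": ("Documented and tested breach notification procedure", 2,
           "Write and exercise a breach notification procedure"),
    "Q6": ("Subcontractors with ePHI access bound by written agreements", 2,
           "Put agreements in place with every downstream subcontractor"),
    "Q7": ("Annual HIPAA workforce training completed", 1,
           "Deliver and record annual HIPAA workforce training"),
}
TOTAL_WEIGHT = sum(weight for _, weight, _ in QUESTIONS.values())
HIGH_RISK = 0.50    # assumed thresholds: share of control weight that is unmet
MEDIUM_RISK = 0.25


@dataclass
class VendorReport:
    name: str
    risk_score: float        # 0.0 = every control met, 1.0 = none met
    rating: str              # "low", "medium" or "high"
    remedial_actions: list   # one entry per unmet control
    full_assessment: bool    # step 2: pursue this BA with a full assessment


def score_vendor(name, answers):
    """Score one BA. Any answer other than "yes", including a question left
    unanswered, counts as a gap, so an incomplete questionnaire cannot pass."""
    gaps = [qid for qid in QUESTIONS
            if answers.get(qid, "").strip().lower() != "yes"]
    unmet = sum(QUESTIONS[qid][1] for qid in gaps)
    score = unmet / TOTAL_WEIGHT
    if score >= HIGH_RISK:
        rating = "high"
    elif score >= MEDIUM_RISK:
        rating = "medium"
    else:
        rating = "low"
    actions = [f"{qid}: {QUESTIONS[qid][2]}" for qid in gaps]
    return VendorReport(name, score, rating, actions, rating == "high")


def triage(responses):
    """responses maps BA name -> {question id: answer}. Returns reports with
    the riskiest BA first, so the follow-up list is the head of the output."""
    reports = [score_vendor(name, ans) for name, ans in responses.items()]
    return sorted(reports, key=lambda r: r.risk_score, reverse=True)


# Constructed sample responses standing in for the online questionnaire.
SAMPLE_RESPONSES = {
    "Acme Billing": {q: "yes" for q in QUESTIONS},
    "Cloud Backup Co": {"Q1": "yes", "Q2": "yes", "Q3": "no", "Q4": "yes",
                        "Q5": "yes", "Q7": "yes"},            # Q6 unanswered
    "Transcription LLC": {"Q1": "no", "Q2": "no", "Q3": "no", "Q4": "yes",
                          "Q5": "no", "Q6": "yes", "Q7": "yes"},
}

if __name__ == "__main__":
    for r in triage(SAMPLE_RESPONSES):
        flag = "FULL ASSESSMENT" if r.full_assessment else ""
        print(f"{r.name:18} {r.rating:6} {r.risk_score:.2f} {flag}")
        for action in r.remedial_actions:
            print(f"    - {action}")
```

Running the script prints the three sample Business Associates riskiest first, with a remedial action per gap; only "Transcription LLC" crosses the assumed high-risk threshold and is flagged for the full assessment of step 2. Weighting the questions by the severity of the missing safeguard is what keeps the triage from treating a missing training record the same as unencrypted ePHI.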
Deploying a vendor management solution is thus a form of vulnerability management: it lets a
covered entity quickly assess and manage the security and compliance levels of its own organization
and its Business Associates.
Related Links – HIPAA compliance management