
NIST SP 800-66 Compliance

Simplify HIPAA Security Rule Assessments

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-66 was developed to help healthcare delivery organizations (HDOs) understand the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and provide a framework to support its implementation.

The HIPAA Security Rule applies to any organization that creates, receives, maintains, or transmits electronic protected health information (ePHI), whether it is a covered entity or a business associate (e.g., a third-party vendor, supplier or partner acting on a covered entity's behalf). The rule requires these organizations to:

  • Ensure the confidentiality, integrity, and availability of all ePHI that they create, receive, maintain, or transmit
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information
  • Protect against impermissible uses or disclosures of ePHI that are reasonably anticipated
  • Ensure compliance by their workforce

Adhering to the guidelines and best practices in NIST 800-66r2 will help healthcare organizations simplify their HIPAA Security Rule compliance.

Relevant Requirements

  • Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate

  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

The NIST 800-66 Third-Party Compliance Checklist

Learn about SP 800-66 HIPAA Security Rule risk assessments and management guidance for third-party business associates.


Understanding the HIPAA Security Rule

NIST SP 800-66r2 describes seven steps (adapted from the NIST SP 800-30 risk assessment methodology) to include in a comprehensive HIPAA Security Rule risk assessment process. The table below maps Prevalent solution capabilities to each step, illustrating how a third-party risk management solution can help to address these best practices.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

Recommended Steps & Tasks | How We Help

1. Prepare for the Assessment

Understand where ePHI is created, received, maintained, processed or transmitted.

Define the scope of the assessment.

Prevalent partners with you to build a comprehensive third-party risk management (TPRM) program based on proven best practices and extensive real-world experience. Our experts collaborate with your team on defining and implementing TPRM processes and solutions; selecting risk assessment questionnaires and frameworks; and optimizing your program to address the entire third-party risk lifecycle – from sourcing and due diligence, to termination and offboarding.

Prevalent can identify fourth-party and Nth-party subcontracting relationships by conducting a questionnaire-based assessment or by passively scanning the third party’s public-facing infrastructure. The resulting relationship map depicts information paths and dependencies that could expose your environment to risk. Suppliers discovered through this process are continuously monitored for financial, ESG, cyber, business, and data breach risks, as well as for sanctions/PEP screening.

Once third and fourth parties are identified, you can leverage the 200+ pre-defined assessment templates available in the Prevalent Platform to assess third-party business associates against NIST, HIPAA or other requirements.

2. Identify Realistic Threats

Identify the potential threat events and threat sources that are applicable to the regulated entity and its operating environment.

Prevalent continuously tracks and analyzes external threats to third parties. The solution monitors the Internet and dark web for cyber threats and vulnerabilities, as well as public and private sources of reputational, sanctions and financial information.

All monitoring data is correlated to assessment results and centralized in a unified risk register for each vendor, streamlining risk review, reporting and response initiatives. Monitoring sources include:

  • 1,500+ criminal forums; thousands of onion pages; 80+ dark web special access forums; 65+ threat feeds; and 50+ paste sites for leaked credentials — as well as several security communities, code repositories, and vulnerability databases covering 550,000 companies
  • A database with 10+ years of breach history for thousands of companies
  • 550,000 public and private sources of reputational information, including M&A activity, business news, negative news, regulatory and legal information, operational updates, and more
  • A global network of 2 million businesses with 5 years of organizational changes and financial performance
  • 30,000 global news sources
  • A database containing over 1.8 million politically exposed person profiles
  • Global sanctions lists and 1,000+ enforcement lists and court filings

3. Identify Potential Vulnerabilities and Predisposing Conditions

Use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases.

Prevalent normalizes, correlates and analyzes information across inside-out risk assessments and outside-in monitoring. This unified model provides context, quantification, management and remediation support for risks. It also validates the presence and effectiveness of internal controls with external monitoring.

4.-6. Determine the Likelihood and Impact of a Threat Exploiting a Vulnerability, and Determine the Level of Risk

Determine the likelihood (Very Low to Very High) of a threat successfully exploiting a vulnerability.

Determine the impact (operational, individual, asset, etc.) that could occur to ePHI if a threat event exploits a vulnerability.

Assess the level of risk (Low, Medium, High) to ePHI, considering the information gathered and determinations made during the previous steps.

The Prevalent Platform enables you to define risk thresholds and categorize and score risks based on likelihood and impact. The resulting heat map enables teams to focus on the most important risks.

7. Document the Risk Assessment Results

Document the results of the risk assessment.

With Prevalent, you can generate risk registers upon survey completion, integrating real-time cyber, business, reputational and financial monitoring insights to automate risk reviews, reporting and response. From the risk register, you can create tasks related to risks or other items; check task status via email rules linked to the platform; and leverage built-in remediation recommendations and guidance.

The solution automates third-party risk management compliance auditing by collecting vendor risk information, quantifying risks, and generating reports for dozens of government regulations and industry frameworks, including NIST, HIPAA and many more.

Mapping Prevalent Capabilities to NIST SP 800-66r2 HIPAA Security Rule Requirements

NIST SP 800-66r2 presents security measures that are relevant to each standard of the HIPAA Security Rule. The table below identifies specific business associate measures and maps Prevalent capabilities that help to satisfy the requirements.

NOTE: This information is presented as summary guidance only. Organizations should review NIST 800-66r2 and HIPAA Security Rule requirements in full on their own in consultation with their auditors.

Key Activity & Description | How We Help

5.1.9 Business Associate Contracts and Other Arrangements (§ 164.308(b)(1))

HIPAA Standard: A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

1. Identify Entities that are Business Associates Under the HIPAA Security Rule

  • Identify the individual or department who will be responsible for coordinating the execution of business associate agreements or other arrangements.

  • Reevaluate the list of business associates to determine who has access to ePHI in order to assess whether the list is complete and current.

  • Identify systems covered by the contract/agreement.

  • Business associates must have a BAA in place with each of their subcontractor business associates. Subcontractor business associates are also directly liable for their own Security Rule violations.

Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party’s public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment.

Prevalent offers a pre-contract due diligence assessment with clear scoring based on eight criteria to capture, track and quantify inherent risks for all third parties and business associates during onboarding. The criteria include:

  • Type of content required to validate controls
  • Criticality to business performance and operations
  • Location(s) and related legal or regulatory considerations
  • Level of reliance on fourth parties (to avoid concentration risk)
  • Exposure to operational or client-facing processes
  • Interaction with protected data
  • Financial status and health
  • Reputation

From this inherent risk assessment, your team can centrally manage all business associates; automatically tier suppliers; set appropriate levels of further diligence; and determine the scope of ongoing assessments.

2. Establish a Process for Measuring Contract Performance and Terminating the Contract if Security Requirements Are Not Being Met

  • Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract.

  • Establish criteria for measuring contract performance.

Prevalent helps to centrally measure third-party KPIs and KRIs to reduce risks from gaps in vendor oversight by automating contract and performance assessments.

When a third party is found to be out of contract compliance, the Platform automates contract assessments and offboarding procedures to reduce your organization’s risk of post-contract exposure.

3. Written Contract or Other Arrangement

  • Document the satisfactory assurances required by this standard through a written contract or other arrangement with the business associate that meets the applicable requirements of §164.314(a)…

  • Execute new or update existing agreements or arrangements as appropriate.

  • Identify roles and responsibilities.

  • Include security requirements in business associate contracts and agreements to address the confidentiality, integrity, and availability of ePHI.

  • Specify any training requirements associated with the contract/agreement or arrangement, if reasonable and appropriate.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding. Key capabilities include:

  • Centralized tracking of all contracts and contract attributes such as type, key dates, value, reminders, and status – with customized, role-based views
  • Workflow capabilities (based on user or contract type) to automate the contract management lifecycle
  • Automated reminders and overdue notices to streamline contract reviews
  • Centralized contract discussion and comment tracking
  • Contract and document storage with role-based permissions and audit trails of all access
  • Version control tracking that supports offline contract and document edits
  • Role-based permissions that enable allocation of duties, access to contracts, and read/write/modify access

With these capabilities, you can ensure that the right clauses – such as security protections over ePHI and training – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

5.4.1 Business Associate Contracts or Other Arrangements (§ 164.314(a))

HIPAA Standard: (i) The contract or other arrangement between the covered entity and its business associate required by §164.308(b)(3) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable. (ii) A covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of §164.504(e)(3). (iii) The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

1. Contract Must Provide that Business Associates Will Comply with the Applicable Requirements of the Security Rule

Contracts between covered entities and business associates must provide that business associates will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that the business associate creates, receives, maintains, or transmits on behalf of the covered entity.

2. Contract Must Provide that the Business Associates Enter into Contracts with Subcontractors to Ensure the Protection of ePHI

In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit ePHI on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section.

Prevalent centralizes the distribution, discussion, retention, and review of vendor contracts. It also offers workflow capabilities to automate the contract lifecycle from onboarding to offboarding.

With these capabilities, you can ensure that the right clauses – such as security controls enforcement, auditability, incident response, notifications, fourth-party subcontractor arrangements, etc. – are in the contract, and that they are enforceable and efficiently communicated to all stakeholders.

3. Contract Must Provide that Business Associates Will Report Security Incidents

  • Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured PHI as required by § 164.410.

  • Maintain clear lines of communication between covered entities and business associates regarding the protection of ePHI as per the BAA or contract.

  • Establish a reporting mechanism and a process for the business associate to use in the event of a security incident or breach.

In addition to contract lifecycle management, Prevalent offers a Third-Party Incident Response Service that enables teams to rapidly identify and mitigate the impact of third-party breaches by centrally managing vendors, conducting event assessments, scoring identified risks, and accessing remediation guidance.

Customers can also access a database containing 10+ years of data breach history for thousands of companies around the world. The database includes types and quantities of stolen data; compliance and regulatory issues; and real-time vendor data breach notifications. Combined with continuous cyber monitoring, it provides organizations with a comprehensive view of external information security risks that can impact operations.

4. Other Arrangements

The covered entity complies with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).

5. Business Associate Contracts with Subcontractors

The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

In addition to helping ensure that business associate contracts contain provisions for assessing fourth-party (subcontractor) risks, Prevalent identifies fourth-party relationships through a native identification assessment or by passively scanning the third party's public infrastructure. The resulting relationship map depicts information paths and dependencies that could open paths into an environment.

Navigate the TPRM Compliance Landscape

The Third-Party Risk Management Compliance Handbook reveals TPRM requirements in key regulations and industry frameworks, so you can achieve compliance while mitigating vendor risk.
