THIRD PARTY – “THEY”
An often-used pronoun in my mother’s conversation was “they.” “They say when cows are lying down it is going to rain.” “They say it will be a horrible winter.” NOTE: I grew up in Watertown, NY. ALL winters were horrible! My brother and I would occasionally challenge and question just who “they” was, or were, that had so much information at their fingertips. “They” was undoubtedly the wisest authority on everything in the history of man. Their pronouncements were not to be questioned, just accepted. They were my first Third Party experience.
Job interviews can be an analogy for the need for a Third Party. It is not unusual for an interviewer to ask a question about skill level, only to find, during the first few months after hire, that the interviewee exaggerated. While perhaps not a blatant lie, it is common to stretch the truth in an attempt to appease the interviewer and obtain the position. One never intends for the truth to become known, but instead hopes it will never be noticed.
When recommendations are made for a third party security assessment for the purpose of obtaining a baseline, it is with a conscious intent to help an organization obtain a more credible stance to meet compliance requirements for HIPAA, Meaningful Use and the myriad other regulations facing corporations today. A Covered Entity may well have a policy on passwords, listing criteria, mandated password changes, etc., but a third party risk assessment might find that the policy has never been implemented. This puts the organization at very high risk for audit problems, not to mention an overwhelming possibility of making the headlines with the next million-record data breach.
Best Practice suggests a baseline Security Risk Assessment by a third party, with routine updates and/or reviews after that. All regulations are somewhat vague, so it is left to the organization to determine how frequently an assessment should be done. However, regulations do mention that an update/review should also be done after changes are made. New server install? Update your assessment. Change in policy? Update your assessment. For every review and/or update, make sure you document it. Then, annually or at least once every three years, bring a third party in for another review.
In my daily work routine now, I use “third party,” frequently suggesting a third party assessment, a third party consult or a third party review. I know who “they” (i.e. – a third party) might be and why I would trust their pronouncements. The Third Party is that additional presence when there are two entities facing potential dispute or disagreement. For example, HIPAA compliance versus a Covered Entity. Enter Third Party assessment.
When your request for that third party assessment is reviewed and the need questioned, offer the example of the job interview. That is not to say an internal assessment cannot be truthful and accurate, but being able to provide documentation of routine third party assessments will go a long way in appeasing HIPAA auditors when they come around, not to mention any other regulatory agency or payor. Neutrality has served Switzerland well since 1815; the Swiss can be objective in their decisions. Third Party consultants can be your objective resource, your Switzerland.