I think it helps to have a more granular understanding of what NPI is for your organization. For instance, what sort of non-public information would allow a hacker to steal credit or identity? That's what my org counts as NPI. Names, phone numbers, addresses, make of vehicles - those are NOT NPI according to our definition. In fact anyone could find that information out by calling the library. But an account number and password could be.
For us, "NPI" is SSN, account ID number, passwords, credit/debit card numbers, or sometimes (case-by-case) instances of a non-encrypted combo of name/phone/address/email. This is troublesome information if it became public. So, any org that we say YES to sharing NPI with should absolutely be high risk, and that's correct!
------------------------------
Diego Fable
Enterprise Data Management Admin
Midsize Mortgage Nonprofit
------------------------------
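The tiering Diego describes (standalone NPI elements, a case-by-case unencrypted contact combination, and everything else public) can be written down as a small rule set so vendor reviews apply it consistently. This is an added example, not code from either poster or their organizations; the element names (`ssn`, `account_id`, `vehicle_make`, and so on) and the two-element threshold for a "combination" are assumptions.

```python
from dataclasses import dataclass, field

# Diego's definition: these are NPI on their own.
ALWAYS_NPI = {"ssn", "account_id", "password", "card_number"}
# NPI only as an unencrypted combination; individually they are public.
CONTACT_ELEMENTS = {"name", "phone", "address", "email"}
# Public on its own (anyone could get it by calling the library).
PUBLIC_ONLY = {"vehicle_make"}

@dataclass
class VendorAssessment:
    vendor: str
    risk: str                  # "high", "case-by-case", or "low"
    shares_npi: bool
    reasons: list = field(default_factory=list)

def assess_vendor(vendor: str, elements: set, encrypted: bool) -> VendorAssessment:
    """Tier a vendor by the data elements it receives.

    `elements` uses the constructed names above; `encrypted` means the
    contact-detail combination is protected at rest and in transit.
    Unknown element names are rejected so nothing slips through unclassified.
    """
    unknown = elements - ALWAYS_NPI - CONTACT_ELEMENTS - PUBLIC_ONLY
    if unknown:
        raise ValueError(f"unclassified elements: {sorted(unknown)}")
    reasons = []
    npi_hits = sorted(elements & ALWAYS_NPI)
    if npi_hits:                                # any standalone NPI -> high
        reasons.append(f"standalone NPI shared: {', '.join(npi_hits)}")
        return VendorAssessment(vendor, "high", True, reasons)
    combo = sorted(elements & CONTACT_ELEMENTS)
    if len(combo) >= 2 and not encrypted:       # assumed threshold: 2+ elements
        reasons.append(f"unencrypted contact combination: {', '.join(combo)}")
        return VendorAssessment(vendor, "case-by-case", True, reasons)
    reasons.append("only public elements or a protected contact combination")
    return VendorAssessment(vendor, "low", False, reasons)

def needs_escalation(inventory: list) -> list:
    """Return vendor names whose sharing is anything other than low risk.
    `inventory` is a list of (vendor, elements, encrypted) tuples."""
    return [a.vendor for a in (assess_vendor(*row) for row in inventory)
            if a.risk != "low"]

if __name__ == "__main__":
    # Constructed sample inventory for illustration.
    sample = [("print-shop", {"name", "address"}, False),
              ("dealer-feed", {"name", "vehicle_make"}, False),
              ("loan-servicer", {"account_id", "ssn"}, True)]
    for row in sample:
        a = assess_vendor(*row)
        print(f"{a.vendor}: {a.risk} ({'; '.join(a.reasons)})")
```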
Original Message:
Sent: 06-28-2024 07:52 PM
From: Lindsay Street
Subject: Identifying/Categorizing NPI/NPPI Risk
Has anyone identified/categorized different levels of risk when it comes to different types of NPI/NPPI? (And can you provide examples?)
Most risk assessments I see are yes or no on NPPI, with some instantly labeling the vendor as high risk with a yes.
Categorizing information seems like it would be more efficient since name, phone number, make of vehicle, account number/activity are all very different things.
Thanks!