Hi - Consider if that vendor's protection of your or your customer's NPI were compromised. Would that be damaging to you reputationally, financially, or legally?
Inherently, I would consider any vendor who accesses, stores, processes, or transmits corporate or customer NPI a security risk that should be identified, evaluated, and monitored. After a formal risk assessment, the residual risks might be considered less than high, but the potential for damages still exists and therefore should keep that third party in scope as a high-risk vendor.
Original Message:
Sent: 06-27-2023 02:37 PM
From: Anonymous Member
Subject: NPI
This message was posted by a user wishing to remain anonymous
Hello,
Do you consider a vendor with access to NPI automatically a high-risk vendor?
Our risk assessment automatically places them as high risk.
I appreciate everyone's input.