Risk Assessments

  • 1.  NPI

    This message was posted by a user wishing to remain anonymous
    Posted 06-27-2023 02:51 PM

    Hello,

    Do you consider a vendor with access to NPI automatically a high-risk vendor?

    Our risk assessment automatically places them as high risk. 

    I appreciate everyone's input.



  • 2.  RE: NPI

    Posted 06-27-2023 02:59 PM

    Hi - Consider if that vendor's protection of your or your customer's NPI were compromised. Would that be damaging to you reputationally, financially, or legally? 

    Inherently I would consider any vendor who accesses, stores, processes, or transmits corporate or customer NPI a security risk that should be identified, evaluated, and monitored. After a formal risk assessment the residual risks might be considered less than high, but the potential for damages still exists and therefore should keep that third party in-scope as a high risk vendor. 




  • 3.  RE: NPI

    This message was posted by a user wishing to remain anonymous
    Posted 06-27-2023 03:32 PM

    A vendor with NPI is automatically a high INHERENT risk, however depending on the controls the vendor has in place, the residual risk may lower the overall risk of the vendor.




  • 4.  RE: NPI

    This message was posted by a user wishing to remain anonymous
    Posted 06-27-2023 03:54 PM

    We do not put them as automatically high risk. The way we think about it is total exposure. Are they only getting a handful of files? If something were to happen to those, how big of an impact would this be, both financially and reputationally? If both of those are minimal, it would not be high risk. If you have a vendor as high risk, they would most likely fall into a form of advanced and ongoing monitoring. Is that really needed on a vendor who only has access to 5-10 records? I would not think so, but in the end it really depends on your organization's risk tolerance and risk appetite. If the cost of monitoring is more than the total cost (remember there are non-quantitative impacts such as impact to reputation), then I do not find them to be a high risk vendor.




  • 5.  RE: NPI

    Posted 06-28-2023 09:50 AM

    I would agree that it depends on the volume of data too. If the vendor just has NPI for 5-10 customers, then the impact may never rise to a high risk. That said, you still want to make sure you're considering any other risk associated with the services provided, and have a process to "check in" on the service to see if the volume has changed. Many times, a vendor might start off with a small number of records, but as the service gets up and running, that will scale up. If you don't have a process to oversee any changes, you could miss a vendor moving from a low to high risk.




  • 6.  RE: NPI

    This message was posted by a user wishing to remain anonymous
    Posted 06-27-2023 05:28 PM

    We also assess whether the vendor has direct or indirect access to the NPI. If you are in a regulated industry (e.g. financial services), even a handful of NPI will default to high, where you have to assess their controls such as encryption at rest/in motion/in use and MFA.




  • 7.  RE: NPI

    This message was posted by a user wishing to remain anonymous
    Posted 06-28-2023 02:53 PM

    Thank you all for your input. This really helps.

    I am so glad that we have this platform to exchange ideas.