hipaa-policies


21. 3rd Party Policy

CIRG attempts to assure that 3rd party organizations are cognizant of their responsibility not to compromise the integrity, security, and privacy of CIRG or CIRG-managed data. 3rd Parties include Partners, Subcontractors, and Contracted Developers, or any organization to which CIRG provides data access, except at the requirement of an appropriately entitled collaborator.

This policy is in place to allow CIRG to work with 3rd parties to provide essential services, subject to the constraints on ePHI described below. An example of such a service would be the use of UW Technology services to provide off-site backup of completely encrypted file or disk images, according to UW Technology’s standard service level agreement.

CIRG anticipates continuing a very minimal reliance on such 3rd party services.

21.1 Applicable Standards

21.1.1 Applicable Standards from the HITRUST Common Security Framework

21.1.2 Applicable Standards from the HIPAA Security Rule

21.2 Policies to Assure 3rd Parties Support CIRG Compliance

  1. CIRG does not allow 3rd party access to production systems containing ePHI.

In the event that CIRG contracts for services that do not include the transmission of ePHI, except for ePHI data which is encrypted in a way that prevents a third party from accessing those data,

  1. All connections and data in transit between CIRG systems and 3rd parties are encrypted end to end.
  2. A standard business associate agreement with 3rd parties is defined and includes the required security controls in accordance with the organization’s security policies. Additionally, responsibility is assigned in these agreements.
  3. CIRG has Service Level Agreements (SLAs) with 3rd parties with an agreed service arrangement addressing liability, service definitions, security controls, and aspects of services management.
    • 3rd parties must coordinate, manage, and communicate any changes to services provided to CIRG.
    • Changes to 3rd party services are classified as configuration management changes and thus are subject to the policies and procedures described in §9; substantial changes to services provided by 3rd parties will invoke a Risk Assessment as described in §4.2.
    • CIRG utilizes monitoring tools to regularly evaluate 3rd parties against relevant SLAs.
  4. No 3rd parties have access outside of their own environment, meaning they cannot access, modify, or delete anything related to other 3rd parties.
  5. CIRG does not outsource software development.
  6. CIRG maintains and annually reviews a list of all current 3rd parties.
    • The list is maintained by the CIRG Privacy Officer, includes details on all provided services (along with contact information), and is recorded in §1.4.
    • The annual review is conducted as a part of the security, compliance, and SLA review referenced below.
  7. CIRG assesses security, compliance, and SLA requirements and considerations with all 3rd parties.
    • CIRG leverages recurring calendar invites to assure reviews of all 3rd party services are performed annually. These reviews are performed by the CIRG Security Officer and Privacy Officer. The process for reviewing 3rd party services is outlined below:
      1. The Security Officer initiates the SLA review by documenting the start of the review in a Google Doc specific to this review.
      2. The Security Officer, or Privacy Officer, is assigned to review the SLA and performance of 3rd parties. The list of current 3rd parties, including contact information, is also reviewed to assure it is up to date and complete.
      3. SLA, security, and compliance performance is documented in the review document.
      4. Once the review is completed and documented, the Security Officer approves or rejects the documentation. If the documentation is rejected, it goes back for further review.
  8. Regular review is conducted as required by SLAs to assure security and compliance. These reviews include reports, audit trails, security events, operational issues, failures and disruptions, and identified issues are investigated and resolved in a reasonable and timely manner.
  9. Any changes to 3rd party services and systems are reviewed before implementation.
  10. For all partners, CIRG reviews activity annually to assure partners are in line with SLAs in contracts or published SLAs with CIRG.
  11. SLA review is monitored on an annual basis using a review of the documentation to assess compliance with above policy.