icon devices

Technology Risk Office (TRO)

The Technology Risk Office manages technology risk through risk advisory and assessment activities.

Risk Assessments

What is it?

Risk assessments are advisory and assessment services related to regulatory compliance or information security. Risk assessments:

  • Help Kaiser Permanente remain compliant with regulatory obligations
  • Provide guidance to project teams and leadership to manage technology risk introduced by new solutions
  • Occur for ongoing risk monitoring activities

What risk assessments are in scope?

  • Initial risk consultation/inherent risk assessment (IRA)
  • Cyber security architecture
  • Technology controls design and implementation review for HIPAA compliance, Payment Card Industry (PCI) compliance, privacy compliance
  • Monitoring risk assessments for higher risk services provided by vendors
  • Solution and application security testing (application security assessment and penetration testing)

Vendor Risk Management (VRM) Program

The Vendor Risk Management (VRM) Program has been established to ensure that vendors providing technology or services to KP and accessing KP sensitive data such as Protected Health Information (PHI)/Personally Identifiable Information (PII), cardholder data and financial data are following key security principles and meeting compliance and regulatory requirements.

One of the Program’s goals is to understand and manage the vendor risks for KP technology vendors to support the needs of the following groups:

Regulators
HIPAA, PCI-DSS and SOX require that adequate controls are in place to ensure confidentiality, integrity, and availability of sensitive data.

Centers for Medicare and Medicaid Services (CMS) requires Medicare Advantage Organizations to report any contracts that involves sending protected health information outside the United States and its territories.

Customers, Members, and Patients
Kaiser Permanente is contractually obligated to its customers to maintain data confidentiality, service continuity, and meet customers’ regulatory obligations.

Board of Directors
Board and executive management require that all activities performed by vendors are executed in a secure environment and are performed in compliance with applicable laws.

Frequently Asked Questions

Which vendors are in scope?

All vendors are in scope for these risk assessments. Some services which are previously identified as low risk, may be grandfathered into service categories which do not require a detailed assessment.

How much time will this take?

The VRM team will schedule a kick off meeting with you. During this time, assessment activities and timelines will be communicated to you.

Can vendors access, generate, host, download, print, store, process, transfer, or maintain Kaiser Permanente’s Personal Information or Patient/Personal Data¹ outside of the United States or provide services to Kaiser Permanente from an offshore location?

No Personal Information or Patient/Personal Data may be accessed, generated, hosted, downloaded, printed, stored, processed, transferred, or maintained outside of the United States by Vendor or any Vendor Subcontractor or any services provided to Kaiser Permanente from an offshore location without Kaiser Permanente’s prior written approval. Such approval may be withheld by Kaiser Permanente for any reason in its sole discretion and/or approval may be subject to additional terms and conditions.

1 Personal Information” or “Patient/Personal Data” means personally identifiable information, data or records relating to or concerning any patient, member, plan participant, employee or contractor of any Kaiser Permanente entity, including, without limitation, Protected Health Information (“PHI”) under HIPAA and “Cardholder Data” under the Payment Card Industry (“PCI”) data security standards. Personal Information shall always be Confidential Information of Kaiser Permanente.

Technology Risk Office Vendor Risk Management

Privacy and Security

The privacy and security of our member, patient, and employee personal information* is a responsibility of the utmost importance and concern to Kaiser Permanente. In today’s environment where data security breaches are a serious threat and managing technology risk is a significant challenge, vendor adherence to Kaiser Permanente’s data security requirements is critical. As referenced in our vendor Data Security Requirements document, which can be found under the Requirements and Guidelines section of this website, vendors should pay specific attention to the prohibition regarding vendor offshore access to Personal Information without Kaiser Permanente’s prior written approval.