Nation’s Health CISOs Take Lead to Manage Third-Party Risk

Computer Weekly News

By a News Reporter-Staff News Editor at Computer Weekly News -- Prominent Chief Information Security Officers (CISOs) from leading health systems and providers throughout the country have come together to establish the Provider Third Party Risk Management Council to develop, recommend and promote a series of practices to effectively manage their information security-related risks in their supply chain and to safeguard patient safety and information.

Members of the Council observed their supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases, insurmountable for many organizations who simply don't have the expertise or resources. Through innovation and industry leadership, the Provider Third Party Risk Management Council are developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.

"Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care," says Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children. "The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity."

Lehmann says third parties may have a small number of customers or possibly hundreds or thousands to serve. For third parties, this challenge has resulted in lost time and resources in attempting to comply with each organization's risk management requirements and ensure efficiency for both parties.

The council is working with the HITRUST CSF® and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months. The HITRUST CSF Certification will serve as their standard for third parties providing services that require access to patient or sensitive information and will be accepted by all the council's organizations. The HITRUST CSF Assurance Program is already the most widely adopted assessment approach used by healthcare organizations and used by third parties to evaluate and communicate their information privacy and security posture. HITRUST will continue to work closely with council members and their organizations to ensure its programs are the hallmark for the industry.

"Our patients expect us to not only deliver robust healthcare to keep them healthy, but also to preserve the trust they have in us by safeguarding their sensitive data. When our patients' sensitive data is shared with our third parties, it's important that we have adequate controls in place. By aligning our third parties' controls to HITRUST CSF, a leading industry framework that evolves with the changing cyber landscape, our customers feel more confident their sensitive data is in good hands," says Omar Khawaja, VP and CISO, Allegheny Health Network and Highmark Health. Goal of the Provider Third-Party Risk Management Council The Provider Third Party Risk Management Council* recognizes that a more efficient approach to third-party assurance is necessary and strives to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties. By choosing to adopt a single comprehensive assessment and certification program, healthcare organizations represented by the council are prioritizing the safety, care, and privacy of their patients by providing clarity and adopting best practices that their vendors can also adopt, while providing vendors the expectation of what it takes to do business with their organizations.

"We believe the healthcare industry as a whole, our organizations and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process," says John Houston, Vice President, Privacy and Information Security & Associate Counsel, UPMC. "We are strongly encouraging other provider organizations to follow suit and adopt these principles."

Council member organizations have each announced they will accept HITRUST CSF Certification in lieu of a separate assessment, questionnaire, audit or certification report.

Keywords for this news article include: HITRUST, United States, Information Technology, Information and Data Security.