By Robert Booker, Chief Strategy Officer, HITRUST

HITRUST is pleased to join with healthcare industry leaders who are working together through Health3PT to boldly meet the challenge of third-party risk management. Health3PT has approved HITRUST as the first assurance supplier supporting the requirements of the recently released Health3PT Recommended Practices & Implementation Guide (Guide).

HITRUST provides an assurance system designed to efficiently meet the needs of every company in the healthcare industry. The HITRUST portfolio of e1, i1, and r2 assessments all support healthcare industry organizations seeking to collect evidence of appropriate, reliable, and consistent assurance of their vendor’s security capabilities. And, the recently released e1 and i1 assessments alongside the long-respected r2 assessment together support the varying levels of risk across the healthcare industry. Just as importantly, the HITRUST Assurance Program provides the supporting infrastructure and scalability to address the complexity of healthcare for the tens of thousands of relationships between healthcare industry companies and third-party vendors and suppliers.

A recently released survey conducted by Health3PT confirms that vendors believe today's third-party risk management practices are not effective. The Health3PT guidance and the HITRUST Assurance Program together provide the capabilities and efficiency to solve the Third-Party Risk Management problem in healthcare. HITRUST enables organizations to practically implement five of the six practices presented in the Guide.

Let’s look at five of the six recommended practices presented in the Guide.

Risk Tiering Strategy (Practice 2)

Third parties with lower inherent risk may be more likely to experience data breaches, as they often have not established foundational cybersecurity. A risk tiering strategy ensures that all third parties follow appropriate security requirements, irrespective of risk levels. Consistent risk analysis is necessary to evaluate organizational, compliance and technical risk factors, identify risks to the third party, and the healthcare organization, and determine the required level of assurance. A HITRUST risk triage approach for Health3PT supports calculation of the risk score for vendors and selection of the appropriate level of assurance.

Reliable and Transparent Assurances (Practice 3)

Reliable assurances ensure that the third party has taken proper measures to safeguard the data of its partner organizations and customers. The HITRUST e1, i1, and r2 assessments support different levels of assurance for different risk levels as defined in the Guide. These assessments all are based upon the same framework. HITRUST assurances follow a consistent methodology and provide the required accuracy and quality of assurance based on evidence, assessor independence, and a robust quality assurance system. For over a decade, HITRUST has offered the needed reliability, quality, and transparency in its assurance system now selected by Health3PT. All HITRUST assessments and assurance reports are based on the HITRUST CSF and allow healthcare entities and third parties to progressively achieve higher assurances by sharing common control requirements and inheritance of control maturity provided by leading Cloud Service Providers.

Tracking of CAPs (Practice 4)

An important value of an assurance system is the identification of controls that are not implemented properly and tracking of remediation progress to completion. The HITRUST MyCSF SaaS platform supports the documentation of corrective action plans for all assurance reports for a third party so they may track their progress on milestones, the state of remediation, and share remediation progress with the healthcare industry companies they serve.

Assurance Updates (Practice 5)

As new threats emerge, security requirements change continuously. Assurance requirements must also change to reflect control adjustments needed in response to ongoing changes in the threat landscape. The HITRUST CSF is Threat-Adaptive by leveraging threat intelligence data to remain relevant and focused on the latest threats. Healthcare industry companies are therefore able to know that later assurance reports in the relationship with third parties are appropriate to the then current threat landscape.

Systematic Risk Management Approach (Practice 6)

Healthcare is a complex industry with organizations having relationships with multiple third parties. A systematic and technically-enabled approach is required to manage its exponential scale. A system that tracks progress across stakeholders, facilitates the sharing of results, integrates with existing systems, and supports business relationships enhances business value and risk management for healthcare. The HITRUST Results Distribution System (RDS) allows third parties to efficiently share their assessment reports with the multiple healthcare industry companies that they support and equally supports healthcare industry companies receiving reports from multiple third-party vendors.

Health3PT aims to promote effective strategies to help healthcare organizations mitigate third-party cyber risks. To learn more about these strategies, download the Guide from Health3PT, and go to HITRUST to learn more about how HITRUST is supporting Health3PT.

More than 150 organizations have joined the Health3PT Initiative, which is dedicated to solving TPRM problems with credible assurance models and automated workflows. Recently, Health3PT launched a Vendor Directory that lists vendors with completed and in-progress HITRUST certifications. Organizations can now identify trustworthy vendors that meet appropriate requirements of risk management for healthcare.

Check out the Vendor Directory to find trusted third-party vendors.