Using the HITRUST Framework to Manage and Mitigate Third-Party Risks

Written by HITRUST | Mar 15, 2024 12:23:41 AM

Guest blog by William Ahrens, Director, Mazars USA

HITRUST assessments can be used to reduce the risk of a data breach, achieve cost savings, and avoid threats. An especially compelling use case is for organizations to use the HITRUST framework to assess their third parties.

Data breaches caused by third-party vendors and suppliers have been a significant concern for organizations in recent years due to the complex nature of modern business operations. As it becomes more common for organizations across industries to outsource greater numbers of services, third-party risks are compounded.

Third-party risks

IBM’s Cost of a Data Breach Report 2022 stated that a compromise at a third party or a business partner caused 19% of breaches. The report also explored the impact various factors had on the average cost of a data breach. While the presence of AI, DevSecOps, and Incident Response had positive impacts on lowering costs, compliance failures and the involvement of third parties inflated the costs. In fact, these two were among the highest contributing factors. When organizations can quickly detect a breach and shorten its lifecycle, they can significantly reduce costs and save as much as $1.12 million.

The potential for risk caused by third parties is especially high for hospitals and healthcare organizations due to their interconnected systems and multiple entry points for data access, which increase their attack surfaces and potential vulnerabilities. Healthcare organizations outsource critical processes that give access to PHI and other sensitive data. This makes it essential to reduce third-party risks with practical solutions that provide reliable assurances and greater insights into security practices.

But where to start? Vendors are a diverse group. They range substantially in size, service offering, capability, risk profile, and cyber maturity. It’s no wonder most organizations — especially those in healthcare — struggle with vendor risk management.

Manual, inconsistent approaches are time- and resource-intensive, overtaxing assigned staff who have limited bandwidth and competing priorities. Given the large number of third parties, staff members strain to keep up with the high volume of assessments.

Risk-tiering strategy

To effectively address security requirements that are appropriate for each vendor, companies should consider employing a risk-tiering strategy. Vendor risk management programs with a consistent and structured risk analysis process allow organizations to assess vendors based on the risk they present to the business.

Organizations can select the appropriate level of security assurance for each vendor by considering the following questions:

  • What and how much data does the vendor access and process?
  • Are there any fourth parties handling the data?
  • If the data is compromised, what would be the impact on the business?

Realizing the need, HITRUST offers three certification options to address varying assurance requirements, risk maturity, and business profiles of vendors.

Benefits of the HITRUST CSF

The foundation of HITRUST certifications is its framework, the HITRUST CSF. The HITRUST CSF offers many unique benefits not found within other compliance frameworks.

  • Each HITRUST assessment is built on a common framework, which means vendors can move from one assessment to another without losing previous work. All of the 44 e1 controls are included in the 182 i1 controls, which in turn are included in the r2 control set.
  • The HITRUST CSF leverages current threat intelligence information and is updated regularly. It ensures that the assessed entities are protected against the latest cyber threats with proper controls.
  • The HITRUST MyCSF SaaS compliance and risk management tool automatically builds relevant controls and provides consistent mapping to 40+ authoritative sources.
  • HITRUST assessments ensure consistency and accuracy as each validated assessment undergoes three independent quality assurance processes from three separate teams.

HITRUST assessments provide transparent reporting of the assessed vendor’s security practices. Unlike other frameworks, HITRUST is prescriptive. With its suite of products and services, HITRUST offers the most comprehensive assurance mechanism and provides an efficient and tiered vendor risk management methodology.