Winning the CSO50 2017 Award is further recognition of the Council’s continued leadership and innovation as they advance third-party assurance for the healthcare industry
You’ve likely heard the phrase, It Takes a Village. This mantra certainly holds true when it comes to protecting sensitive and private healthcare information. Healthcare organizations push tremendous amounts of healthcare data and other personally identifiable information within their own environment and throughout the entire healthcare ecosystem. When it comes to protecting this data, it’s become very apparent that healthcare organizations must not solely focus on protecting the data within the confines of their own data centers and networks, but also within those environments that connect to them.
“The members on the HITRUST BA Council stepped up and listened to each other’s concerns and needs, questioning existing approaches and collaborating to find a model that was mutually beneficial to both customers and vendors,” said Daniel Nutkis, CEO, HITRUST. “Council members exemplify leadership and innovation in advancing third-party assurance for the industry – and as a model for other industries as well.”
With the passing of HIPAA/HITECH regulatory requirements, it’s become common knowledge that healthcare organizations must assess their vendors—their business associates—in order to understand their adherence to privacy and security practices. Without that insight and knowledge, organizations cannot determine risk, and without determining risk, they cannot manage their risk effectively nor can they ensure compliance with healthcare regulations.
“Healthcare organizations rely upon a tremendous number of third-party vendors who have access to the organization’s network and sensitive data, representing an opportunity to improve customer outcomes and lower costs, as well as a potential risk to the healthcare organization’s ability to ensure security, privacy and compliance,” said Omar Khawaja , Vice President and Chief Information Security Officer, Highmark Health and HITRUST Business Associate Council Member in a recent HITRUST press release.
Responding to concerns within the industry on how best to balance Covered Entities (CE) requirements to comprehensively evaluate the effectiveness of their vendors’ or business associates’ (BA) security controls and programs, while in a manner that is efficient and effective for the BAs and vendors, leaders from some of the nation’s largest healthcare organizations joined forces with the vendor community to collaborate and launch the HITRUST Business Associate (BA) Council. The HITRUST Business Associate Council is comprised of five healthcare organizations and 17 vendors serving the healthcare industry.
BA Council members represent a variety of types and sizes of organizations supporting the healthcare and public health sector and hold varying positions with deep and diverse expertise in managing risk and protecting sensitive health information. The Council holds four meetings over the course of each year to discuss ways the HITRUST Third Party Assurance and other programs can consider and accommodate business associate and vendor perspectives and objectives.
The founding members of the HITRUST BA Council include:
- Anthem: Jeff Martin, Manager II Technology, Information Security
- Armor: Chris Drake, CEO and Founder
- Arvato Digital Services: Richard Haft, Head of Risk, Information Security, and Compliance
- Availity: Debbie Hutchinson, Senior Manager, Audit and Third-Party Assurance
- Azure (Microsoft): Hector Rodriguez, National Director, Health and Life Sciences
- Catalyze: Travis Good, M.D., CEO and Co-founder
- Change Healthcare: Susan Richards, Strategic Program Manager, Information Security
- Cognizant: Andrew Frazier, Healthcare Information Security Officer
- Conduent (Xerox Corporation): Troy Bos, Director, Third-Party Assurance
- Dropbox: Patrick Heim, Head of Trust and Security
- Epic Systems Corporation: Stirling Martin, Chief Security Officer
- Fiserv: Brenda Magri, Director, Risk and Compliance, ISO
- Health Care Services Corp.: Brenda Callaway, Executive Director, Information Security Compliance & Disaster Recovery
- HealthEdge: Taylor Lehmann, Chief Information Officer
- Highmark: Tim Belardi, Director, Technology & Supplier Risk Management
- HMS: Scott Pettigrew, Chief Security Officer
- Humana: Darin Clapp, Information Security Contracts Manager
- PDHI: Lee Penn, Chief Financial Officer and Chief Compliance Officer
- RR Donnelley: Peter Tiemeyer, Chief Information Security and Privacy Officer
- Salesforce: Izak Mutlu, Vice President – Information Security
- United Health Group: Bryan Sheehan, Senior Director, Information Risk Management
- West Corporation: Rebekah Johnson, Compliance Leader
In recognition of the above-mentioned achievements, IDG’s CSO magazine has selected the HITRUST Business Associate Council as a CSO50 Award winner. The CSO50 Awards, which launched in 2013, recognizes 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership.
“We are thrilled to see the real-world benefits of our mission to inspire excellence in healthcare IT by driving innovation throughout the third-party vendor supply chain,” said Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, Anthem and HITRUST Business Associate Council Member, in a recent HITRUST press release announcing the award.
With tremendous results already experienced and with many more plans in the works, the HITRUST Business Associate Council has proven to be an incredibly valuable program given BA organizations like PDHI get equal time at the table. In addition to streamlining the assessment process these BAs also gain the added benefit of demonstrating to clients and insurance companies that we are managing risk effectively.
“There is no other security framework or industry where you can find this same level of buy-in and cross-participation,” said Lee Penn, Chief Financial Officer and Chief Compliance Officer, PDHI and HITRUST Business Associate Council Member in a recent HITRUST press release.
The HITRUST Business Associate Council is thrilled to accept its award during the CSO50 Conference + Awards scheduled for May 1-3, 2017 at the Scottsdale Resort at McCormick Ranch, Scottsdale, Arizona. Brenda Callaway, Executive Director, Information Security, HCSC and Craig Eidelman, Modern Workplace Security Specialist, Microsoft Healthcare are accepting the award on behalf of the HITRUST Business Associate Council.
To learn more about the HITRUST Business Associate Council, please visit https://hitrustalliance.net/councils/.