The HITRUST Third-Party Risk Management (TPRM) Council was formed to foster collaboration between companies, third-party vendors, and advisory service firms. The mission of the Council is to drive efficiencies and effectiveness as it relates to identifying, assessing, and mitigating risk in the complex supply chain ecosystem.

Founding members of the TPRM Council are global, security, risk, compliance, and audit executives representing a diverse cross-section of organizations. TPRM Council members are committed to identifying and supporting approaches to improve the current TPRM process—with a focus on increasing effectiveness and reducing inefficiencies.

Members of the TPRM Council include:

• Amazon Web Services (AWS) – Hadis Ali, Security Assurance Manager
• AT&T – Vecky Juko, Associate Director, Supplier Governance, Global Benefits
• Broadridge Financial – Sandra Rohrer, Sr. Director, Product Management, Marketing and Regulatory Communications
• Change Healthcare – Susan Richards, Director, Information Security
• Coalfire – Zachary Shales, Director, Healthcare Assurance
• Conduent – Troy Bos, Director, Client Assurance
• CVS Health – Steve Meallo, Information Security Program Management
• Frist Cressey Ventures – Chris Booker, Partner
• Frazier & Deeter – Andrew Hicks, VP, Risk Assurance
• Google – Sam Morales, Program Manager, Cloud Compliance
• Health Care Service Corporation (HCSC) – Chris Lodico, Sr. Director, Information Security
• Humana – Matt Phillips, Enterprise Information Security
• Mastercard – Ashish Gupta, VP, Cyber & Data Product Management
• Microsoft Azure – David Houlding, Director of Healthcare Experiences
• Rite Aid – Robert Lautsch, CISO
• Teleperformance – Jeffery Schilling, Global CISO
• UnitedHealth Group – Brian Troen, Sr. Director, Risk Governance & Supplier Management
• University of Pittsburgh Medical Center – John Houston, VP, Information Security & Privacy
• Vonage – Ordia Bryan, Sr. Manager, Global Security Compliance

HITRUST Third-Party Assurance Council Receives 2017 CSO50 Award for IDG’s CSO

Previously named the HITRUST Third-Party Assurance Council, this working group was named as an honoree of the 2017 CSO50 Award for IDG’s CSO. This prestigious honor is bestowed upon a select group of organizations that have demonstrated that their security initiatives have created outstanding business value and thought leadership for their companies.

View the official press release.

Now in its second year, the HITRUST Authorized External Assessor Council has grown to 25 appointees, representing a broad range of experience in information security and privacy. The council provides a forum to ensure that HITRUST Authorized External Assessors can directly submit input to HITRUST thereby influencing the HITRUST CSF Assurance program to continually ensure and evolve its integrity, effectiveness, and efficiency. The creation of the Quality Subcommittee further upholds the continued focus on maintaining a standard of excellence.

The HITRUST Authorized External Assessor Council interacts regularly with HITRUST to share challenges and opportunities relating to HITRUST service offerings. It holds periodic meetings over the course of each year.

HITRUST Authorized External Assessor Council members include:

• 360 Advanced, Inc. – Ryan Winkler and Chelsea Higgins
• A-LIGN – Petar Besalev and Shreesh Bhattarai
• Baker Tilly – Emily Di Nardo and Samantha Boterman
• Coalfire – Arthur Staff and Tiffany Stewart
• ControlCase – Omkar Salunkhe and Himanshu Goel
• Frazier & Deeter – Andrew Hicks and Eric Johnson
• Intraprise Health – John Toner and Liz Gulden
• LBMC Security & Risk Services – Robyn Barton and Drew Hendrickson
• Meditology Services – Angela Fitzpatrick
• NBD Assurance, LP – Charles Denyer
• PwC – Brent Stevens and Adrian Leung
• Schellman – Doug Kanney and Greg Miller
• Tevora – Justin Graham and Jason Lee

The Asia Advisory Council (the Council) will help ensure the HITRUST Approach remains current and relevant to the needs of the HITRUST community in Asia-Pacific countries. Members will advise and make recommendations to the HITRUST Office of Research and Strategy (OR&S) based on their area of expertise.

The Council will support the OR&S in facilitating continuous improvement of information security and individual privacy as HITRUST expands within Asia by providing thought leadership on the emerging laws, policies, and trends impacting regional risk management and compliance.

For more information about the HITRUST Asia Advisory Council, visit here.

The HITRUST Venture Program, governed by a council of members from leading venture capital firms, was established to address the unique challenges of startup organizations by integrating security, privacy, and compliance into an organization’s culture and strategy from their genesis.

One element of the program is providing startups access to a bundle of tools and services to facilitate an efficient and cost-effective process of ensuring they have the appropriate and effective information risk management and compliance controls in place and can demonstrate and provide assurances of such to their prospects, customers and investors.

The purpose of the Venture Program is simple: accelerate innovation for startups.

For more information about the HITRUST Venture Program, also known as the HITRUST Venture Capital Advisory Council, visit here.

The HITRUST Threat Catalogue was designed to help organizations become more proactive and improve their information security posture by better aligning cyber threats with HITRUST CSF controls—a combination not currently found in other frameworks. This helps simplify the risk analysis process and subsequently reduces some of the burden, costs, and confusion otherwise experienced by organizations when conducting a risk analysis.

HITRUST will transition the HITRUST Threat Catalogue into a more comprehensive and rigorous risk management tool—the HITRUST Risk Catalogue—through the planned addition of metadata related to information assets, vulnerabilities, and other non-threat specific areas of risk analysis.

Objectives of the Risk Catalogue Working Group:
The objectives of the HITRUST Risk Catalogue Working Group are to support further development of the HITRUST Risk Catalogue as a comprehensive risk assessment tool that will enable organizations to conduct more meaningful risk analyses and better leverage active threat intelligence in their risk management programs.

HITRUST Risk Catalogue Working Group Members will advise and make recommendations to HITRUST in the following key areas:

• Updating the threat taxonomy and enumerated threats.
• Mapping HITRUST CSF control requirements to enumerated threats.
• Updating threat metadata in the Catalogue to support HITRUST’s work around quasi-quantitative risk analysis, which includes, but is not limited to:
  • Mobile Application Environment (MAE) assessment,
  • Quantitative and quasi-quantitative risk analysis, and
  • The MITRE ATT&CK framework.
• Providing additional risk information, such as asset and vulnerability types.
• Mapping this additional information to enumerated threats.

HITRUST launched a new Mobile Application Environment (MAE) Working Group (WG) to help solve the market need for organizations that employ mobile applications (apps) within their environment to ensure and provide interested stakeholders reasonable assurances that the internal development, distribution, implementation, and usage of apps are done securely.

The goal of the HITRUST MAE WG is to support the development and integration of organizational-level mobile app environment-related security and privacy control requirements into the HITRUST CSF and HITRUST CSF Assurance Program. The scope of the WG’s efforts may include an organization’s internal development, vetting, deployment, and operation of mobile apps and mobile devices, but does not currently include the technical testing and certification of the mobile apps themselves.

HITRUST MAE WG Members will advise and make recommendations to HITRUST in the following key areas:

• Formal definition of the term “mobile applications environment” consistent with public and private sector usage and its intended use for the purpose of HITRUST CSF Certification.
• Identification of security and privacy risks specific to an organization’s MAE, as defined, and the specification of structured HITRUST CSF control requirements to mitigate those risks, which may include but are not limited to:
  • Apps pushed to mobile devices and personal computers via a third party or organizational app store, and
  • Apps intended to run from a browser.

Specification of related changes, if any, to the HITRUST CSF Assurance Program to support the assessment and certification of an organization’s MAE, as defined.