Written by HITRUST Independent Security Journalist Sean Martin.
The HITRUST Third-Party Assurance Summit 2018 (TPA) kicked off in Chicago with a panel about the common challenges organizations face in establishing a Third Party Risk Management Program with an in-depth discussion amongst speakers from Google, Wellforce, and HITRUST. This was followed by a customer session with speakers from Availity, Cooper University Health Care, UnitedHealth Group, and UPMC, and a vendor session comprised of HITRUST partners including PDHI, Salesforce, Microsoft, and Change Healthcare.
Some of the main takeaways from these sessions include:
- A multi-industry opportunity: This isn’t an enterprise problem; it’s not a business associate problem; it’s an industry problem in that the third parties need to experience the value of the HITRUST program. Now is the time to start working with your vendors to jointly solve this problem – every industry struggling to manage third-party vendor risk must work together to extract the most value possible.
- Follow the data: Organizations need to take data protection seriously, extending their risk assessments out to their third-party vendor supply chain. The best way to determine the population of third-party vendors on which to focus is to follow where the data goes, rather than relying only on an accounts payable (AP) or procurement system.
- Lose the questionnaire: Organizations need to ensure they are assessing risk beyond basic policies and questionnaires; they need to know that their third-party vendors’ controls are working properly.
- Contract scoping is critical: One size does not fit all; organizations need to ensure the right set of controls is in place for each third party based on the nature of the relationship with that third party. Organizations will typically negotiate with their vendors and try to reach an agreement that is reasonable and that the vendor can actually comply with.
- Assessment scoping is also critical: The service areas that are being provided by the vendor need to be HITRUST CSF Certified; some of the healthcare organizations presenting at the TPA Summit suggested working with an assessor to define the scope.
- Stay off the plane: It’s time to stop wasting money and time sending people all over the world to conduct in-person risk assessments and on-site audits when those assessments can be provided through a HITRUST CSF assessment.
- Share and share alike: Vendors are starting to say that participating in the third-party assurance process is beneficial for them in both an improved security posture and cost savings via an assess-once/report-many model. It also gives them a competitive advantage and can oftentimes secure them a seat at the vendor table that would otherwise be difficult to attain.
- Risk comes in many shapes: Third-party assessments have proven valuable for merger and acquisition (M&A) transactions as well; risk assessments are being performed before the contracts are signed.
A comment from Omar Khawaja, CISO, Information Security & Risk Management at Highmark Health, made during his panel on day 2 of the TPA summed up these points quite well: “It is disappointing to realize that we (the industry) are short on resources and are being wasteful in allocating resources to manage questionnaires and on-site assessments,” he said. “Are we spending our resources in the best way possible?”
If applied appropriately, the program brings savings, efficiencies, and an improved security posture to the forefront. To illustrate this point, Hector Rodriguez from Microsoft noted during his panel that “HITRUST gives us the ability to be more proactive; to lead with the security and compliance conversations since it is at the forefront of the conversation,” he said. “Now, we are accelerating opportunities by opening up these conversations and moving them to implementation much more quickly. Our work with TELEDOC is a prime example where they can now see a patient every 8 seconds. That’s what success looks like when two companies partner together, bringing an innovative, patient-oriented solution to market, quickly, at scale.”
Streamlining Vendor Management
Most importantly, the TPA Summit showed – or rather, continued to show – that the healthcare industry stands behind the HITRUST Third Party Assurance Program, and that the program is making a difference and being adopted across other industries very quickly. As Rodriguez said, “HITRUST is how we do what we do… not why.”
Indeed, from the vendor perspective, the HITRUST Third Party Assurance Program can help everyone get through the sales process more quickly – with fewer meetings focused on risk and security and compliance. This increased confidence in the partner and the reduction in time required to complete the pre-sales engagement benefits both sides: customers can dig down into the problems they are looking to solve, or the opportunities they want to open up; while vendors can listen and demonstrate their capabilities, and their unique value proposition.
Make no mistake: risk, security, and compliance will always be part of the conversation. However, the industry can stop ruminating over those factors in the vendor selection process as more vendors within the healthcare supply chain complete and share their HITRUST CSF assessments.
Is this real? That’s often a challenge, suggested Taylor Lehmann, CISO for Wellforce, Tufts Medical Center. “How can we get beyond the third-party assurance FUD (fear, uncertainty, and doubt) and make the conversation relevant to the CISO?” Because, after all, if the CISO (and their chief risk officer counterpart) are satisfied, everyone’s going to be satisfied.
Finding the Right Stakeholders for Streamlined Conversations
Whether at a customer site or a vendor or other service provider, it’s essential for everyone to listen – and listen more than they talk. Every healthcare organization has its unique concerns, and despite the commonality offered by the HITRUST CSF, risk is not commoditized. Indeed, said Jutta Williams from Google, “Companies should consider personalized risk scoring models that consider their unique culture and individual risk appetite.”
The answer will lie in both listening, and in leveraging a more inherent risk-assessment approach to figure out where to spend your time in assessing third-party providers, added Lehmann. Also, he recommends, “Utilize automation when appropriate.”
Lehmann explains that automation lets Wellforce scale their HITRUST program, such as by gathering evidence, posting that evidence, and making it available to auditors.
“Every organization needs to start somewhere, even if you start with a spreadsheet,” Lehmann shared. “Within a few months, you can get to a highly automated, scalable process.” This means that the sales cycles are much shorter, and conversations with business partners are simpler and more meaningful.
Advancing HITRUST Framework and Programs
The TPA Summit also offered sessions on data security and privacy law, including Europe’s new General Data Protection Regulation (GDPR). Sessions reviewed the efforts being taken by several states, such as New York and Delaware, to provide their own standardized health information exchanges, which are leveraging the HITRUST framework to standardize third-party risk assessments.
Two additional topics presented during the TPA Summit were the version 9.1 release of the HITRUST CSF and the ongoing work with the forthcoming MyCSF 2.0 program.
HITRUST CSF v9.1 embraces two essential government regulations – the European Union’s GDPR and the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500).
GDPR harmonizes data privacy laws across Europe, with the goal of protecting and empowering all EU citizens’ data privacy and of reshaping the way organizations across the region (and around the world) approach data privacy concerning EU citizens.
The 23 NYCRR 500 regulation specifies that covered entities – which include a significant number of the 3rd-, 4th-, and nth-party vendors within the healthcare supply chain – shall maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their Information Systems and the electronic health data they house.
Incorporating both of these laws is part of HITRUST’s initiative towards cross-industry expansion and internationalization of the CSF with increased support for global organizational privacy and compliance programs.
MyCSF 2.0, which is in progress, is the next generation of MyCSF incorporating new features and improved functionality designed to streamline and enhance the risk assurance process.
Included in MyCSF 2.0 will be a cleaner user interface with streamlined assessment navigation, linking of artifacts, a vendor risk management section, new analytics and dashboards, mobility, and certification verification.
Meet the Team at HIMSS 2018
HITRUST and many of its contributors are attending HIMSS 2018, coming up during the week of March 5-9 in Las Vegas. HITRUST’s Michael Parisi, VP, Assurance Strategy & Community Development, is leading a session, “Managing a Third-Party Risk Management Program.” You won’t want to miss that session! You can learn more about it here: http://www.himssconference.org/session/managing-third-party-risk-management-program.
HITRUST will also be exhibiting at the Las Vegas conference. Visit us in the Cybersecurity Command Center in the Veronese Room, Booth #29.
If you want to connect during a lunch and learn session, you can catch Michael Parisi with Microsoft’s Hector Rodriguez; you can reserve your spot here: https://enterprise.microsoft.com/en-us/trends/lunch-learns-presented-by-microsoft/.
If you’d like to schedule a meeting with us, please contact HITRUST at email@example.com.
See you in Las Vegas!