Written by HITRUST Independent Security Journalist Sean Martin.
Healthcare organizations must regularly assess their vendors in order to understand their adherence to privacy and security practices. Without that knowledge, they can’t determine risk, and without determining risk, they can’t manage that risk, let alone ensure their own compliance with industry regulations. That’s where the HITRUST CSF Assurance program comes in, helping organizations manage those assessments with standardized templates and tools.
At the same time, vendors and business associates serving those healthcare companies need to document their privacy and security practices in order to facilitate those assessments. That’s where the HITRUST CSF Third-Party Assurance program has a role to play, making it easy for vendors to supply relevant information to their customers and prospective customers in an efficient, consistent manner.
To get a sense of how well these two programs are working, HITRUST recently surveyed healthcare organizations and their business partners about the value of these two assurance programs. You can read the full report here.
Here are a few of the highlights:
- Healthcare organizations are justifiably concerned about letting business partners access their environment, including the network, applications and data. Although partners sign nondisclosure and business associate agreements, signatures can only go so far and security is only as good as its weakest link – the industry clearly recognizes that third parties cannot be that weakest link.
- Survey respondents said that the HITRUST programs help strengthen their security posture in today’s fast-evolving environment: “HITRUST evolves to meet the changing landscape.”
- A challenge for vendors is the lack of consistency in customer assessment reporting requirements, which means that assessments often have to be laboriously researched and written from scratch – for each and every partner. That problem is addressed by HITRUST CSF, which provides a common template for risk assessments. If customers can accept one comprehensive standard, the industry can devote fewer resources to compliance reporting, allocating those resources to what really matters – providing better healthcare.
- Another concern and frustration for vendors: a lack of realism in their customers’ requirements, which means that the vendor is attempting to demonstrate compliance with nonsensical issues that don’t reflect real-world threats against the customers’ assets.
- The HITRUST CSF programs reduce cost, and sometimes in unexpected ways. For example, one respondent cited using its HITRUST CSF assessment as a useful document when applying for their cyber-security insurance policy.
- The HITRUST CSF Assessments provide universal concepts and vocabulary that can be shared with a company’s employees — helping them talk about, understand and build security into their daily tasks with intelligence and understanding as opposed to rote response.
- Respondents agree that the “network effect” will continue to enhance the value of the HITRUST CSF programs – the more healthcare organizations and business partners, the greater the benefit to the entire industry. HITRUST was encouraged to do “more marketing, more evangelism, more promotion to help tell the story.”
- Finally, it was clear that the HITRUST CSF Third-Party Assurance program reduces the burden on suppliers, rather than adding to it. Vendors were urged to adopt the CSF framework in a practical manner consistent with the range of services a company provides, being mindful of the varied industries that suppliers may serve.
The August 2016 report, “The HITRUST CSF Assurance and Third-Party Assurance Programs: Delivering Confidence, Managing Risk, Inspiring Excellence in Healthcare IT,” may be downloaded from here.