By Dr. Kevin Charest, Executive Vice President and Chief Technology Officer, HITRUST
For many organizations, the explosion in information security threats is increasing focus on Third-Party Risk Management. That’s why more and more customers are asking suppliers for assurances regarding their information protection programs. In addition, they want results that are easier to review and consume.
Current Limitations in Exchanging Assurances
What should be a fairly simple assurance sharing process can actually be quite complicated. Currently, sharing assessment results is primarily handled manually using spreadsheets, Word documents, PDFs, and the like. Trying to review and analyze this type of unstructured data is extremely labor-intensive. In many cases, the assessed entity has locked down the PDF file to ensure document integrity, which further restricts the relying party’s ability to find and mine the information they need. In this traditional model, the vendor typically gets their assessment report in a massive PDF file, which they may try to review or simply forward as an attachment to the relying party who requests it. On the relying party side, someone has to scroll through that large report file trying to find the information they need. Oftentimes this leads to an inability to find information and efficiently analyze results, which in turn forces several follow-up questions that require extensive back-and-forth communications. All of these steps are tedious and time-consuming, making this a highly inefficient approach.
HITRUST Results Distribution System (RDS) Streamlines the Process
Scheduled for availability in May 2022, the new HITRUST Results Distribution System offers an efficient and effective way to dramatically simplify assurance sharing and consumption. The RDS is designed to remove the burden of managing results by responding to assurance requests more easily. It gives an assessed entity the ability to distribute assessment results to multiple entities in their customer base through a highly secure and automated online portal.
From the relying party perspective, they get results electronically through the RDS web portal. Recipients can customize dashboards to view the results that interest them most, including the type of HITRUST Assessment, scope, aggregate scores, Corrective Action Plans (CAPs), and specific control scores. In addition, recipients can configure dashboards to display results across multiple assessments in a manner consistent with their preferred format.
RDS Adds Efficiency, Automation, and Better Decision-Making
RDS allows assessed entities to respond faster and more cost-efficiently by sharing assurances electronically, enabling relying parties to unlock intelligence and analytics. This can translate to significant time savings for both parties, and in many cases allows an analytical view of an organization’s third-party risk that simply isn’t possible using traditional methods.
At-A-Glance RDS Benefits
- Enables electronic delivery of assessment results to specific individuals or organizations via portal or API
- Enables portal recipients to set alerts based on various assessment attributes
- Enables portal recipients to set up customized views and dashboards
- Reduces the inefficiencies in the current approaches to assessment result sharing and consuming
In addition, by using RDS, relying parties have the ability to drill down to see who is scoring normally, who is showing the most risk, and other automated functionality such as alerts that identify vendors falling below certain scoring thresholds. They can also view the vendor’s CAPs and gaps, Letter of Certification, or both. In 2022, HITRUST plans to enrich RDS data analytics with capabilities such as the ability to search, group, and aggregate HITRUST assessment results. In addition, HITRUST will be partnering with key GRC and VRM vendors to facilitate additional API integration. Ultimately, RDS will allow for the conversion of assurance information into structured quantitative data that will help manage supply chain risk overall, as well as providing in-depth analysis of the results of one or more vendors.
RDS and HITRUST Innovation
HITRUST has performed hundreds of thousands of InfoSec assessments over the years, and it is this deep understanding that drove RDS development to enhance connectivity between the assessed entity and their relying parties. Future plans around enhanced data analytics and an enriched API ecosystem will facilitate pushing assurance information directly into Vendor Risk Management (VRM) and Governance Risk Compliance (GRC) systems. This unique end-to-end approach delivers major innovation and value we don’t believe anyone else in the marketplace now offers.
Combining the HITRUST Enhanced Assessment Portfolio with RDS
The expanded HITRUST Assessment portfolio, which will include the HITRUST Basic Current State (bC) Assessment and the HITRUST Implemented 1-Year (i1) Assessment when low- or moderate-level assurances are warranted, aims to bring the highest levels of Rely-Ability™ across all levels of information protection assurances. Since every HITRUST Assessment can be shared using RDS, assessed entities and relying parties of all sizes can benefit from the HITRUST assurance program to address their business needs.
About the Author
Kevin Charest, Executive Vice President & Chief Technology Officer, HITRUST
Dr. Kevin Charest serves as Executive Vice President and Chief Technology Officer (CTO) for HITRUST. Kevin is responsible for all aspects of agile development, IT operations, information security, and engineering. He comes to HITRUST from Health Care Service Corporation where he served as Chief Information Security Officer (CISO) and Head of IT Infrastructure. Prior to that he served as the VP, IT Security and Cyber Defense Operations for UnitedHealth Group. Kevin also led the Information Security Office for the Department of Health and Human Services (HHS) as the CISO and was directly responsible for the HHS cybersecurity technology portfolio.
Dr. Charest holds a PhD in Cybersecurity from Capella University. He also holds a Master’s Degree in Business Administration from the University of West Georgia and a Bachelor’s Degree in Computer Science from the University of Central Arkansas. He is a veteran of the United States Marine Corps and the U.S. Army.