HITRUST enables organizations to implement 5 out of the 6 practices recommended to reduce third-party cyber risk
HITRUST, the information risk management, standards, and certification body, announced that the Health 3rd Party Trust Initiative (Health3PT) has approved HITRUST as the first assurance supplier supporting the Health3PT Recommended Practices & Implementation Guide. The selection of HITRUST is based on HITRUST’s alignment with Health3PT’s recommended practices for the healthcare industry to meet the challenges of Third-Party Risk Management (TPRM) for vendor cyber risk.
Founded by professionals from leading care providers, health systems, and other healthcare organizations, the Health3PT initiative was established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties and beyond.
The Health3PT Recommended Practices were created through the collaborative efforts of members of the Health3PT Council. They provide an instructional framework of actionable steps organizations can take to ensure due diligence and due care throughout the healthcare ecosystem—while improving effectiveness, reducing inefficiencies, and leading the way for standardization in TPRM.
The HITRUST assurance program is designed to efficiently meet the TPRM needs of organizations in the healthcare industry. The HITRUST e1, i1, and r2 assessments all support healthcare industry organizations seeking to collect evidence of appropriate, reliable, and consistent assurance of their vendors’ security capabilities. The recently released e1 assessment, the i1 assessment, and the long-respected r2 assessment together support the varying levels of risk across the healthcare industry.
Additionally, the HITRUST Results Distribution System (RDS) makes it easier and more efficient to collect, inspect, export, and act upon findings in a third-party information assurance report. RDS allows assessed entities to share their assessment results securely and electronically with designated relying parties who can seamlessly locate and review key aspects of the assessment results, such as date, scope, control requirements, scores, and corrective action plans, through the RDS portal or integrated into their own TPRM System via API. This eliminates the need for risk analysts to manually review assessment results and extract relevant information from PDFs, freeing resources for more strategic activities.
“The Health3PT Recommended Practices and the HITRUST assurance program together help the healthcare industry better address 3rd party cyber risk. Most notably, they help map vendor risks to the appropriate levels of assurance,” said John Houston, VP, Information Security and Privacy at UPMC and H3PT Council Member. “Ultimately, it will help healthcare industry members establish comprehensive portfolios of their 3rd parties, along with related risks and associated assurances.”
The HITRUST assurance program also provides the infrastructure and scalability required to address the complexity of healthcare and support the tens of thousands of relationships between healthcare industry companies and third-party vendors and suppliers that need to collect assurances and report, track, and manage risk.
“Health3PT is the most exciting third-party risk management initiative in healthcare today and we are honored to work with the healthcare industry leaders who are boldly tackling the vendor cyber risk challenge,” said Robert Brooker, Chief Strategy Officer, Exec VP Center of Excellence, HITRUST. “The group has wasted no time in producing effective deliverables that will help protect the nation’s healthcare ecosystem against the cybersecurity supply chain attacks that continue to increase unabated.”
HITRUST enables organizations to implement practices two through six of the six recommendations presented in the guide. The practices ratified by Health3PT include:
1. Concise contract language tying financial terms to a vendor’s transparency, assurance, and collaboration on security matters
2. Risk tiering strategy that drives frequency of reviews, extent of due diligence, and urgency of remediation
3. Appropriate, reliable, and consistent assurances about the vendors’ security capabilities
4. Follow-up through to closure of identified gaps and corrective action plans (CAPS)
5. Recurring updates of assurance of the vendors’ security capabilities
6. Metrics and reporting on organization-wide vendor risks
The Health3PT guidance and the HITRUST assurance program together provide the capabilities and efficiency to solve the vendor cyber risk problem in healthcare. Organizations can leverage the combined guidance and programs at any stage in their journey and begin mapping their vendor risk to the appropriate levels of assurance. This puts organizations on a path of progressive steps through a traversable portfolio that matures alongside them and provides transparent, consistent, and reliable assurances.
To join the Health3PT initiative and for more details visit Health3PT.org