HITRUST Business Associate Council Receives 2017 CSO50 Award for IDG’s CSO
<< All Press Releases

Date: December 8, 2016

FRISCO, Texas – December 8, 2016: The Health Information Trust Alliance (HITRUST) announced today that the HITRUST Business Associate Council has been named an honoree of a 2017 CSO50 Award from IDG’s CSO. This prestigious honor is bestowed upon a select group of organizations that have demonstrated that their security initiatives have created outstanding business value and thought leadership for their companies. The HITRUST Business Associate Council will accept its award at the CSO50 Conference + Awards held on May 1-3, 2017, at the Scottsdale Resort at McCormick Ranch, Scottsdale, Arizona.

Responding to concerns within the industry on how best to balance customer or Covered Entities (CE) requirements to comprehensively evaluate the effectiveness of their vendors or business associates (BA) security controls and programs, while in a manner that is efficient and effective for the BAs and vendors, leaders from some of the nation’s largest healthcare organizations and the vendor community collaborated to launch the HITRUST Business Associate (BA) Council. The HITRUST Business Associate Council is comprised of five healthcare organizations and 17 vendors serving the healthcare industry.

These collaborators listen to each other’s requirements and concerns, seeking an approach mutually acceptable to customers and vendors. The innovative approach can scale up and down as well as across healthcare organizations and vendors regardless of size and maturity, leveraging the HITRUST Common Security Framework (CSF) Assurance Program. This initiative provides the leadership needed to drive widespread adoption by thousands of BA organizations and advance practices for measuring and mitigating cybersecurity risk, gaining operational efficiencies, and raising consumer confidence.

“Healthcare organizations rely upon a tremendous number of third-party vendors who have access to the organization’s network and sensitive data, representing an opportunity to improve customer outcomes and lower costs, as well as a potential risk to the healthcare organization’s ability to ensure security, privacy and compliance. Effectively assessing the security posture and managing risk across this supply chain is prohibitively expensive to scale,” said Omar Khawaja, Vice President and Chief Information Security Officer, Highmark Health and HITRUST Business Associate Council Member.

“We are thrilled to see the real-world benefits of our mission to inspire excellence in healthcare IT by driving innovation throughout the third-party vendor supply chain,” said Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, Anthem and HITRUST Business Associate Council Member.

“It’s not that often that we engage in efforts that enhance our information security posture, reduce costs and simplify the process on our partners,” said Kevin Charest, DSVP and CISO, HCSC and HITRUST Business Associate Council Member. “The HITRUST third-party assurance program is one such effort because of the work on the Business Associate Council.”

“Instead of taking the traditional approach of ‘dictating’ to BAs, the HITRUST Business Associate Council asked representatives from across the health care continuum to voluntarily participate in the council, giving BAs a voice for the first time to develop an approach that would meet their needs,” said Hector Rodriguez, MBA, Microsoft and HITRUST Business Associate Council Member.

“Business Associates serving the healthcare industry have anywhere from a few to thousands of clients, creating an extremely intricate, multi-dimensional supply chain where the demands of client third-party risk management programs can easily become overwhelming to medium- and small-size organizations. The HITRUST Business Associate Council is incredibly valuable because BA organizations like PDHI get equal time at the table. In addition to streamlining the assessment process, we also gain the added benefit of demonstrating to clients and insurance companies that we are managing risk effectively. There is no other security framework or industry where you can find this same level of buy-in and cross-participation,” said Lee Penn, Chief Financial Officer and Chief Compliance Officer, PDHI and HITRUST Business Associate Council Member.

“As a collaborative leadership effort, this is a ground-breaking effort for the healthcare industry – and a model for other industries as well,” said Daniel Nutkis, CEO, HITRUST.

“The stakes have never been higher when it comes to protecting an organization’s sensitive data from criminals and breach,” said Joan Godchild, editor-in-chief of CSO. “Security leaders are expected to not only deliver protection, but also to drive business initiatives. Our annual CSO50 awards recognize security projects that not only enhance defense, but that also deliver ROI.”

Tweet this news @CSOonline and #CSO50.

About the CSO50 Awards

Launched in 2013, the CSO50 Awards recognizes 50 organizations for security projects and initiatives that demonstrate outstanding business value and thought leadership. The CSO50 Awards are scored according to a uniform set of criteria by a panel of judges that includes security leaders, industry experts, and academics. Awards will be presented at the CSO50 Conference + Awards.

About CSO

CSO is the premier content and community resource for security decision-makers leading “business risk management” efforts within their organization. For more than a decade, CSO’s award-winning web site (CSOonline.com), executive conferences, strategic marketing services and research have equipped security decision-makers to mitigate both IT and corporate/physical risk for their organizations and provided opportunities for security vendors looking to reach this audience. To assist CSOs in educating their organizations’ employees on corporate and personal security practices, CSO also produces the quarterly newsletter Security Smart. CSO is published by IDG Enterprise, a subsidiary of IDG. Company information is available at www.idgenterprise.com.


Founded in 2007, the Health Information Trust Alliance (HITRUST) was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST—in collaboration with public and private healthcare technology, privacy and information security leaders—has championed programs instrumental in safeguarding health information systems and exchanges while ensuring consumer confidence in their use.

HITRUST programs include the establishment of a common risk and compliance management framework (CSF); an assessment and assurance methodology; educational and career development; advocacy and awareness; and a federally recognized cyber Information Sharing and Analysis Organization (ISAO) and supporting initiatives. Over 84 percent of hospitals and health plans, as well as many other healthcare organizations and business associates, use the CSF, making it the most widely adopted security framework in the industry. For more information, visit www.HITRUSTalliance.net.

The official press release can be viewed here.

Chat Now

This is where you can start a live chat with a member of our team