HITRUST Establishes Assessment Exchange to Modernize Vendor Risk Management Process
<< All Press Releases

Date: May 2, 2017

Leverages HITRUST CSF Assurance Program to improve efficiencies, streamline processes and free precious resources in obtaining vendor security and privacy risk assessment information

May 2, 2017—Frisco, TX: HITRUST announced today the creation of an assessment exchange to automate and streamline the process customers engage in when requesting and receiving third-party security and privacy risk assessment information from their vendors. The HITRUST Assessment Exchange replaces the inefficient, time-consuming and labor-intensive approaches often found by customers who seek to obtain risk management information from their business partners, associates and vendors.

Just as the HITRUST Third Party Assurance Program has benefited thousands of vendors and been instrumental in reducing redundant and inconsistent assessment requests, the HITRUST Assessment Exchange will benefit customers by simplifying the vendor risk management process, enabling organizations of any size, type or industry segment to effectively manage their third-party vendor risk.  This is particularly relevant in the healthcare industry where customers (or Covered Entities) are required by regulation to ensure their vendors with access to protected health information (or Business Associates) have appropriate privacy and security controls.

“Any program designed to streamline the vendor risk management process must avoid assessment shortcuts and be based on a comprehensive, transparent, scalable and broadly adopted assessment approach such as the CSF Assurance Program,” said Daniel Nutkis, CEO, HITRUST. “Until now assessment exchanges have lacked widespread acceptance, comprehensive assessment criteria, transparency and consistency, or simply haven’t supported exchanging the right level of assessment details with the company’s existing vendor risk management systems.”

The HITRUST Assessment Exchange helps customers by:

  • Streamlining and simplifying the process of managing and maintaining risk assessment and compliance information from third-party vendors
  • Offloading the administrative and time-consuming activities, including identifying the appropriate individual or function at a vendor, communicating assurance requirements and receiving status information
  • Removing the unnecessary administrative burden and related distractions for information security and procurement departments
  • Delivering a HITRUST CSF Assessment report in a format that can be consumed for review, analysis and input into existing vendor risk management systems

“Leveraging HITRUST CSF Assessments for our vendor risk management program standardized the expectations, requirements and format for obtaining information privacy and security program information from our vendors, making it much more efficient for both parties,” said Kevin Charest, DSVP and Chief Information Security Officer, Health Care Service Corporation. “We were still left with the highly inefficient task of identifying the appropriate person at each vendor organization, communicating with them, obtaining the HITRUST CSF Assessment Report and getting the information into our vendor risk management system. The HITRUST Assessment Exchange automates the entire process for us across all our vendors.”

The HITRUST Assessment Exchange also provides customers with updates on progress and allows engagement when a vendor is not appropriately meeting their requirements, allowing the customer to focus on managing risk rather than the administrative process. The HITRUST Assessment Exchange is intended to integrate with, and not replace, an organization’s existing vendor risk management system, allowing specific vendors and assessments to be assigned to the HITRUST Assessment Exchange and to receive the HITRUST CSF Assessment report in a fully consumable format – eliminating the manual posting of key assessment details. HITRUST is currently working to integrate the HITRUST Assessment Exchange with leading vendor risk management systems, such as RSA Archer and Rsam, with others being added in the future. Additionally, HITRUST will offer an online portal for those not currently using a vendor risk management system.

“We are excited to further extend our partnership with HITRUST to integrate with their HITRUST Assessment Exchange. It adds significant value to our joint customers by integrating existing CSF Assessments in the HITRUST Assessment Exchange with the Rsam VRM solution,” said Vivek Shivananda, CEO, Rsam. “Everyone in the industry benefits greatly by integrating assessments, vendor exchanges and VRM solutions, reducing significant inefficiencies, redundant work and costs from the process. Customers can not only leverage Rsam’s market-leading VRM SaaS solution, but can also integrate with and leverage thousands of HITRUST CSF assessments already completed.”

For the vendor, it streamlines and simplifies the process, as most vendors do business with multiple organizations. Given the wide adoption and success of the HITRUST CSF Assessment and HITRUST CSF Assurance Program, already covering thousands of vendor assessments and thousands more in process, vendors are ensured they can truly achieve “assess once, report many” benefits, unlike other third-party assessment approaches and exchanges.

With HITRUST’s ability to engage with a vendor on behalf of multiple organizations, it streamlines the communications and interactions for that vendor by reducing the number of organizations making similar requests and automating the process, making business engagements much more efficient.

The HITRUST Assessment Exchange integrates with the HITRUST MyCSF assessment tool and ensures the vendor is in complete control of their assessment information; information is only shared with their business partner if and when they choose to share it.

The HITRUST Assessment Exchange is priced based on the number of vendors managed for a customer through the exchange. HITRUST is currently contracting with customers and anticipates the HITRUST Assessment Exchange being operational in Q3 of this year. Any valid CSF Assessment can be made available to the HITRUST Assessment Exchange when operational later this year.

View the official press release.

About HITRUST Third Party Assurance

The HITRUST Third Party Assurance Program enables organizations to apply the HITRUST CSF Assurance Program to streamline the third-party risk management process by using a single comprehensive framework harmonizing multiple standards and best practices to support a single assessment that may be reported out in multiple ways or “assess once report many”. Using the HITRUST CSF Assurance Program for third-party risk management can result in significant reductions in the cost and level of effort. An increasing number of healthcare organizations are now requiring their business associates within the healthcare industry to obtain CSF Certification.

More information can be found at: https://hitrustalliance.net/csf-assurance/.


Founded in 2007, the HITRUST Alliance, a not for profit, was born out of the belief that information protection should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST—in collaboration with public and private healthcare technology, privacy and information security leaders—has championed programs instrumental in safeguarding health information and managing information risk while ensuring consumer confidence in the organizations that create, store or exchange their information.

HITRUST develops, maintains and provides broad access to its common risk and compliance management and de-identification frameworks, and related assessment and assurance methodologies, as well as programs supporting cyber sharing, analysis and resilience. HITRUST also leads many efforts in advocacy, awareness and education relating to information protection.

For more information, visit www.HITRUSTalliance.net.

Chat Now

This is where you can start a live chat with a member of our team