Third-Party Risk Management
Confidently manage cybersecurity TPRM
In today’s interconnected business landscape, vendor vulnerabilities account for over 50% of all data breaches - and data show those breaches cost organizations more than any others. With cyber threats increasing and supply chains growing more complex, organizations must address third-party risks with a robust, streamlined strategy. HITRUST stands as the gold standard in Third-Party Risk Management (TPRM), equipping organizations to tackle these challenges with confidence, efficiency, and scalability.
Why put HITRUST at the center of your TPRM strategy?
The only proven, effective solution for managing cyber risk
- Comprehensive Assurance Framework - HITRUST’s CSF® harmonizes over 50 leading standards and regulations—including ISO/IEC, GDPR, and NIST—ensuring comprehensive, adaptable cybersecurity coverage.
- Streamlined Vendor Management - Through the HITRUST Assessment XChange™, organizations automate vendor risk workflows, centralize reporting, and ensure consistent application of risk assessments, saving time and resources.
- Tailored Risk Management - HITRUST offers a full portfolio of assessments and certifications, including e1, i1, and r2, as well as AI Risk Management Assessments and the AI Assessment and Certification. This allows organizations to address varying risk profiles across all industries, from foundational security hygiene to complex, tailored assessments.
- Proven Protection - Fewer than 1% of HITRUST certified environments experienced a breach in 2022-2023, compared to double-digit industry averages, showcasing its unparalleled effectiveness.
- Cyber Threat-Adaptive Solutions - The HITRUST Assurance Intelligence Engine incorporates the latest threat intelligence, adapting frameworks to mitigate both current and emerging risks.
Integration with ServiceNow streamlines your TPRM program
HITRUST is now available on the ServiceNow platform, enabling seamless integration with existing workflows to automate and scale vendor risk management. This provides organizations with unmatched flexibility and efficiency, with future integrations planned for other leading Governance, Risk, and Compliance (GRC) platforms.
HITRUST Assessment XChange™
To help larger organizations meet their third-party risk management goals, HITRUST offers the HITRUST Assessment XChange managed services, providing a full range of support that can augment existing third-party risk management programs.
HITRUST announces last mile integrations with leading TPRM platforms
FRISCO, Texas, October 3, 2024
HITRUST, the leader in information risk management, security, and compliance assurances, today announces enhancements to the HITRUST Assessment XChange, its comprehensive third-party risk management (TPRM) solution, overcoming legacy challenges and making TPRM practical and effective for organizations across all industries. In addition, HITRUST is announcing integrations with leading TPRM solution platforms to address the current “last mile” challenge of capturing and consuming detailed assurance information and performing population risk analysis.
HITRUST Assessment XChange enablement and integration with leading TPRM platforms operationalizes HITRUST’s broad assurance portfolio, the Results Distribution System, and the other components of HITRUST’s portfolio for more effective and efficient risk management of vendors and partners. Pre-built, streamlined workflows enable end-to-end third-party risk management, from initial evaluation, to vendor engagement, through assignment and completion of assurances, to results ingestion and analysis. The total solution enables TPRM programs to significantly improve their information security risk capabilities while reducing time, costs, and complexity.
Managing third-party risk, more specifically information security risk, has long been a critical, yet challenging task for organizations across industries. Data breaches and ransomware incidents stemming from third-party vulnerabilities have caused significant financial losses and eroded trust. Despite the increasing focus on this area, current approaches have been inefficient, impractical, and cost-prohibitive — limiting effectiveness while leaving many organizations vulnerable.
“HITRUST has been working for years to support organizations and their TPRM challenges,” said Robert Booker, Chief Strategy Officer at HITRUST. “The lifecycle that organizations manage for hundreds of third-party suppliers is complex and the outcomes to secure those relationships are essential to the integrity of the services they deliver. We have now reached a significant milestone with the components in place to make third-party risk management not only practical but comprehensive and effective.”
A Comprehensive Solution Built on Industry-Leading Assurances
The HITRUST solution addresses key TPRM functions while offloading the complexities and seamlessly bringing together key components previously not available or not capable of being integrated into a single solution. HITRUST’s TPRM solution is the culmination of many years of development, designed to address the gaps in existing and traditional methods, such as assessments with limited assurance, incomplete control selection, need for gap self-assessments and questionnaires, and non-existent third-party population risk analysis and engagement. Unlike these outdated and limited approaches, HITRUST’s solution provides:
Comprehensive Framework with Threat-Adaptive Controls: HITRUST’s continuously updated framework adapts to current and emerging cyber threats, eliminating the need for custom questionnaires and ensuring the controls maintain relevance to emerging cyber threats.
Multiple Assessment Options: A broad portfolio of assessments covering third-party suppliers with different levels of inherent risk all delivered through a portfolio of low, medium, and high assurance levels for information security in addition to the recently announced AI assessments.
Streamlined Results Delivery: Organizations’ TPRM solutions can electronically receive validated assessment results, enabling faster, more efficient consumption and risk analysis, with real-time updates of status, progress, and remediation activities through seamless integration with the HITRUST Results Distribution System.
End-to-End Security Risk Management: Enabled by integration between the HITRUST Assessment XChange and key TPRM solutions, organizations can gain access to comprehensive management of the vendor information risk process, from initial onboarding to the evaluation and management of conformity and corrective action plans. The platform supports functions such as guided setup and configuration, assignment of appropriate assessments, digital receipt of summary and detailed assessment results, regular renewals and re-assessments based on vendor changes, management reporting, and detailed third-party population analysis at the control specification level. It efficiently manages these processes across vast vendor populations, ensuring appropriate rigor and assurance at every step.
Staff Augmentation: Managed and integrated services are available from the HITRUST Assessment XChange to support vendor engagement, outreach, education, and assessment. These optional services are available to complement internal governance efforts.
Industry Adoption and Next Steps
Healthcare, finance, and other industries are already benefiting from HITRUST’s offerings that support TPRM, but the additional services in the HITRUST Assessment XChange and integration with TPRM solutions will take risk management to the next level by providing unprecedented visibility into vendors’ information risk.
“Existing approaches to third-party risk management, such as relying on spreadsheets or limited control sets or assurance assessments, have proven insufficient to manage risk. HITRUST now delivers a complete solution that includes a broad portfolio of assessment options that maintain control relevance coupled with a proven effective assurance model to effectively address third-party information risk,” said Erika Del Giudice, IT Assurance Services Principal at Crowe LLP. “With the addition of its ServiceNow and other integrations, HITRUST now offers a complete solution that is not only powerful but also practical for organizations to employ.”
First Planned Integration: ServiceNow Third-Party Risk Management (TPRM)
As part of this strategic expansion, HITRUST today announced that the first planned integration of the HITRUST Assessment XChange is with ServiceNow’s Third-Party Risk Management (TPRM) solution, operationalizing HITRUST’s TPRM portfolio and methodology within a single pane of glass.
The joint effort enables customers to harness the power of the Now Platform while enjoying the full benefits of HITRUST’s comprehensive information security and risk management capabilities.
ServiceNow’s expansive partner ecosystem and partner program is critical in supporting the $275 billion forecasted market opportunity through 2026 for the Now Platform. The ServiceNow Partner Program recognizes and rewards partners for their varied expertise and experience to drive opportunities, open new markets, and help customers transform their business across the enterprise.
HITRUST is a ServiceNow Registered Build Partner, and the certified integration enables HITRUST to create better experiences, drive value for customers, and enable organizations. The integration is expected to be available in the ServiceNow Store by the end of 2024.
Accepting Applications for ServiceNow Private Preview
HITRUST is currently accepting applications for participation in the private preview program and expects general availability of the certified ServiceNow integration by the end of 2024, with additional GRC and TPRM platform integrations prioritized for 2025 and beyond. Attendees at HITRUST Collaborate have the first opportunity to see the tool and learn about its features and functionality.
To apply for the private preview program, go to: https://info.hitrustalliance.net/preview/
HITRUST Achieves Major Milestone with Availability of Solution Making it Practical to Manage Third-Party (Information Security) Risk
The digital transformation of healthcare has unlocked incredible opportunities to improve patient care and operational efficiency. However, it has also exposed a critical flaw in how third-party risk management (TPRM) is done across the industry.
As digital health technologies proliferate, so do the challenges for security teams tasked with vetting vendors. The traditional questionnaire-based vendor assessment model was long considered the gold standard for due diligence, but it is struggling to keep pace with the volume and complexity of today’s supply chains.
The chokepoint in the procurement process
Healthcare organizations rely on a vast ecosystem of vendors to power everything from telemedicine platforms to electronic health records. But with great reliance comes great responsibility: these vendors must be thoroughly vetted to ensure they won’t introduce vulnerabilities into the organization.
The sheer volume of vendors is overwhelming security teams. Requests for security due diligence assessments are coming in faster than they can be completed, creating a backlog that frustrates internal business owners waiting to onboard critical technologies.
This bottleneck not only slows innovation but also prevents teams from reassessing critical vendors as their technology evolves and threats change.
The vendor's perspective: A broken model
The challenges aren’t limited to healthcare providers. Vendors in the supply chain are equally overwhelmed by the inefficiencies of the current system. Every prospective customer requires some form of security due diligence, and there’s no industry-wide standardization.
Vendors often face:
- Inconsistent questionnaires: Each customer has unique expectations, making it impossible to standardize responses.
- Moving goalposts: Security requirements vary widely across healthcare entities, leading to confusion and delays.
- Resource constraints: Vendors with finite security teams struggle to keep up with the growing volume of audits, leaving customers dissatisfied and deals unfinished.
The result is a broken system that delays procurement, frustrates both parties, and introduces unnecessary risk.
Reassessments: The forgotten priority
Adding to the complexity is the need to reassess critical vendors over time. Technology and threats evolve rapidly, and a vendor’s security posture today might not be the same six months from now. However, most security teams are so bogged down with initial assessments that they don’t focus on reassessments. This creates a dangerous gap in visibility and increases the likelihood of vulnerabilities slipping through the cracks.
How do we fix it?
If the traditional TPRM model is broken, how can we rebuild it? Here are a few key strategies.
1. Automate where possible
Leverage tools and platforms that automate aspects of vendor assessments, such as real-time monitoring of security postures, to reduce reliance on static questionnaires.
2. Adopt industry standards
HITRUST, with its risk- and threat-based approaches to security and compliance, provides a framework that can alleviate many of these challenges. Healthcare organizations and vendors can reduce inefficiencies and build a more robust TPRM program by leveraging HITRUST as a standardized assessment mechanism.
3. Join industry collaborators
The Health 3rd Party Trust (Health3PT) Initiative is a proactive group committed to reducing third-party information security risk with more reliable and efficient assurances. It has been established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties.
4. Implement continuous monitoring
Use continuous monitoring to track vendors’ security practices over time instead of relying solely on one-time assessments. This approach ensures risks are identified and addressed as they arise.
5. Enhance collaboration
Foster open communication between vendors and healthcare organizations to set clear expectations and establish mutual trust.
The path forward
Vendor risk management is at a breaking point in healthcare, but it doesn’t have to stay that way. We can reduce the burden on security teams and vendors alike by embracing automation, standardization, and continuous monitoring. Most importantly, we can create a TPRM program that balances efficiency with the need for robust security, ensuring that healthcare organizations can innovate safely while protecting patient data and trust.
The time for change is now. Let’s stop letting TPRM be a chokepoint and start using it as a competitive advantage.
From Overwhelmed to Streamlined: Simplifying Healthcare TPRM
Due diligence and security questionnaires have become staples of the vendor risk assessment process for third-party risk management (TPRM). However, as the cybersecurity landscape evolves, our tools must evolve, too. Due diligence questionnaires remain a necessary component but the overreliance on static security questionnaires has become a barrier to effective risk management.
The value of due diligence questionnaires
Due diligence questionnaires are designed to answer critical, relationship-specific questions.
- Scope of engagement: What data, systems, or services will the third party access?
- Compliance requirements: Are specific legal, regulatory, or contractual obligations tied to this relationship?
- Business impact: What is the potential operational or reputational risk if this third party is compromised?
These questions go beyond generic cybersecurity concerns, focusing on the unique aspects of the partnership. They help organizations understand the relationship and ensure that appropriate safeguards align with its specifics. Due diligence questionnaires are a necessary foundation for establishing trust and setting expectations.
The problem with security questionnaires
Security questionnaires often fall short. These standardized forms ask third parties to provide detailed information about their cybersecurity practices.
- How do they handle encryption?
- Have they had recent audits?
- What are their incident response protocols?
While these are important topics, the format of traditional questionnaires introduces several issues.
1. Static and stale data
Security questionnaires provide a snapshot in time that quickly becomes outdated. A vendor might submit a completed questionnaire today, but their environment, controls, or threat landscape could change tomorrow.
2. Lack of context
These forms are often disconnected from the specifics of the relationship. For example, knowing that a vendor uses encryption is less relevant if the relationship doesn’t involve handling sensitive data.
3. Inefficiency
Completing and reviewing lengthy questionnaires is time-consuming for both parties, creating bottlenecks that slow down procurement and vendor risk assessments.
4. Checkbox mentality
Organizations may treat completed questionnaires as a substitute for meaningful engagement, creating a false sense of security without truly understanding the risks.
5. Expertise of analysts
Questionnaires are typically developed by the staff at the requesting organization. The staff may lack the expertise to evaluate control selection or even the ability to interpret the results/responses to the questions.
A better approach to TPRM
To move forward, organizations must reimagine the role of questionnaires in TPRM.
1. Use due diligence for context
Focus on due diligence to capture relationship-specific insights. These questions matter most for tailoring your risk management approach to the specific vendor or partner.
2. Replace static questionnaires with dynamic assessments
Instead of relying on static forms, leverage real-time threat intelligence, continuous monitoring, and assessments that incorporate threat data into the control selection to understand a vendor’s security posture.
3. Focus on collaboration, not compliance
Engage with third parties to address risks collaboratively. Move beyond filling out forms to having meaningful discussions about risks, mitigations, and shared goals.
4. Streamline where possible
Adopt frameworks and framework bodies that actively collaborate on reciprocity to reduce redundancy and streamline the process for vendors managing multiple client requests.
The bottom line
Due diligence questionnaires remain a vital part of TPRM because they provide relationship-specific details needed to assess and manage risks effectively. Security questionnaires, however, need a modern overhaul. By transitioning from static, checklist-driven approaches to dynamic, real-time methods, organizations can focus on what truly matters: building resilient partnerships that mitigate risks and enable business growth.
It’s time to retire the outdated questionnaire model and embrace a more effective, efficient, and adaptive approach to TPRM. After all, managing third-party risks isn’t about ticking boxes — it’s about protecting your organization in an interconnected world.
Why Due Diligence Questionnaires Are Essential, but Security Questionnaires Need a Rethink
How often do you rely on a third-party vendor to conduct a business function? Every day or, perhaps, every hour?
Third-party vendors are an integral part of a business. Organizations rely on them for many services, from processing payments to providing hardware and automating operations. If your organization is growing, your number of vendors is growing, too.
But have you considered that this also increases your data exposure?
Third-party vendors increase cyber risks
Your risk amplifies as more and more third parties access your systems and data. These vendors use your sensitive data to perform critical business functions. However, if any of these vendors is breached, attackers can gain direct access to your business data and misuse information about your customers and employees.
So, how do you ensure your vendors have strong security programs before giving them access to sensitive data?
Third-party risk assessment is crucial to identifying the strengths and weaknesses of your vendors’ security programs. Traditionally, organizations have used multiple tools and tactics to evaluate third-party risks. But these tactics are far from effective.
Cybersecurity questionnaires have been one of the most popular tactics. Questionnaires are tedious and unreliable. They consume a lot of staff hours, keeping your teams from focusing on more critical tasks. If your teams send out questionnaires, they spend hundreds of hours coordinating with vendors, evaluating answers, and following up on incomplete responses. Furthermore, there is no reliable way to verify the information vendors provide in the questionnaires.
Organizations need a better third-party risk management (TPRM) program, and that’s why they choose HITRUST.
HITRUST helps organizations demonstrate trust
HITRUST offers reliable assurances that are based on its framework, HITRUST CSF. The HITRUST CSF harmonizes best practices from more than 50 authoritative sources. It is widely accepted and transparent as it allows you to verify the sources of the controls. The cyber threat-adaptive HITRUST CSF is updated regularly to help you protect against upcoming threats.
Not all your vendors need to undergo the comprehensive HITRUST r2 assessment. Based on their needs, size, and risk profiles, HITRUST offers different assessment options. The HITRUST e1 is suited for small vendors or those with limited inherent risks. It also serves as the ideal option for vendors looking to demonstrate a milestone on their journey to a more robust certification. HITRUST i1 is best for mid-level vendors looking for an assessment between the basic e1 and the extensive r2.
HITRUST makes vendor risk management efficient
HITRUST offers additional solutions to make vendor risk management efficient. The HITRUST Assessment XChange coordinates with vendors to track assessments and Corrective Action Plans (CAPs) so you don’t have to worry about exchanging hundreds of emails and phone calls. It helps your vendors understand expectations and maintain the right level of certifications.
The HITRUST Results Distribution System (RDS) makes exchanging results easier and more secure. It helps you manage multiple third-party vendors simultaneously and analyze their results accurately.
Organizations Achieve TPRM Success with HITRUST
- Ryan Patrick, VP of Adoption, HITRUST
Third-Party Risk Management (TPRM) is supposed to be the bedrock of securing organizations from the risks posed by external vendors and business partners, but the current system is fundamentally broken. This becomes painfully clear when we examine three of the most critical pain points: the low quality and variability of SOC 2 reports, the inefficiency of questionnaires, and the lack of reciprocity between governing bodies.
SOC 2 Reports: A Quality Crisis
SOC 2 reports are often regarded as the “go-to” standard for assessing the security controls of third-party vendors because of their wide adoption across all industries. Yet the quality and reliability of these reports can vary dramatically. Some SOC 2s are meticulously detailed and provide actionable insights into a vendor's security posture. Many others, however, are shallow, missing critical information, or, worse, rely on outdated practices that no longer align with today's threat landscape. The control selection is entirely up to the organization being assessed. Furthermore, there is a race to the bottom, with “SOC in a box” firms pencil-whipping reports at the lowest possible cost. The variability of these reports erodes trust.
What is the point of asking for a SOC 2 if you can’t guarantee a consistent standard? SOC 2 reports will remain an unreliable cornerstone in TPRM until there is a way to enforce more uniform, higher-quality reporting.
The Questionnaire Bottleneck
The next pain point is the inefficiency of vendor questionnaires. In theory, these should help organizations get a clearer understanding of a vendor’s security practices. In reality, they’ve become a bureaucratic nightmare. Security questionnaires are often long, repetitive, and rarely tailored to the specific risks posed by a particular vendor. Worse yet, vendors receive dozens, sometimes hundreds, of these questionnaires, leading to inconsistent or hurried responses. It’s not uncommon for vendors to send recycled answers that don’t address the nuances of the questions asked. This "checkbox" approach is inefficient for both sides and doesn’t provide the insight to make informed risk decisions.
It’s even more troubling that the organizations requesting the security questionnaires often lack the time, expertise, or resources to assess the answers they receive thoroughly. Most companies don't have dedicated teams or the specialized knowledge required to interpret the responses and probe deeper into potential vulnerabilities. As a result, the due diligence process often becomes superficial, with organizations relying on incomplete or misunderstood information. Organizations may unwittingly expose themselves to greater vulnerabilities instead of truly mitigating risk.
Reciprocity Between Governing Bodies: A Missing Link
One of the biggest systemic failures in TPRM is the lack of reciprocity between governing bodies and frameworks. We have SOC 2, ISO 27001, NIST, and a host of other frameworks, all serving slightly different functions but ultimately aiming at the same goal: reducing risk. However, organizations are forced to undergo multiple, redundant audits and assessments as there’s little reciprocity between these frameworks. Vendors end up in a web of overlapping requirements, increasing the time and cost of compliance without adding meaningful value to security. The industry needs a system of mutual recognition, where frameworks work together to streamline the risk management process, creating a unified standard that works across sectors and regions.
A Call for Change
TPRM is in dire need of reform. Although SOC 2s serve a specific purpose within an organization, they were not designed for TPRM and should not be used for this purpose. Questionnaires must become more focused on the relationship between the two organizations and should stop there. Relying on industry-recognized, risk-based assessments and certifications and getting rid of security questionnaires leads to streamlined processes and reduced risk profiles. Finally, there must be reciprocity and collaboration between governing bodies to eliminate redundant processes and create a more efficient, effective approach to managing third-party risks.
The current system is broken, but with concerted efforts from industry leaders, governing bodies, and security professionals, we can rebuild TPRM into a process that truly protects organizations without wasting time or resources.
The Broken State: Time for a Revolution in Third-Party Risk Management
Organizations live and operate in an interconnected business environment. The security of your organization is not solely dependent on your internal measures. Every vendor you engage with can either bolster your defenses or expose you to significant risks. The potential consequences of a vendor-related security breach can be devastating, impacting not only your organization but also your customers. This is why it is imperative to have an effective vendor risk assessment plan.
Act before it’s too late
Vendor risk evaluation is a crucial aspect of a robust security strategy. When even one vendor is compromised, the ripple effects can lead to data breaches, financial losses, and reputational damages. The attack surface expands as businesses increasingly rely on third-party services, making it vital to understand and mitigate these risks early on before they become vulnerabilities.
Stay ahead of emerging threats
HITRUST offers robust solutions to identify and address security gaps for efficient vendor risk assessment. The HITRUST framework stands out due to its cyber threat-adaptive nature. It harmonizes best practices from more than 50 standards, frameworks, and regulations to address all 19 domains of security and risk management.
The HITRUST CSF is a universal, living framework, unlike most compliance frameworks that are updated every three to four years. It is continuously updated and published regularly for constant cyber threat management.
HITRUST uses threat intelligence data to identify new threats and mitigate them. HITRUST’s proactive approach ensures that your organization and its vendors are assessed against the latest cyber threats, offering optimal risk management. HITRUST enables businesses to be proactive rather than reactive, providing a significant advantage in the ever-evolving threat landscape.
Leverage HITRUST assessments for diverse needs
HITRUST understands that one size does not fit all. You may be working with a vendor that’s a newbie in the business and another one that’s a veteran. HITRUST offers three distinct assessment options — e1, i1, and r2 — catering to organizations of different sizes, needs, and risk profiles.
e1 is best suited for vendors that are new or small, possess limited risks, or are looking to achieve a milestone on their journey to a more robust certification. r2 is HITRUST’s most comprehensive security certification perfect for vendors that need to establish the highest level of trust. i1 serves as the ideal bridge between e1 and r2 for service providers with medium risk profiles. Vendors can also move from one assessment type to the other without losing previous work.
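The tiering described in this section, and the reassessment gap discussed in the earlier post (“Reassessments: The forgotten priority”), can be turned into a triage routine a TPRM team runs over its vendor inventory. The Python below is an added example, not HITRUST’s own code or tooling. The inherent-risk weights, the score thresholds that map a vendor to an e1, i1 or r2 recommendation, and the reassessment cadences are assumptions chosen for illustration, not HITRUST’s published criteria; the vendor records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed inherent-risk factors (illustrative weights, not HITRUST criteria).
DATA_WEIGHTS = {"public": 0, "internal": 1, "pii": 3, "phi": 4, "payment": 4}
ACCESS_WEIGHTS = {"none": 0, "api": 1, "network": 2, "privileged": 3}
CRITICAL_BONUS = 2          # vendor supports a business-critical process

# Assumed mapping from score to the assessment level a buyer would ask for.
RANK = {"e1": 1, "i1": 2, "r2": 3}
# Assumed reassessment cadence per level, in days.
CADENCE_DAYS = {"e1": 365, "i1": 365, "r2": 730}


@dataclass
class Vendor:
    name: str
    data_types: List[str]        # keys of DATA_WEIGHTS
    access: str                  # key of ACCESS_WEIGHTS
    critical: bool
    assessment: Optional[str]    # "e1" / "i1" / "r2", or None if never assessed
    last_assessed: Optional[date]


@dataclass
class Finding:
    name: str
    score: int
    recommended: str
    issues: List[str]


def inherent_risk_score(v: Vendor) -> int:
    """Score the relationship, not the vendor's controls: what they touch and how."""
    data = max((DATA_WEIGHTS[d] for d in v.data_types), default=0)
    return data + ACCESS_WEIGHTS[v.access] + (CRITICAL_BONUS if v.critical else 0)


def recommended_assessment(score: int) -> str:
    """Assumed thresholds: low-risk -> e1, medium -> i1, high -> r2."""
    if score >= 7:
        return "r2"
    if score >= 4:
        return "i1"
    return "e1"


def triage(vendors: List[Vendor], today: date) -> List[Finding]:
    """Flag vendors whose assurance level is too low or whose assessment is stale."""
    findings = []
    for v in vendors:
        score = inherent_risk_score(v)
        rec = recommended_assessment(score)
        issues = []
        if v.assessment is None:
            issues.append("never assessed")
        else:
            if RANK[v.assessment] < RANK[rec]:
                issues.append(f"assurance too low ({v.assessment} < {rec})")
            limit = timedelta(days=CADENCE_DAYS[v.assessment])
            if v.last_assessed is None or today - v.last_assessed > limit:
                issues.append("reassessment overdue")
        findings.append(Finding(v.name, score, rec, issues))
    # Highest inherent risk first, so the backlog is worked in risk order.
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample inventory (hypothetical vendors).
SAMPLE_VENDORS = [
    Vendor("Telehealth platform", ["phi"], "privileged", True, "i1", date(2024, 2, 1)),
    Vendor("Payroll SaaS", ["pii"], "api", False, "i1", date(2023, 6, 30)),
    Vendor("Marketing analytics", ["internal"], "api", False, "e1", date(2024, 9, 1)),
    Vendor("Print vendor", ["pii"], "none", False, None, None),
]
TODAY = date(2025, 1, 15)   # fixed "today" so the sample run is reproducible


def run_sample() -> List[Finding]:
    return triage(SAMPLE_VENDORS, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        status = "; ".join(f.issues) or "ok"
        print(f"{f.name:<22} score={f.score:<2} recommend={f.recommended}  {status}")
```

On the sample data the telehealth platform is flagged because an i1 is below the r2 the relationship warrants, the payroll vendor because its last assessment is older than the assumed cadence, and the print vendor because it has never been assessed; the analytics vendor is in order. The scoring deliberately uses only relationship facts the buyer already holds (data shared, access granted, criticality), which is the context the due-diligence questionnaire captures and the part of the process the posts above argue should stay with the buyer.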
These assessments provide the right type of security assurance, helping organizations to evaluate vendor risks meticulously. HITRUST assessments ensure that all vendors meet stringent security standards.
Build trust and foster strong business relationships
HITRUST helps you reduce the complexity and cost of vendor risk management by streamlining the assessment process and eliminating the need for multiple audits and questionnaires. It improves the transparency and accountability of your vendors. It boosts the confidence and satisfaction of your customers by demonstrating that you and your vendors are committed to protecting their data and privacy.
Beyond security assurance, HITRUST helps organizations and vendors to build trust and establish strong business relationships. It empowers you to foster a secure and trustworthy business environment by ensuring your vendors adhere to high security standards. This mutual trust is essential for long-term success and resilience against cyber threats.
Evaluating vendor risks is not just a best practice; it is a necessity in today’s digital age. HITRUST assessments provide a comprehensive, adaptive, and proactive approach to vendor risk management. Leverage HITRUST’s tailored assessment options to ensure robust security, build trust, and protect valuable data and reputation.
Don’t wait for a breach to occur — evaluate your vendor risks now and secure your organization’s future.
Evaluate Vendor Risks Before It’s Too Late Evaluate Vendor Risks Before It’s Too Late
Guest blog by William Ahrens, Director, Mazars USA
HITRUST assessments can be used to reduce the risk of a data breach, achieve cost savings, and avoid threats. An especially compelling use case is for organizations to use the HITRUST framework to assess their third parties.
Data breaches caused by third-party vendors and suppliers have been a significant concern for organizations in recent years due to the complex nature of modern business operations. As it becomes more common for organizations across industries to outsource greater numbers of services, third-party risks are compounded.
Third-party risks
IBM’s Cost of a Data Breach Report 2022 stated that a compromise at a third party or a business partner caused 19% of breaches. The report also explored the impact various factors had on the average cost of a data breach. While the presence of AI, DevSecOps, and Incident Response had positive impacts on lowering costs, compliance failures and the involvement of third parties inflated the costs. In fact, these two were among the highest contributing factors. When organizations can quickly detect a breach and shorten its lifecycle, they can significantly reduce costs and save as much as $1.12 million.
The potential for risk caused by third parties is especially high for hospitals and healthcare organizations due to their interconnected systems and multiple entry points for data access, which increase their attack surfaces and potential vulnerabilities. Healthcare organizations outsource critical processes that give access to PHI and other sensitive data. This makes it essential to reduce third-party risks with practical solutions that provide reliable assurances and greater insights into security practices.
But where to start? Vendors are a diverse group. They range substantially in size, service offering, capability, risk profile, and cyber maturity. It’s no wonder most organizations — especially those in healthcare — struggle with vendor risk management.
Manual, inconsistent approaches are time- and resource-intensive, overtaxing assigned staff with limited bandwidths and competing priorities. Given the large number of third parties, staff members strain to keep up with the high volume of assessments.
Risk-tiering strategy
To effectively address security requirements that are appropriate for each vendor, companies should consider employing a risk-tiering strategy. Vendor risk management programs with a consistent and structured risk analysis process allow organizations to assess vendors based on the risk they present to the business.
Organizations can select the appropriate level of security assurance for each vendor by considering the following.
- What and how much data does the vendor access and process?
- Are there any fourth parties handling the data?
- If the data is compromised, what would be the impact on the business?
Realizing the need, HITRUST offers three certification options to address varying assurance requirements, risk maturity, and business profiles of vendors.
- The HITRUST e1 - 1-year Validated Assessment is ideal for low-risk vendors looking to assure basic foundational cybersecurity.
- The HITRUST i1 - 1-year Validated Assessment offers more coverage than the e1, demonstrating assurance for leading security practices.
- The HITRUST r2 - 2-year Validated Assessment is considered the gold standard in the industry and is ideal for high-risk vendors.
Benefits of the HITRUST CSF
The foundation of HITRUST certifications is its framework, the HITRUST CSF. The HITRUST CSF offers many unique benefits not found within other compliance frameworks.
- Each HITRUST assessment is built on a common framework, which means vendors can move from one assessment to the other without losing previous work. All of the 44 e1 controls are included in the 182 i1 controls, which are included in the r2 controls set.
- The HITRUST CSF leverages current threat intelligence information and is updated regularly. It ensures that the assessed entities are protected against the latest cyber threats with proper controls.
- The HITRUST MyCSF SaaS compliance and risk management tool automatically builds relevant controls and provides consistent mapping to 40+ authoritative sources.
- HITRUST assessments ensure consistency and accuracy as each validated assessment undergoes three independent quality assurance processes from three separate teams.
HITRUST assessments provide transparent reporting of the assessed vendor’s security practices. Unlike other frameworks, HITRUST is prescriptive. With its suite of products and services, HITRUST offers the most comprehensive assurance mechanism and provides an efficient and tiered vendor risk management methodology.
Using the HITRUST Framework to Manage and Mitigate Third-Party Risks Using the HITRUST Framework to Manage and Mitigate Third-Party Risks
Watch the on-demand recording, which covers the current state of e1 adoption, creative use cases, lessons learned from QA, pricing, market acceptance, and how organizations are leveraging it as part of their third-party risk management programs.
Ryan George from UPMC and Mike Parisi from Schellman discuss their experience from scoping to certification.
Speakers
Ryan Patrick
Vice President of Adoption
HITRUST
Jeremy Huval
Chief Innovation Officer
HITRUST
Michael Parisi
Head of Client Acquisition
Schellman
Ryan George
Senior Director of Information Security
UPMC
Chief Information Officer and Co-Founder
HealthPlan Data Solutions
HITRUST e1 – Update from the field and lessons learned
Healthcare TPRM can be described in one word. Unsustainable. Reliance on third parties is growing while healthcare organizations are extremely resource constrained. Incidents are on the rise, and regulatory demands are intensifying. The vendor risk management problem is growing, and new approaches are needed to avert disaster.
If you are a healthcare information security leader feeling the pain of this perfect storm, rest assured there are brighter days ahead. Now is the time. TPRM in healthcare is about to change for the better.
In this webinar, CORL and HITRUST join forces to uncover how and why today's healthcare TPRM approaches fall short. We offer tangible solutions for a more sustainable future.
We will cover
- The perfect storm in healthcare's third-party risk landscape
- Seven ways current approaches to healthcare TPRM are unsustainable
- The foundation of a more sustainable TPRM approach
- How CORL and HITRUST are collaborating for a better future
Speakers
Ryan Patrick
Vice President of Adoption
HITRUST
Britton Burton
Sr. Director of Product Strategy
CORL Technologies
Unsustainable - Remodeling Broken TPRM in Healthcare
The digital transformation of healthcare has unlocked incredible opportunities to improve patient care and operational efficiency. However, it has also exposed a critical flaw in how third-party risk management (TPRM) is done across the industry.
As digital health technologies proliferate, so do the challenges for security teams tasked with vetting vendors. The traditional questionnaire-based vendor assessment model was long considered the gold standard for due diligence, but it is struggling to keep pace with the volume and complexity of today’s supply chains.
The chokepoint in the procurement process
Healthcare organizations rely on a vast ecosystem of vendors to power everything from telemedicine platforms to electronic health records. But with great reliance comes great responsibility: these vendors must be thoroughly vetted to ensure they won’t introduce vulnerabilities into the organization.
The sheer volume of vendors is overwhelming security teams. Requests for security due diligence assessments are coming in faster than they can be completed, creating a backlog that frustrates internal business owners waiting to onboard critical technologies.
This bottleneck not only slows innovation but also prevents teams from reassessing critical vendors as their technology evolves and threats change.
The vendor's perspective: A broken model
The challenges aren’t limited to healthcare providers. Vendors in the supply chain are equally overwhelmed by the inefficiencies of the current system. Every prospective customer requires some form of security due diligence, and there’s no industry-wide standardization.
Vendors often face
- Inconsistent questionnaires: Each customer has unique expectations, making it impossible to standardize responses.
- Moving goalposts: Security requirements vary widely across healthcare entities, leading to confusion and delays.
- Resource constraints: Vendors with finite security teams struggle to keep up with the growing volume of audits, leaving customers dissatisfied and deals unfinished.
The result is a broken system that delays procurement, frustrates both parties, and introduces unnecessary risk.
Reassessments: The forgotten priority
Adding to the complexity is the need to reassess critical vendors over time. Technology and threats evolve rapidly, and a vendor’s security posture today might not be the same six months from now. However, most security teams are so bogged down with initial assessments that they don’t focus on reassessments. This creates a dangerous gap in visibility and increases the likelihood of vulnerabilities slipping through the cracks.
How do we fix it?
If the traditional TPRM model is broken, how can we rebuild it? Here are a few key strategies.
1. Automate where possible
Leverage tools and platforms that automate aspects of vendor assessments, such as real-time monitoring of security postures, to reduce reliance on static questionnaires.
2. Adopt industry standards
HITRUST, with its risk- and threat-based approaches to security and compliance, provides a framework that can alleviate many of these challenges. Healthcare organizations and vendors can reduce inefficiencies and build a more robust TPRM program by leveraging HITRUST as a standardized assessment mechanism.
3. Join industry collaborators
The Health 3rd Party Trust (Health3PT) Initiative is a proactive group committed to reducing third-party information security risk with more reliable and efficient assurances. It has been established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties.
4. Implement continuous monitoring
Use continuous monitoring to track vendors’ security practices over time instead of relying solely on one-time assessments. This approach ensures risks are identified and addressed as they arise.
5. Enhance collaboration
Foster open communication between vendors and healthcare organizations to set clear expectations and establish mutual trust.
The path forward
Vendor risk management is at a breaking point in healthcare, but it doesn’t have to stay that way. We can reduce the burden on security teams and vendors alike by embracing automation, standardization, and continuous monitoring. Most importantly, we can create a TPRM program that balances efficiency with the need for robust security, ensuring that healthcare organizations can innovate safely while protecting patient data and trust.
The time for change is now. Let’s stop letting TPRM be a chokepoint and start using it as a competitive advantage.
From Overwhelmed to Streamlined: Simplifying Healthcare TPRM
Due diligence and security questionnaires have become staples of the vendor risk assessment process for third-party risk management (TPRM). However, as the cybersecurity landscape evolves, our tools must evolve, too. Due diligence questionnaires remain a necessary component but the overreliance on static security questionnaires has become a barrier to effective risk management.
The value of due diligence questionnaires
Due diligence questionnaires are designed to answer critical, relationship-specific questions.
- Scope of engagement: What data, systems, or services will the third party access?
- Compliance requirements: Are specific legal, regulatory, or contractual obligations tied to this relationship?
- Business impact: What is the potential operational or reputational risk if this third party is compromised?
These questions go beyond generic cybersecurity concerns, focusing on the unique aspects of the partnership. They help organizations understand the relationship and ensure that appropriate safeguards align with its specifics. Due diligence questionnaires are a necessary foundation for establishing trust and setting expectations.
The problem with security questionnaires
Security questionnaires often fall short. These standardized forms ask third parties to provide detailed information about their cybersecurity practices.
- How do they handle encryption?
- Have they had recent audits?
- What are their incident response protocols?
While these are important topics, the format of traditional questionnaires introduces several issues.
1. Static and stale data
Security questionnaires provide a snapshot in time that quickly becomes outdated. A vendor might submit a completed questionnaire today, but their environment, controls, or threat landscape could change tomorrow.
2. Lack of context
These forms are often disconnected from the specifics of the relationship. For example, knowing that a vendor uses encryption is less relevant if the relationship doesn’t involve handling sensitive data.
3. Inefficiency
Completing and reviewing lengthy questionnaires is time-consuming for both parties, creating bottlenecks that slow down procurement and vendor risk assessments.
4. Checkbox mentality
Organizations may treat completed questionnaires as a substitute for meaningful engagement, creating a false sense of security without truly understanding the risks.
5. Expertise of analysts
Questionnaires are typically developed by the staff at the requesting organization. The staff may lack the expertise to evaluate control selection or even the ability to interpret the results/responses to the questions.
A better approach to TPRM
To move forward, organizations must reimagine the role of questionnaires in TPRM.
1. Use due diligence for context
Focus on due diligence to capture relationship-specific insights. These questions matter most for tailoring your risk management approach to the specific vendor or partner.
2. Replace static questionnaires with dynamic assessments
Instead of relying on static forms, leverage real-time threat intelligence, continuous monitoring, and assessments that incorporate threat data into the control selection to understand a vendor’s security posture.
3. Focus on collaboration, not compliance
Engage with third parties to address risks collaboratively. Move beyond filling out forms to having meaningful discussions about risks, mitigations, and shared goals.
4. Streamline where possible
Adopt frameworks and framework bodies that actively collaborate on reciprocity to reduce redundancy and streamline the process for vendors managing multiple client requests.
The bottom line
Due diligence questionnaires remain a vital part of TPRM because they provide relationship-specific details needed to assess and manage risks effectively. Security questionnaires, however, need a modern overhaul. By transitioning from static, checklist-driven approaches to dynamic, real-time methods, organizations can focus on what truly matters: building resilient partnerships that mitigate risks and enable business growth.
It’s time to retire the outdated questionnaire model and embrace a more effective, efficient, and adaptive approach to TPRM. After all, managing third-party risks isn’t about ticking boxes — it’s about protecting your organization in an interconnected world.
Why Due Diligence Questionnaires Are Essential, but Security Questionnaires Need a Rethink
How often do you rely on a third-party vendor to conduct a business function? Every day or, perhaps, every hour?
Third-party vendors are an integral part of a business. Organizations rely on them for many services, from processing payments to providing hardware and automating operations. If your organization is growing, your number of vendors is growing, too.
But have you considered that this also increases your data exposure?
Third-party vendors increase cyber risks
Your risk amplifies as more and more third parties access your systems and data. These vendors use your sensitive data to perform critical business functions. However, if any of these vendors is breached, attackers can gain direct access to your business data and misuse information about your customers and employees.
So, how do you ensure your vendors have strong security programs before giving them access to sensitive data?
Third-party risk assessment is crucial to identifying the strengths and weaknesses of your vendors’ security programs. Traditionally, organizations have used multiple tools and tactics to evaluate third-party risks. But these tactics are far from being effective.
Cybersecurity questionnaires have been one of the popular tactics. Questionnaires are tedious and unreliable. They consume a lot of staff hours, keeping your teams from focusing on more critical tasks. If your teams send out questionnaires, they spend hundreds of hours coordinating with vendors, evaluating answers, and following up on incomplete responses. Furthermore, there is no accurate way of verifying the information provided by the vendors in the questionnaires.
Organizations need a better third-party risk management (TPRM) program, and that’s why they choose HITRUST.
HITRUST helps organizations demonstrate trust
HITRUST offers reliable assurances that are based on its framework, HITRUST CSF. The HITRUST CSF harmonizes best practices from more than 50 authoritative sources. It is widely accepted and transparent as it allows you to verify the sources of the controls. The cyber threat-adaptive HITRUST CSF is updated regularly to help you protect against upcoming threats.
Not all your vendors need to undergo the comprehensive HITRUST r2 assessment. Based on their needs, size, and risk profiles, HITRUST offers different assessment options. The HITRUST e1 is suited for small vendors or those with limited inherent risks. It also serves as the ideal option for vendors looking to demonstrate a milestone on their journey to a more robust certification. HITRUST i1 is best for mid-level vendors looking for an assessment between the basic e1 and the extensive r2.
HITRUST makes vendor risk management efficient
HITRUST offers additional solutions to make vendor risk management efficient. The HITRUST Assessment XChange coordinates with vendors to track assessments and Corrective Action Plans (CAPs) so you don’t have to worry about exchanging hundreds of emails and phone calls. It helps your vendors understand expectations and maintain the right level of certifications.
The HITRUST Results Distribution System (RDS) makes exchanging results easier and more secure. It helps you manage multiple third-party vendors simultaneously and analyze their results accurately.
Learn more about how you can make vendor risk management more effective and efficient with HITRUST.
Organizations Achieve TPRM Success with HITRUST
- Ryan Patrick, VP of Adoption, HITRUST
Third-Party Risk Management (TPRM) is supposed to be the bedrock of securing organizations from the risks posed by external vendors and business partners, but the current system is fundamentally broken. This becomes painfully clear when we examine three of the most critical pain points: the low quality and variability of SOC 2 reports, the inefficiency of questionnaires, and the lack of reciprocity between governing bodies.
SOC 2 Reports: A Quality Crisis
SOC 2 reports are often regarded as the “go-to” standard for assessing the security controls of third-party vendors because of their wide adoption across all industries. Yet, the quality and reliability of these reports can vary dramatically. Some SOC 2s are meticulously detailed and provide actionable insights into a vendor's security posture. However, many others are shallow, missing critical information, or worse, relying on outdated practices that no longer align with today's threat landscape. The control selection is purely up to the organization being assessed. Furthermore, there is a race to the bottom, with “SOC in a box” firms pencil-whipping reports at the lowest cost possible. The variability of these reports erodes trust.
What is the point of asking for a SOC 2 if you can’t guarantee a consistent standard? SOC 2 reports will remain an unreliable cornerstone in TPRM until there is a way to enforce more uniform, higher-quality reporting.
The Questionnaire Bottleneck
The next pain point is the inefficiency of vendor questionnaires. In theory, these should help organizations get a clearer understanding of a vendor’s security practices. In reality, they’ve become a bureaucratic nightmare. Security questionnaires are often long, repetitive, and rarely tailored to the specific risks posed by a particular vendor. Worse yet, vendors receive dozens, sometimes hundreds, of these questionnaires, leading to inconsistent or hurried responses. It’s not uncommon for vendors to send recycled answers that don’t address the nuances of the questions asked. This "checkbox" approach is inefficient for both sides and doesn’t provide the insight to make informed risk decisions.
It’s even more troubling that the organizations requesting the security questionnaires often lack the time, expertise, or resources to assess the answers they receive thoroughly. Most companies don't have dedicated teams or the specialized knowledge required to interpret the responses and probe deeper into potential vulnerabilities. As a result, the due diligence process often becomes superficial, with organizations relying on incomplete or misunderstood information. Organizations may unwittingly expose themselves to greater vulnerabilities instead of truly mitigating risk.
Reciprocity Between Governing Bodies: A Missing Link
One of the biggest systemic failures in TPRM is the lack of reciprocity between governing bodies and frameworks. We have SOC 2, ISO 27001, NIST, and a host of other frameworks, all serving slightly different functions but ultimately aiming at the same goal: reducing risk. However, organizations are forced to undergo multiple, redundant audits and assessments as there’s little reciprocity between these frameworks. Vendors end up in a web of overlapping requirements, increasing the time and cost of compliance without adding meaningful value to security. The industry needs a system of mutual recognition, where frameworks work together to streamline the risk management process, creating a unified standard that works across sectors and regions.
A Call for Change
TPRM is in dire need of reform. Although SOC 2s serve a specific purpose within an organization, they were not designed for TPRM and should not be used for this purpose. Questionnaires must become more focused on the relationship between the two organizations and should stop there. Relying on industry-recognized risk-based assessments and certifications, and getting rid of security questionnaires, leads to streamlined processes and reduced risk profiles. Finally, there must be reciprocity and collaboration between governing bodies to eliminate redundant processes and create a more efficient, effective approach to managing third-party risks.
The current system is broken, but with concerted efforts from industry leaders, governing bodies, and security professionals, we can rebuild TPRM into a process that truly protects organizations without wasting time or resources.
The Broken State: Time for a Revolution in Third-Party Risk Management
Organizations live and operate in an interconnected business environment. The security of your organization is not solely dependent on your internal measures. Every vendor you engage with can either bolster your defenses or expose you to significant risks. The potential consequences of a vendor-related security breach can be devastating, impacting not only your organization but also your customers. This is why it is imperative to have an effective vendor risk assessment plan.
Act before it’s late
Vendor risk evaluation is a crucial aspect of a robust security strategy. When even one vendor is compromised, the ripple effects can lead to data breaches, financial losses, and reputational damages. The attack surface expands as businesses increasingly rely on third-party services, making it vital to understand and mitigate these risks early on before they become vulnerabilities.
Stay ahead of emerging threats
HITRUST offers robust solutions to identify and address security gaps for efficient vendor risk assessment. The HITRUST framework stands out due to its cyber threat-adaptive nature. It harmonizes best practices from more than 50 standards, frameworks, and regulations to address all 19 domains of security and risk management.
The HITRUST CSF is a universal, living framework, unlike most compliance frameworks that are updated every three to four years. It is continuously updated and published regularly for constant cyber threat management.
HITRUST uses threat intelligence data to identify new threats and mitigate them. HITRUST’s proactive approach ensures that your organization and its vendors are assessed against the latest cyber threats, offering optimal risk management. HITRUST enables businesses to be proactive rather than reactive, providing a significant advantage in the ever-evolving threat landscape.
Learn how HITRUST stays agile in cyber threat management with its cyber threat-adaptive framework.
Leverage HITRUST assessments for diverse needs
HITRUST understands that one size does not fit all. You may be working with a vendor that’s a newbie in the business and another one that’s a veteran. HITRUST offers three distinct assessment options — e1, i1, and r2 — catering to organizations of different sizes, needs, and risk profiles.
e1 is best suited for vendors that are new or small, possess limited risks, or are looking to achieve a milestone on their journey to a more robust certification. r2 is HITRUST’s most comprehensive security certification perfect for vendors that need to establish the highest level of trust. i1 serves as the ideal bridge between e1 and r2 for service providers with medium risk profiles. Vendors can also move from one assessment type to the other without losing previous work.
These assessments provide the right type of security assurance, helping organizations to evaluate vendor risks meticulously. HITRUST assessments ensure that all vendors meet stringent security standards.
Build trust and foster strong business relationships
HITRUST helps you reduce the complexity and cost of vendor risk management by streamlining the assessment process and eliminating the need for multiple audits and questionnaires. It improves the transparency and accountability of your vendors. It boosts the confidence and satisfaction of your customers by demonstrating that you and your vendors are committed to protecting their data and privacy.
Beyond security assurance, HITRUST helps organizations and vendors to build trust and establish strong business relationships. It empowers you to foster a secure and trustworthy business environment by ensuring your vendors adhere to high security standards. This mutual trust is essential for long-term success and resilience against cyber threats.
Evaluating vendor risks is not just a best practice; it is a necessity in today’s digital age. HITRUST assessments provide a comprehensive, adaptive, and proactive approach to vendor risk management. Leverage HITRUST’s tailored assessment options to ensure robust security, build trust, and protect valuable data and reputation.
Don’t wait for a breach to occur — evaluate your vendor risks now and secure your organization’s future.
Evaluate Vendor Risks Before It’s Too Late
Guest blog by William Ahrens, Director, Mazars USA
HITRUST assessments can be used to reduce the risk of a data breach, achieve cost savings, and avoid threats. An especially compelling use case is for organizations to use the HITRUST framework to assess their third parties.
Data breaches caused by third-party vendors and suppliers have been a significant concern for organizations in recent years due to the complex nature of modern business operations. As it becomes more common for organizations across industries to outsource greater numbers of services, third-party risks are compounded.
Third-party risks
IBM’s Cost of a Data Breach Report 2022 stated that a compromise at a third party or a business partner caused 19% of breaches. The report also explored the impact various factors had on the average cost of a data breach. While the presence of AI, DevSecOps, and Incident Response had positive impacts on lowering costs, compliance failures and the involvement of third parties inflated the costs. In fact, these two were among the highest contributing factors. When organizations can quickly detect a breach and shorten its lifecycle, they can significantly reduce costs and save as much as $1.12 million.
The potential for risk caused by third parties is especially high for hospitals and healthcare organizations due to their interconnected systems and multiple entry points for data access, which increase their attack surfaces and potential vulnerabilities. Healthcare organizations outsource critical processes that give access to PHI and other sensitive data. This makes it essential to reduce third-party risks with practical solutions that provide reliable assurances and greater insights into security practices.
But where to start? Vendors are a diverse group. They range substantially in size, service offering, capability, risk profile, and cyber maturity. It’s no wonder most organizations — especially those in healthcare — struggle with vendor risk management.
Manual, inconsistent approaches are time- and resource-intensive, overtaxing assigned staff with limited bandwidths and competing priorities. Given the large number of third parties, staff members strain to keep up with the high volume of assessments.
Risk-tiering strategy
To effectively address security requirements that are appropriate for each vendor, companies should consider employing a risk-tiering strategy. Vendor risk management programs with a consistent and structured risk analysis process allow organizations to assess vendors based on the risk they present to the business.
Organizations can select the appropriate level of security assurance for each vendor by considering the following.
- What and how much data does the vendor access and process?
- Are there any fourth parties handling the data?
- If the data is compromised, what would be the impact on the business?
Realizing the need, HITRUST offers three certification options to address varying assurance requirements, risk maturity, and business profiles of vendors.
- The HITRUST e1 - 1-year Validated Assessment is ideal for low-risk vendors looking to assure basic foundational cybersecurity.
- The HITRUST i1 - 1-year Validated Assessment offers more coverage than the e1, demonstrating assurance for leading security practices.
- The HITRUST r2 - 2-year Validated Assessment is considered the gold standard in the industry and is ideal for high-risk vendors.
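As an added illustration (not HITRUST's or Mazars' code), the three tiering questions and the three assessment options above can be combined into a small vendor inventory check that also flags the reassessment gap raised elsewhere on this page; the scoring weights, thresholds and vendor records are constructed assumptions, while the validity periods and the nesting of the e1, i1 and r2 control sets come from the text:

```python
"""Vendor risk tiering and reassessment tracker.

Added illustration, not HITRUST tooling. Assessment names, their validity
periods (e1 and i1 are 1-year, r2 is 2-year) and the nesting of control sets
(e1 within i1 within r2) come from the text; the scoring weights, thresholds
and the vendor records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Higher tiers include the lower tiers' controls, so a held r2 satisfies an i1 or e1 need.
TIER_RANK = {"e1": 1, "i1": 2, "r2": 3}
VALIDITY_DAYS = {"e1": 365, "i1": 365, "r2": 730}
TODAY = date(2025, 1, 10)  # constructed reference date for the examples


@dataclass
class Vendor:
    name: str
    data_sensitivity: int        # 0 none, 1 internal, 2 confidential, 3 PHI or other regulated data
    data_volume: int             # 0 none, 1 limited records, 2 bulk access
    fourth_parties: bool         # does the vendor pass the data on to its own subcontractors?
    business_impact: int         # 1 low, 2 moderate, 3 severe if the vendor is compromised
    assessment: Optional[str] = None   # assessment type last validated, if any
    assessed_on: Optional[date] = None


def inherent_risk_score(v: Vendor) -> int:
    """Combine the three tiering questions into one score (weights are an assumption)."""
    return (v.data_sensitivity * 2 + v.data_volume
            + (2 if v.fourth_parties else 0) + v.business_impact * 2)


def required_tier(v: Vendor) -> str:
    """Map the score (0..16) onto the assessment the vendor's risk calls for."""
    score = inherent_risk_score(v)
    if score >= 10:
        return "r2"
    if score >= 5:
        return "i1"
    return "e1"


def evaluate(v: Vendor, today: date = TODAY) -> dict:
    """Compare what the vendor holds against what its risk requires."""
    need = required_tier(v)
    status, reassess_by = "missing", None
    if v.assessment and v.assessed_on:
        reassess_by = v.assessed_on + timedelta(days=VALIDITY_DAYS[v.assessment])
        if TIER_RANK[v.assessment] < TIER_RANK[need]:
            status = "insufficient"      # validated, but at a tier below the risk it presents
        elif today >= reassess_by:
            status = "expired"           # the snapshot is stale; schedule the reassessment
        else:
            status = "current"
    return {"vendor": v.name, "required": need, "held": v.assessment,
            "status": status, "reassess_by": reassess_by}


def reassessment_queue(vendors, today: date = TODAY):
    """Vendors needing action, highest required tier first, then by name."""
    findings = [evaluate(v, today) for v in vendors]
    todo = [f for f in findings if f["status"] != "current"]
    todo.sort(key=lambda f: (-TIER_RANK[f["required"]], f["vendor"]))
    return [(f["vendor"], f["status"]) for f in todo]


# Constructed sample inventory (names and attributes are made up).
SAMPLE_VENDORS = [
    Vendor("ClaimsCloud", 3, 2, True, 3, "i1", date(2024, 3, 1)),
    Vendor("BadgePrint", 1, 1, False, 1, "r2", date(2023, 1, 15)),
    Vendor("LobbyKiosk", 0, 1, False, 1),
    Vendor("TeleVisit", 3, 1, False, 2, "r2", date(2022, 11, 1)),
]

if __name__ == "__main__":
    for item in reassessment_queue(SAMPLE_VENDORS):
        print(item)
```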
Benefits of the HITRUST CSF
The foundation of HITRUST certifications is its framework, the HITRUST CSF. The HITRUST CSF offers many unique benefits not found within other compliance frameworks.
- Each HITRUST assessment is built on a common framework, which means vendors can move from one assessment to the other without losing previous work. All of the 44 e1 controls are included in the 182 i1 controls, which are in turn included in the r2 control set.
- The HITRUST CSF leverages current threat intelligence information and is updated regularly. It ensures that the assessed entities are protected against the latest cyber threats with proper controls.
- The HITRUST MyCSF SaaS compliance and risk management tool automatically builds relevant controls and provides consistent mapping to 40+ authoritative sources.
- HITRUST assessments ensure consistency and accuracy as each validated assessment undergoes three independent quality assurance processes from three separate teams.
HITRUST assessments provide transparent reporting of the assessed vendor’s security practices. Unlike other frameworks, HITRUST is prescriptive. With its suite of products and services, HITRUST offers the most comprehensive assurance mechanism and provides an efficient and tiered vendor risk management methodology.
Using the HITRUST Framework to Manage and Mitigate Third-Party Risks