CISO’s mission resonates with healthcare peers


The vision of a standardized method to assess the risk management posture of third party suppliers to healthcare firms, put forward by the recently formed Provider Third Party Risk Management Council, is gaining momentum and support throughout the industry as security leaders from both healthcare providers and their suppliers embrace the unified approach.

Led by governing members consisting of Chief Information Security Officers (CISOs) throughout the healthcare sector, the Council and its growing number of participants are adopting an approach that addresses the issues affecting information security-related risks in their organizations’ supply chains and safeguards patient safety and information.

“The Council is committed to improving risk management for providers and efficiencies for third parties who support healthcare organizations throughout the sector,” says Taylor Lehmann, CISO of Wellforce, Founding Participant of the Council, and Governing Member. “As industry leaders we need to collaborate to solve problems, and we will actively engage with HITRUST to lend our leadership to benefit the healthcare sector.”

One of the goals for the Council is to address the inefficiencies found in the third party supply chain ecosystem. Suppliers are commonly required by their customers to respond to questionnaires or other assessment requests relating to their risk management posture. Reducing the multiple audits and questionnaires will produce financial savings that allow business partners to invest in substantive risk reduction efforts rather than redundant assessments.

“By reducing wasted effort and duplication, suppliers will find their products and services will be acquired more quickly by healthcare providers,” says Founding Participant and Governing Member, Omar Khawaja, VP and CISO of Allegheny Health Network and Highmark Health. “This will also reduce the complexity of contracts and provide third parties with better visibility regarding the requirements to do business with providers.”

Since the Provider Third Party Risk Management Council and its associated program were announced in August, an expanding number of healthcare organizations – from providers to supply chain business associates and vendors – have been advocating that a more efficient approach to third party assurance is necessary and striving to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties.

“The desire to establish a standard, effective and scalable method for assessing the privacy and security of third parties is resonating with providers of all sizes,” says John Houston, Vice President, Privacy and Information Security & Associate Counsel of UPMC, Founding Participant of the Council, and Governing Member. “The leaders throughout the industry recognize their responsibility and role in improving the protection of patient and sensitive information and streamlining the assurance process.”

In addition to the original Founding Participants, the governing members have been expanded to include: Nuance, The Mayo Clinic, Multicare, Indiana University Health, Children’s Health Dallas, Phoenix Children’s Hospital, and Banner Health.

The Council recognizes the value of the HITRUST CSF and its assurance programs to manage risk, and each organization on the Council will be requiring their third parties to become HITRUST CSF Certified. The HITRUST CSF Certification will serve as the standard for third parties providing services where they require access to patient or sensitive information and be accepted by all the Council’s organizations.

The HITRUST CSF Assurance Program is already an assessment approach adopted by healthcare organizations and used by third parties to evaluate and communicate their information privacy and security posture. HITRUST will continue to work with Council members and their organizations to ensure its programs are the hallmark for the industry.

The Founding Participant organizations for the Provider Third Party Risk Management Council include:

  • Allegheny Health Network,
  • Cleveland Clinic,
  • University of Rochester Medical Center,
  • UPMC,
  • Vanderbilt University Medical Center,
  • Wellforce, parent of Tufts Medical Center.