Health3PT Council unites healthcare CISOs to solve third-party cyber risk

Amid heightened threats to the nation’s healthcare systems, more than 20 leading healthcare organizations have come together to identify effective, efficient, and new innovative approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem.

The Health 3rd Party Trust (Health3PT) Initiative and Council, is committed to bringing standards, credible assurance models, and automated workflows to solve the third-party risk management problem and advance the mission to safeguard sensitive information.

Healthcare is one of the top industry sectors targeted by cyber attackers due to the value of sensitive electronic patient records, the potential impact on critical life-saving IT systems and medical devices, and the lack of security around the third-party vendors and suppliers delivering vital services.

According to one survey, 55% of healthcare organizations suffered a third-party breach in the past year. However, most healthcare organizations do not have effective measures in place to identify these risks. Only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data.

With increasing government warnings—such as HHS’ Health Sector Cybersecurity Coordination Center recent alerts on ransomware and last December’s alert from CISA, FBI and NSA to mitigate Log4j software supply chain vulnerabilities—as well as anticipated regulatory guidance for cross-sector Cybersecurity Common Performance Goals, healthcare organizations are looking for ways to understand and ensure the security, integrity, and availability of services provided by third parties and the associated sensitive information they handle.

Unfortunately, today’s methods to manage these third-party risk exposures are burdensome and inadequate, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place.

This is especially true for smaller organizations who have limited resources and are often where many breaches occur.

In response, the Health3PT is collaborating to overcome these challenges and achieve greater efficiencies throughout the ecosystem. The Health3PT will focus first on a series of common practices to effectively manage information security risks associated with vendors and other third-party service providers.

These include methodologies and tools that address multiple best practice frameworks, that foster standardization and transparent assurances and validation, and that address legislative and regulatory requirements.

The Health3PT will publish its first deliverable in Q1 2023: Research on third-party risk metrics to benchmark the state of the industry. In addition, in 2023, the Health3PT will establish working groups and will host industry-wide events including a Summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.

The Health3PT has support from key industry stakeholders and is comprised of security and risk executives from 20 leading healthcare providers, health systems, health payors/insurers, and healthcare service organizations:

• Patricia Yarabinetz, Director, Information Risk Management, AmeriHealth Caritas
• Cindy Shuna, Cyber Risk Management, Amerisource Bergen
• Rick Kratz Director, Cyber Risk Management, Amerisource Bergen
• Glen Braden, Principal, Attest Health Care Advisors
• Dr. Omar Sangurima, Principal Technical Program Manager, Governance, Risk, & Program Management, Memorial Sloan Kettering Cancer Center
• Shenny Sheth, Deputy CISO, Centura Health
• Natalie Henderson, Executive Director, Third Party Risk Governance, CVS
• Eric Sinclair, VP, Information & Cyber Security, Evolent Health
• Matthew Webb, AVP – Product Security, Chief Product Security Officer, HCA Healthcare
• Brenda Callaway, Divisional VP, Operations Performance Management, Health Care Service Corporation (HCSC)
• John Chow, CISO, Healthix
• Jeff Lockwood, VP of Enterprise Technology Services, HealthStream
• Karin Balsley, Sr. Director, Information Security, HealthStream
• Omar Khawaja, CISO, Highmark Health
• Heather Ryan, Project Manager, Highmark BCBS
• Joe Dylewski, Cyber Data Protection Manager, Humana
• Purvik Shah, Project Manager, Memorial Sloan Kettering Cancer Center
• Walsy Saez-Aguirre, Cyber Security Governance, Risk and Compliance Analyst, Memorial Sloan Kettering Cancer Center
• Monique Hart, Executive Director of Information Security, Executive Director of Information Security, Piedmont Healthcare
• Dr. Adrian Mayers, VP, CISO, Premera Blue Cross
• Joel Seymour, Deputy CISO, Premera Blue Cross
• Shawna Hofer, CISO, St. Lukes Health System
• Brian Cayer, CISO, Tufts Medicine
• Alan Labianca-Campbell, Director of Information Assurance, Tufts Medicine
• John Houston, VP, Information Security and Privacy, UPMC
• Ryan George, Sr. Director – IT, IAS, UPMC
• Alex Zhivov, Vice President, Information Security, Virtual Health
• Bhavesh Merai, Senior Manager, Technology, Risk & Compliance, Walgreens

“Society has evolved to demand speed of delivery, and this is no different in the healthcare space. However, we cannot sacrifice security for speed. A standardized and measurable standard for assessing third parties will bring both speed and efficiency, while potentially increasing security. This also could drive reduced costs though efficiency. A standardized and measurable assessment mechanism will be the cornerstone in securing people’s most precious information,” said Joel Seymour, Deputy CISO for Premera Blue Cross.

“It’s clear that TPRM is broken in the healthcare industry. We need to come together as an industry to establish a sustainable approach to third-party risk management. The common process of sending and receiving self-attested proprietary questionnaires is inefficient and potentially unreliable. We need a practical pathway to supplier assurances that are reliable and not self-attested, have inadequate controls or over burdening for the risk posed. The lack of standardization today results in vendor confusion due to the different question sets and requirements, resulting in confusion, frustration, and eventually…lack of response,” said John Chow, CISO for Healthix.

“Managing third party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health.