Prominent CISOs from leading health systems and providers throughout the country have come together to establish the Provider Third Party Risk Management Council to develop, recommend and promote a series of practices to manage their information security-related risks in their supply chain and to safeguard patient safety and information.
Members of the Council observed their supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases, insurmountable for many organizations who simply don’t have the expertise or resources. Through innovation and industry leadership, the council are developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.
“Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care,” says Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children. “The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”
Lehmann says third parties may have a small number of customers or possibly hundreds or thousands to serve. For third parties, this challenge has resulted in lost time and resources in attempting to comply with each organization’s risk management requirements and ensure efficiency for both parties.
The council is working with the HITRUST CSF and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months. The HITRUST CSF Certification will serve as their standard for third parties providing services that require access to patient or sensitive information and will be accepted by all the council’s organizations.
Goal of the Provider Third-Party Risk Management Council
The Provider Third Party Risk Management Council recognizes that a more efficient approach to third-party assurance is necessary and strives to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties. By choosing to adopt a single assessment and certification program, healthcare organizations represented by the council are prioritizing the safety, care, and privacy of their patients by providing clarity and adopting best practices that their vendors can also adopt, while providing vendors the expectation of what it takes to do business with their organizations.
“We believe the healthcare industry as a whole, our organizations and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,” says John Houston, Vice President, Privacy and Information Security & Associate Counsel, UPMC. “We are strongly encouraging other provider organizations to follow suit and adopt these principles.”
The founding member organizations for the Provider Third Party Risk Management Council include:
- Allegheny Health Network
- Cleveland Clinic
- University of Rochester Medical Center
- Vanderbilt University Medical Center
- Wellforce/Tufts University.