Chief information security officers and risk management officials from 20 healthcare organizations have come together to identify new approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem. The Health 3rd Party Trust Initiative and Council (Health3PT) will seek to bring standards, credible assurance models, and automated workflows to solve the third-party risk management problem.
Leaders of the new group pointed to a survey published in the HIPAA Journal in August 2022 in which 55 percent of healthcare organizations reported suffering a third-party breach in the past year. They also note that Gartner research suggests that only 23 percent of security and risk leaders monitor third parties in real time for cybersecurity exposure.
The methods to manage third-party risk exposures are burdensome and inadequate, the Health3PT says, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place. This is especially true for smaller organizations that have limited resources and are where many breaches occur.
The nonprofit Health3PT will focus first on a series of common practices to effectively manage information security risks associated with vendors and other third-party service providers. These include methodologies and tools that address multiple best practice frameworks, foster standardization and transparent assurances and validation, and address legislative and regulatory requirements.
“Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health, in a statement.
The Health3PT is supported by HITRUST, the risk and compliance standards and certification body, and CORL, a healthcare third-party risk management services and solutions provider. It will publish its first deliverable in the first quarter of 2023: Research on third-party risk metrics to benchmark the state of the industry. In addition, in 2023, the Health3PT will establish working groups and will host industry-wide events including a summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.
The Health3PT is comprised of security and risk executives from 20 healthcare providers, health systems, health payers/insurers, and healthcare service organizations:
Patricia Yarabinetz, Director, Information Risk Management, AmeriHealth Caritas
Cindy Shuna, Cyber Risk Management, Amerisource Bergen
Rick Kratz Director, Cyber Risk Management, Amerisource Bergen
Glen Braden, Principal, Attest Health Care Advisors
Dr. Omar Sangurima, Principal Technical Program Manager, Governance, Risk, & Program Management, Memorial Sloan Kettering Cancer Center
Shenny Sheth, Deputy CISO, Centura Health
Natalie Henderson, Executive Director, Third Party Risk Governance, CVS
Eric Sinclair, VP, Information & Cyber Security, Evolent Health
Matthew Webb, AVP – Product Security, Chief Product Security Officer, HCA Healthcare
Brenda Callaway, Divisional VP, Operations Performance Management, Health Care Service Corporation (HCSC)
John Chow, CISO, Healthix
Jeff Lockwood, VP of Enterprise Technology Services, HealthStream
Karin Balsley, Sr. Director, Information Security, HealthStream
Omar Khawaja, CISO, Highmark
Health Heather Ryan, Project Manager, Highmark BCBS
Joe Dylewski, Cyber Data Protection Manager, Humana
Purvik Shah, Project Manager, Memorial Sloan Kettering Cancer Center
Walsy Saez-Aguirre, Cyber Security Governance, Risk and Compliance Analyst, Memorial Sloan Kettering Cancer Center
Monique Hart, Executive Director of Information Security, Executive Director of Information Security, Piedmont Healthcare
Dr. Adrian Mayers, VP, CISO, Premera Blue Cross
Joel Seymour, Deputy CISO, Premera Blue Cross
Shawna Hofer, CISO, St. Lukes Health System
Brian Cayer, CISO, Tufts Medicine
Alan Labianca-Campbell, Director of Information Assurance, Tufts Medicine
John Houston, VP, Information Security and Privacy, UPMC
Ryan George, Sr. Director – IT, IAS, UPMC
Alex Zhivov, Vice President, Information Security, Virtual Health
Bhavesh Merai, Senior Manager, Technology, Risk & Compliance, Walgreens