Health 3rd Party Trust Initiative Develops Recommended Practices
A nonprofit organization set up to identify new approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem has announced several milestones, including growing to 1,900 professionals representing 1,100 organizations in its first year.
When it was formed last year, the Health 3rd Party Trust Initiative and Council (Health3PT) noted that methods to manage third-party risk exposures are burdensome and inadequate, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place. This is especially true for smaller organizations that have limited resources and are where many breaches occur.
Health3PT is now guided by 20 Council member organizations that work to establish standards for third-party risk management to help organizations reduce vendor risk and streamline their vendor risk processes. It has created an actionable framework called the "Health3PT Recommended Practices.”
These practices aim to drive substantial improvements in vendor risk management by moving away from traditional questionnaires to a standard for risk tiering and validated assurances. The initiative will also tackle emerging challenges, such as evolving regulations and the impact of AI on cyber risk.
The practices ratified by Health3PT include:
1. Concise contract language tying financial terms to a vendor’s transparency, assurance, and collaboration on security matters
2. Risk tiering strategy that drives frequency of reviews, extent of due diligence, and urgency of remediation
3. Appropriate, reliable, and consistent assurances about the vendors’ security capabilities
4. Follow-up through to closure of identified gaps and corrective action plans (CAPS)
5. Recurring updates of assurance of the vendors’ security capabilities
6. Metrics and reporting on organization-wide vendor risks.
The Council's efforts have been bolstered by the adoption of HITRUST as the first assurance methodology, which Health3PT says has played a crucial role in enabling the Recommended Practices. Additionally, the Health3PT Vendor Directory has been launched, serving as a platform for HITRUST-certified vendors, or those in the process of becoming certified, to showcase their compliance efforts.
Health3PT is supported by HITRUST, the risk and compliance standards and certification body, and CORL, the healthcare third-party risk management services and solutions provider.
The 2024 Health3PT Council recently added new members, including:
• Devin Shirley, CISO, Arkansas Blue Cross Blue Shield
• Chris Lodico, Senior Director, HCSC
• Kathy McKenna-Sauerman, Director, Third-Party Cyber Risk, Humana
• Tim Witos, Vice President Information Security, McKesson
• David Finkelstein, CISO, St. Luke’s University Health Network
• Lane Sullivan, SVP, Chief Information Security Officer, Magellan Health
“As evidenced by the substantial number of third-party breaches, the healthcare industry has not done a good job of addressing third-party risk,” said John Houston, vice president of information security and privacy at UPMC, in a statement. “I do not believe that those efforts have been effective or a good value for the money. The Health3PT Council has arrived upon a solution to this challenge. It starts with organizations adopting the Health3PT Recommended Practices and leveraging the HITRUST assessment portfolio.”