New healthcare cybersecurity council wants to make HITRUST the standard for assessing third-party risks

A group of CISOs will push the industry to adopt HITRUST certification to assess third-party vendors' security posture. (Getty/gintas77)

A new council of healthcare chief information security officers (CISOs) will push the industry to adopt a standard certification to manage third-party vendor risk.

As hospital systems and data have moved from local infrastructure to the cloud, providers’ ability to directly secure data has diminished. That change in the security landscape creates headaches for hospitals that need to assess third-party vendors to ensure they treat data securely and comply with applicable regulations, particularly HIPAA, says John Houston, vice president of information security and privacy and associate counsel at the University of Pittsburgh Medical Center.

Along with CISOs from institutions such as Wellforce/Tufts Medical Center, Allegheny Health Network, Cleveland Clinic, the University of Rochester Medical Center and Vanderbilt University Medical Center, Houston serves on the Provider Third Party Risk Management Council, which recently launched to promote information-security best practices up and down the healthcare supply chain.


The group’s first big push will encourage both providers and vendors to adopt the HITRUST CSF Certification standard as a way to streamline the vetting process. According to Houston, the group has worked closely with HITRUST to develop a standard robust enough that he and his fellow CISOs are willing to rely solely upon it to qualify vendors.

“What’s nice about HITRUST is really twofold. First, it’s historically been specific to healthcare, and it rolls up the framework of not just security standards like NIST or COBIT or whatever, but it also is designed to look at the regulations,” says Houston. For example, the framework ensures vendors’ practices comply with HIPAA.

During the certification process, an independent assessor evaluates the vendor against the HITRUST framework and then submits its work papers to HITRUST for scoring and quality assurance. That gives providers a level of consistency from one assessment to the next. HITRUST also performs a gap analysis, which providers can request to help them further assess a vendor’s security posture.


From a provider’s standpoint, that process saves substantial resources, according to Houston.

“If I don’t have HITRUST, my team has to send that vendor our security questionnaire of a couple hundred questions, review the answers, and ask other questions potentially, and do a bunch of things to try to divine what that vendor’s security posture is and what their maturity is and the like,” he said. “That’s a lot of work, and often what we get back in response is incomplete.”

The council also sees value in pushing for widespread adoption of HITRUST certification from a vendor’s perspective. Though the assessment means extra cost, vendors could potentially save themselves time and resources currently spent navigating individual providers’ qualification processes.
