A new council of healthcare chief information security officers (CISOs) will push the industry to adopt a standard certification to manage third-party vendor risk.
As hospital systems and data have moved from local infrastructure to the cloud, providers’ ability to directly secure data has diminished. That change in the security landscape creates headaches for hospitals that need to assess third-party vendors to ensure they treat data securely and comply with applicable regulations, particularly HIPAA, says John Houston, vice president of information security and privacy and associate counsel at the University of Pittsburgh Medical Center.
Along with CISOs from institutions such as Wellforce/Tufts Medical Center, Allegheny Health Network, Cleveland Clinic, the University of Rochester Medical Center and Vanderbilt University Medical Center, Houston serves on the Provider Third Party Risk Management Council, which recently launched to promote information-security best practices up and down the healthcare supply chain.
The group’s first big push will encourage both providers and vendors to adopt the HITRUST CSF Certification standard as a way to streamline the vetting process. According to Houston, the group has worked closely with HITRUST to develop a standard robust enough that he and his fellow CISOs are willing to rely solely upon it to qualify vendors.
“What’s nice about HITRUST is really twofold. First, it’s historically been specific to healthcare, and it rolls up the framework of not just security standards like NIST or COBIT or whatever, but it also is designed to look at the regulations,” says Houston. For example, the framework ensures vendors’ practices comply with HIPAA.
During the certification process, an independent assessor uses the HITRUST framework and then submits work papers to HITRUST for scoring and quality assurance. That ensures providers a level of consistency from one assessment to another. HITRUST also does a gap analysis, which providers could request to help them further assess a vendor’s security posture.
From a provider’s standpoint, that process saves substantial resources, according to Houston.
“If I don’t have HITRUST, my team has to send that vendor our security questionnaire of a couple hundred questions, review the answers, and ask other questions potentially, and do a bunch of things to try to divine what that vendor’s security posture is and what their maturity is and the like," he said. "That’s a lot of work, and often what we get back in response is incomplete.”
The council also sees value in pushing for widespread adoption of HITRUST certification from a vendor’s perspective. Though the assessment means extra cost, vendors could potentially save themselves time and resources currently spent navigating individual providers’ qualification processes.