Healthcare CISOs reach out to over 15,000 third party vendors to encourage standardized risk assessments and improve protection against supply chain attacks
FRISCO, Texas–(BUSINESS WIRE)–The Health 3rd Party Trust (Health3PT) Initiative today announced significant momentum with the rapid growth of its membership, including the addition of large national healthcare leaders, and its first deliverables in an industry-wide effort to protect the nation’s healthcare ecosystem against increasing cybersecurity supply chain attacks.
“We are excited to join Health3PT and contribute to the industry movement toward managing the full lifecycle of third-party risk in an effective, efficient and sustainable way,” said Rakesh Sharma, Senior Director, Cybersecurity at Cleveland Clinic and new Health3PT participant.
In addition, member organizations have notified over 15,000 vendors of their requirements to provide reliable, standardized assessments, in lieu of proprietary questionnaires that often lack appropriate controls, scope, and assurances. As a result of these requirements, vendors who provide a HITRUST Assessment (e1, i1 or r2) will greatly reduce the time required to respond to multiple, redundant assessment requests and speed the onboarding process with Health3PT organizations.
“I think it is fair to say that most healthcare CISOs want to effectively manage third party risk but have struggled to do it efficiently because there lacked a consistent set of requirements or practices we could align as an industry and with our vendor partners,” said John Houston, CISO, UPMC. “Health3PT is solving that challenge for the industry.”
Health3PT is kicking off the first of many deliverables planned for 2023:
Health3PT Third Party Risk Industry Survey: Designed to provide meaningful insights for healthcare organizations and vendor stakeholders, this independent research will deliver third-party risk metrics and benchmark the state of the industry. Survey results are expected to be published in June 2023.
Health Industry Recommended Practices for Third Party Risk Management (TPRM): Created to ensure the healthcare industry has a consistent set of TPRM practices that are keeping up with emerging cyber threats and the adoption of Cloud, AI and other industry solutions while aligning with modern-day risks. Health3PT organizations have come together to affirm these practices, develop guidance for proper implementation and demonstrate due diligence and due care—while improving effectiveness, reducing inefficiencies, and demonstrating leadership in TPRM.
Health3PT Vendor Directory: This directory of vendors that have obtained various HITRUST certifications (e1, i1 or r2) will assist organizations in identifying vendors they can trust and in contracting more quickly based on the inherent risk the vendor poses to their organization. The directory was created to allow contracting organizations to identify vendors that meet their information risk management requirements before and during the vendor selection process.
Health3PT Third Party Risk Virtual Summit: This inaugural industry-wide event will be held on June 7th, 2023, and allow vendors to hear from various customers and relying parties on their expectations, understand their risk reporting requirements, and offer the opportunity for vendors to ask questions.
“The Virtual Summit is the first event organized to give vendors a ‘voice’ and collaborate in a trusted environment with their healthcare customers to improve the efficiency and state of third-party risk for all stakeholders,” said Matthew Webb, AVP, Product Security of a leading national healthcare Group Purchasing Organization and Chair of the Health3PT Events Committee.
“The Health3PT Initiative will significantly help to provide standards and resources that will streamline the cyber risk process with documenting the contractual and regulatory obligations for the organization or business line. Passing those requirements to vendors is an important step you must take in protecting your data,” said Lane Sullivan, SVP, Chief Information Security Officer, Magellan Health (a Centene Corporation company) and new Health3PT participant.
“The Vendor Directory will be a great tool in the vendor selection process. It will encourage vendors to meet a standardized security posture in a timely manner. As importantly, it demonstrates progress in driving the industry towards a common approach and solution to third party risk management with the hope the community will take action,” said John Chow, CISO, Healthix.
The Health3PT Initiative is dedicated to bringing standards, credible assurance models, and automated workflows to solve the third-party risk management problem and advance the mission to safeguard sensitive information.
To learn more and get involved:
Vendors interested in being listed in the Vendor Directory can complete a form here
Take the TPRM Survey for Covered Entities and Business Associates/Vendors here
To join the Health3PT initiative and for more details visit Health3PT.org
About the Health3PT Initiative
Representing leaders from health providers, payers, and healthcare services, the Health3PT Council strives to share best practices in managing third-party risk to deliver on their organizations’ mission of safeguarding sensitive information. By driving collaboration with industry and government, the Health3PT Initiative is enabling a standardized approach that organizations can adopt to effectively and efficiently manage third-party risk within their organization and to protect the entire third-party ecosystem. Health3PT is supported by HITRUST, the industry-recognized risk and compliance standards and certification body, and CORL, the healthcare third-party risk management services and solutions provider.
Kesselring Communications for Health3PT