- Share this item with your network:
- Download
Information Security
- Editor's letterIndustries seek to improve third-party security risk controls
- Cover storyCloud-first? User and entity behavior analytics takes flight
- InfographicBeware of the gray hat hacker, survey warns
- FeatureCISOs face third-party risk management challenges
- ColumnKurt Huhn discusses the role of CISO in the Ocean State
- ColumnWhite hat Dave Kennedy on purple teaming, penetration testing
Denys Rudyi - Fotolia
Industries seek to improve third-party security risk controls
Healthcare security leaders are developing industry best practices for better third-party risk management using common assessment and certification standards.
CISOs are making strides in some industries to drive support for a common set of information security requirements to help manage third-party security risk.
Taylor Lehmann, CISO of Wellforce, the parent organization of Tufts Medical Center, and Omar Khawaja, CISO of Alleghany Health Network and Highmark Health, joined forces with security leaders from the healthcare industry to create the Provider Third-Party Risk Management Council. Announced in August, the council is working with the Health Information Trust Alliance (HITRUST) to develop industrywide best practices for managing third-party security risk associated with supply chain vendors and their information security-related systems.
The goal is to create and adopt a common third-party assessment and certification process for healthcare industry providers and their vendors -- companies that have to spend considerable time and money attempting to meet the information security requirements of different hospitals and health plans.
The founding members of the healthcare Provider Third-Party Risk Management Council include Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center and Wellforce/Tufts Medical Center.
The healthcare consortium is working with the nonprofit HITRUST Alliance, an organization whose Common Security Framework is purportedly consensus-driven, to meet security requirements for sensitive healthcare data such as electronic protected health information and personally identifiable information. According to HITRUST, the risk-based framework derives its control requirements from the International Organization for Standardization and other sources, such as NIST, PCI and HIPAA. Council members will require their third-party vendors to have a HITRUST Common Security Framework (CSF) certification -- irrespective of other third-party security risk assessments, audits and certifications -- within 24 months. The CSF framework is already used by about 80% of hospitals and health plans, according to HITRUST. Some international companies have adopted the CSF framework, but it is primarily used by those that supply U.S. health providers.
Analysts expect more industries to begin to work together in consortiums to ease the burden of third-party security risk assessments and audits with information sharing and standardized certification and reporting requirements. CISOs, at least in healthcare, are out in front of this effort.
Related Resources
Dig Deeper on Risk management
-
How revenue cycle management’s security needs are evolving
-
Cybersecurity Preparedness Tied to Lower Insurance Premium Increases
-
HITRUST Responds to RFI on Cybersecurity Regulation Harmonization
-
Top 12 IT security frameworks and standards explained