BOSTON--(BUSINESS WIRE)--The standardized method for assessing the risk management posture of third party suppliers to healthcare firms, envisioned by the recently formed Provider Third Party Risk Management Council, is gaining momentum and support throughout the industry as security leaders from both healthcare providers and their suppliers embrace the unified approach.
Led by Governing Members consisting of prominent Chief Information Security Officers (CISOs) throughout the healthcare sector, the Council and its growing number of participants are adopting a consistent approach that addresses the information security-related risks in their organizations’ supply chains and safeguards patient safety and information.
“The Council is committed to improving risk management for providers and efficiencies for third parties who support healthcare organizations throughout the sector,” says Taylor Lehmann, CISO of Wellforce, Founding Participant of the Council, and Governing Member. “As industry leaders we need to collaborate to solve problems, and we will actively engage with HITRUST to lend our leadership to benefit the healthcare sector.”
One of the goals for the Council is to address the inefficiencies found in the third party supply chain ecosystem. Suppliers are commonly required by their customers to respond to unique questionnaires or other assessment requests relating to their risk management posture. Reducing the multiple audits and questionnaires will produce financial savings that allow business partners to invest in substantive risk reduction efforts rather than redundant assessments.
“By reducing wasted effort and duplication, suppliers will find their products and services will be acquired more quickly by healthcare providers,” says Founding Participant and Governing Member, Omar Khawaja, VP and CISO of Allegheny Health Network and Highmark Health. “This will also reduce the complexity of contracts and provide third parties with better visibility regarding the requirements to do business with providers.”
Since the Provider Third Party Risk Management Council and associated program were announced in August, an expanding number of healthcare organizations – from providers to supply chain business associates and vendors – have been advocating that a more efficient approach to third party assurance is necessary and striving to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties.
“The desire to establish a standard, effective and scalable method for assessing the privacy and security of third parties is resonating with providers of all sizes,” says John Houston, Vice President, Privacy and Information Security & Associate Counsel of UPMC, Founding Participant of the Council, and Governing Member. “The leaders throughout the industry recognize their responsibility and role in improving the protection of patient and sensitive information and streamlining the assurance process.”
In addition to the original Founding Participants, the Governing Members have been expanded to include: Nuance, The Mayo Clinic, Multicare, Indiana University Health, Children’s Health Dallas, Phoenix Children’s Hospital, and Banner Health.
The Council recognizes the value of the HITRUST CSF® and its assurance programs to better manage risk, and each organization on the Council will be requiring their third parties to become HITRUST CSF Certified. The HITRUST CSF Certification will serve as the standard for third parties providing services where they require access to patient or sensitive information and be accepted by all the Council’s organizations. The HITRUST CSF Assurance Program is already the most widely adopted assessment approach by healthcare organizations and used by third parties to evaluate and communicate their information privacy and security posture. HITRUST will continue to work closely with Council members and their organizations to ensure its programs are the hallmark for the industry.
The Founding Participant organizations for the Provider Third Party Risk Management Council include:
- Allegheny Health Network
- Cleveland Clinic
- University of Rochester Medical Center
- Vanderbilt University Medical Center
- Wellforce, parent of Tufts Medical Center
More information on the Provider Third Party Risk Management Council and how your organization can join, contribute to and adopt its policies and practices can be found at http://provider-tprm.org
Register here for a webinar about the Provider Third Party Risk Management Council on Thursday, December 13th at 12 p.m. (CST).
About the Provider Third Party Risk Management Council
Representing Chief Information Security Officers from leading health systems and hospitals, the Provider Third Party Risk Management Council strives to share best practices in managing third party risk to deliver on their organizations’ mission of safeguarding sensitive information. The Council is collaborating with industry and HITRUST to create a comprehensive set of practices that organizations can adopt to manage third party risk effectively, in a way that is efficient for both their organizations and the entire third party ecosystem.
Members of the Council observed their supply chains are filled with third parties who support the care delivery process and require access to patient information – properly vetting and monitoring these third parties is a major challenge, and in some cases, insurmountable for many organizations who simply don’t have the expertise or resources. Through innovation and industry leadership, the Provider Third Party Risk Management Council has developed and adopted common vetting and oversight practices that will benefit health systems, hospitals and other providers in the US and around the world.