Global Companies Join Forces to Tackle Third-Party Risk Management Challenges

HITRUST names founding members of newly formed Third-Party Risk Management Council

FRISCO, Texas--()--HITRUST® announced today the formation of the HITRUST Third-Party Risk Management (TPRM) Council to foster collaboration between companies, third-party vendors, and advisory service firms. The mission for the TPRM Council is to drive efficiencies and effectiveness as it relates to identifying, assessing, and mitigating risk in the complex supply chain ecosystem.

Founding members of the TPRM Council are global security, risk, compliance, and audit executives representing a diverse cross-section of organizations. TPRM Council members are committed to identifying and supporting approaches to improve the current TPRM process—with a focus on increasing effectiveness and reducing inefficiencies.

“One of our goals for the Council is to ensure organizations are considering the impact on the supply chain as they mandate assurance requirements on their third parties,” said Dr. Bryan Cline, Chief Research Officer at HITRUST. “We are providing a collaborative forum for customers, their vendors, and their advisors to discuss these challenges, identify actionable solutions, and provide inputs directly to HITRUST on the approach toward doing just that—in the most effective, efficient manner.”

The need to ensure appropriate privacy and security over sensitive and confidential information, such as protected health information (PHI) or personally identifiable information (PII), with third-party vendors has never been more important. However, many current approaches to managing third-party risk have unintended, widespread impacts on companies and their vendors. Challenges exist around inconsistent and uncoordinated requirements that lead to redundant assessments. The results are inefficient uses of time, higher costs, increased burdens, and ineffective mitigation strategies.

“The HITRUST TPRM Council will serve to bring together customers, vendors, and partners across the ecosystem, helping to establish standards for both effectiveness and efficiency,” said Ashish Gupta, Vice President, Cyber & Data Product Management at Mastercard. “These objectives are in line with what we do every day at Mastercard, enabling better, more rewarding, and more secure experiences for businesses and individuals alike.”

The founding members of the TPRM Council include:

  • Amazon Web Services (AWS)Hadis Ali, Security Assurance Manager
  • AT&T Vecky Juko, Associate Director, Supplier Governance, Global Benefits
  • Broadridge FinancialSandra Rohrer, Sr. Director, Product Management, Marketing and Regulatory Communications
  • Change HealthcareSusan Richards, Director, Information Security
  • CoalfireZachary Shales, Director, Healthcare Assurance
  • ConduentTroy Bos, Director, Client Assurance
  • CVS HealthSteve Meallo, Information Security Program Management
  • Frist Cressey VenturesChris Booker, Partner
  • Frazier & DeeterAndrew Hicks, VP, Risk Assurance
  • Google Sam Morales, Program Manager, Cloud Compliance
  • Health Care Service Corporation (HCSC)Chris Lodico, Sr. Director, Information Security
  • HumanaMatt Phillips, Enterprise Information Security
  • Mastercard Ashish Gupta, VP, Cyber & Data Product Management
  • Microsoft Azure David Houlding, Director of Healthcare Experiences
  • Rite AidRobert Lautsch, CISO
  • TeleperformanceJeffery Schilling, Global CISO
  • UnitedHealth GroupBrian Troen, Sr. Director, Risk Governance & Supplier Management
  • University of Pittsburgh Medical CenterJohn Houston, VP, Information Security & Privacy
  • Vonage Ordia Bryan, Sr. Manager, Global Security Compliance

To learn more, visit:

Industry professionals are invited to stay apprised of the HITRUST TPRM Council’s activities by joining HITRUST Central, a new online community. To join, visit

About HITRUST Third-Party Risk Management (TPRM)

The HITRUST TPRM and HITRUST CSF® Assurance Programs together can streamline and improve the TPRM process. HITRUST’s robust approach incorporates inherent risk, which helps to recommend controls required for inclusion and provides an appropriate level of assurance. Simplifying the TPRM process, in addition to layering in staff on-demand and software as a service, means that relying parties can streamline and scale their TPRM programs cost-effectively. Vendors benefit from being able to utilize a single assessment to be reported out in multiple ways for an Assess Once, Report Many™ approach.


Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as related assessment and assurance methodologies. For more information, visit


Mike Canale: | (469) 269-1193

Release Summary

HITRUST announces the formation of the HITRUST Third-Party Risk Management Council to address global risk management challenges.


Mike Canale: | (469) 269-1193