Health3PT Launches the First Steps Towards Better TPRM
Companies with e1, i1, or r2 HITRUST certifications or planning to submit a verified assessment in the next year, are eligible to join the newly introduced Health 3rd Party Trust Vendor Directory. The Health 3rd Party Trust (Health3PT) Initiative will manage the directory, simplifying the process of finding trustworthy vendors and speeding up the selection and contracting stages. This could be beneficial for you and give your company an edge by letting potential clients know you meet their information risk management needs during the vendor selection process.
The Health3PT Initiative has made significant progress since its inception this year. It began when numerous healthcare organizations united to find effective, efficient, and creative methods of minimizing cyber risks within the healthcare sector’s third-party network. Members have already informed over 15,000 vendors about the need for reliable, consistent assessments, as proprietary questionnaires often don’t have suitable controls, scope, or guarantees. By providing a HITRUST Assessment (e1, i1, or r2), vendors can reduce the response time to multiple similar assessment requests and collaborate with Health3PT member organizations more efficiently and smoothly.
Why Is Third-Party Risk Management Critical in Healthcare?
Third-party risk management is essential in healthcare because the industry’s digital transformation has made medical facilities more susceptible to third-party liabilities. The Ponemon Institute’s report showed that 54% of third-party respondents experienced at least one data breach involving PHI in the last two years, while 41% had six or more breaches within the same timeframe.
Being a prime target for cybercriminals due to the value of patient data, the healthcare sector faced the highest number of incidents by industry in 2019, with 41% of facilities reporting a breach. Vendors often hold PHI and other crucial data but may have weaker security and compliance measures than healthcare facilities. Without proper risk management, they become more vulnerable to attacks and compromises.
Why Is TPRM a Challenge for Healthcare?
Managing third-party risk in healthcare remains challenging as organizations increasingly outsource key functions to vendors. A 2022 report revealed that 60% of surveyed healthcare organizations admitted their third-party risk management and compliance strategies needed improvement. The Cloud Security Alliance (CSA) cited several reasons for this, including a lack of automation, costly and time-consuming risk assessments, and partially or undeployed critical vendor management controls.
The growing number of vendors handling sensitive data increases complexity in data stewardship, access management, and other areas. The pandemic-induced rapid digital transformation has amplified risks as organizations adopted new technologies without fully considering security implications. Since reverting to pre-pandemic practices is impossible, continuously expanding vendor ecosystems will present new risk challenges. Cybercriminals are aware of this, causing a rise in third-party data breaches in the healthcare sector.
What is the Health 3rd Party Trust Initiative?
The Health 3rd Party Trust (Health3PT) Initiative aims to introduce standards, assurance models, and automated workflows to resolve third-party risk management issues and protect sensitive information.
Comprised of leaders from health providers, insurers, and services, the Health3PT Council works together to share best practices in managing third-party risk and protect sensitive information. The Health3PT Initiative is focused on creating a standardized approach for third-party risk management through collaboration with the industry and government. Health3PT is supported by HITRUST (an industry-recognized risk and compliance standards body) and CORL (a healthcare third-party risk management services and solutions provider).
The initiative has gained the support of national healthcare leaders. With members from major organizations such as HCA Healthcare, Humana, UPMC, Walgreens, and CVS, Health3PT emphasizes the importance of reliable, standardized assessments for vendors. Undergoing HITRUST certification helps vendors demonstrate their commitment to security and compliance, providing a competitive advantage and encouraging adherence to high standards to reduce data breaches and other security incidents.
Health3PT Roadmap for 2023
Health3PT’s initial priority is developing best practices for handling third-party risk, which includes pinpointing tools and methodologies, as well as addressing regulatory demands. The initiative is anticipated to release its first output in the first quarter of 2023, concentrating on industry benchmarking. Additionally, Health3PT intends to form working groups and organize a summit that brings together vendors, stakeholders, and assessor organizations to exchange ideas and insights.
- Health3PT Third Party Risk Industry Survey: This research will offer valuable insights for healthcare organizations and vendors, providing risk metrics and benchmarking the industry. The results will be published in June 2023.
- Health Industry Recommended Practices for Third Party Risk Management (TPRM): A set of guidelines to help the healthcare sector manage TPRM and keep up with emerging threats such as cloud and AI technologies.
- Health3PT Vendor Directory: A list of vendors with HITRUST e1, i1, or r2 certifications that helps organizations identify trustworthy vendors more easily during the selection process.
- Health3PT Third Party Risk Virtual Summit: An industry event on June 7th, 2023, that allows vendors to learn from customers and ask questions about risk reporting requirements.
Why Should HITRUST-Certified Organizations Join Health3PT?
Companies with HITRUST certification should join the Health3PT initiative because it demonstrates their commitment to robust security and compliance standards in the healthcare sector. By participating in the initiative, these companies contribute to a centralized effort, working alongside other industry-leading organizations to establish best practices for managing third-party risk.
By doing so, they strengthen their competitive advantage, build trust with healthcare organizations, and contribute to enhancing the overall security of healthcare’s digital ecosystem. Joining Health3PT also provides networking, knowledge-sharing, and collaboration opportunities, paving the way for better risk management in the sector.
Who Are Vendors in the Context of Health3PT?
In the context of the Health3PT initiative and the healthcare industry, vendors refer to third-party companies or service providers that offer various products, services, or solutions to healthcare organizations. These vendors play a crucial role in the healthcare ecosystem by supporting key functions or processes, such as IT services, data management, electronic health records, billing and administrative services, medical equipment and devices, and cybersecurity tools.
Vendors often have access to sensitive information, such as protected health information (PHI), making their adherence to security standards and efficient risk management vital for the overall security and reliability of the healthcare sector.
Resources
- Business Wire; Dan Gaffney, “Ponemon Institute Research Reveals Majority of Healthcare Vendors Have Experienced a Data Breach Exposing Protected Health Information,” March 2020.
- Health 3PT; Leslie Kesselring, “Health3PT Initiative Gains Momentum and Announces First Deliverables in Mission to Solve the Third Party Cyber Risk Problem,” April 2023.
- Health IT Security; Jill McKeon, “Healthcare CISOs Form Health3PT Council to Improve Third-Party Risk Management,” January 2023.
- HITRUST, “Health3PT Vendor Risk Management Summit,” 2023.
- Kiteworks, “2022 Sensitive Content Communications Privacy and Compliance Report,” April 2022.