Quickly Evaluate Third-Party Business Partners with HITRUST® Risk Triage

HITRUST® continues its mission to streamline compliance processes for organizations working with sensitive data with the newly released HITRUST Third-Party Assurance (TPA) Risk Triage Methodology™. Originally launched in 2019, this methodology was designed to standardize and accelerate the process of selecting vendors and business partners.

The same alliance that has simplified the risk management and compliance attestation process for organizations, covered entities, and their business associates in the healthcare industry, and beyond, with the HITRUST CSF®, now has another helpful security tool. The HITRUST TPA Risk Triage Methodology is part of the HITRUST CSF Assurance Program. As such, it was built to help reduce the costs and complexity of compliance, while increasing the effectiveness of risk management programs.

Interested to learn how it can make the process more efficient for your organization? Keep reading.

Need for Consistency in Evaluating Risk When Working with New Third Parties

Regulatory compliance is becoming more complex as cyberthreat rises, security requirements increase, and regulatory standards evolve. Internally, organizations are spending more and more time ensuring that their cybersecurity measures meet standards and attesting to compliance with multiple, often overlapping, sets of regulations. Plus, organizations also need assurance that their external business partners also uphold the required security standards.

Until now, the process for vetting the security posture of vendors desperately needed to be simplified. There was no common or consistent way to determine which information risk assurances were needed for an organization to share sensitive data with a third party. Naturally, this caused confusion and created problems for organizations. Here some examples:

• Requiring high-level assurance from businesses that presented low risk,
• Not requiring enough assurance when engaging in higher-risk business relationships,
• Relying on inappropriate information protections when qualifying third parties,
• Inappropriate evaluation of the effectiveness of a third party’s security and privacy controls,
• All the resulting overlaps and gaps, and
• All the resulting inefficiencies, unnecessary risk, and extra costs.

“Until today’s release of the HITRUST TPA Risk Triage Methodology, there was no consistent approach to determining what type of assurance a third party should provide and maintain in cases where information or intellectual property is shared,” says Taylor Lehmann, co-chair of Provider TPRM Council. “This void either creates inefficiencies as organizations are seeking greater assurances from their third parties than is warranted, or they are not seeking the level of assurance needed to meet compliance requirements and avoid unnecessary risk exposure.”

In the same way that the HITRUST CSF provides a standard framework for assessing security and privacy, the HITRUST TPA Risk Triage Methodology is meant to standardize the process of evaluating risk when selecting new vendors.

HITRUST Third-Party Assurance (TPA) Risk Triage Methodology

Every link in the entire supply chain, where sensitive data and/or PHI is transmitted, needs to be safeguarded from cybersecurity threats. The HITRUST TPA Risk Triage Methodology helps organizations qualify links before adding them to their supply chain. It’s a reliable, consistent way to assess the inherent risk that would come with doing business with a selected vendor.

The HITRUST TPA Risk Triage Methodology enables a business to quickly determine the type and rigor of assurance required of vendors and business partners. It does this through:

1. Highlighting the information organizations need to efficiently assess inherent risk – categorized as organizational, compliance, and technical risk – and triage third parties.
2. Outlining a standardized guide to choosing a risk assessment that will deliver the right level of assurance for the risk posed by each vendor.
3. Providing a reliable HITRUST CSF Trust Score™ for self-assessments used to evaluate the progress of third parties between the HITRUST CSF Readiness Assessment and the HITRUST CSF Validated Assessment.
4. Carrying out a gap analysis of a third party’s existing and target security measures, along with the creation of fitting corrective action plans (CAPs).
5. Assessing and reporting on risk relative to control maturity and potential control failure.
6. Formalizing risk acceptance with management addressing residual risk and security objectives.

Related article: Time to Talk to Your Business Associates About HITRUST CSF Certification?

HITRUST Risk Triage Methodology FAQs

Let’s try to answer some of your most pressing questions about this methodology.

How does using the HITRUST TPRM Methodology help my organization save time when it comes to compliance?

The risk triage methodology uses an automated approach and is easily repeatable. It facilitates a standardized evaluation of a vendor’s risk early in the vendor selection process so that your organization can make smart business decisions and make them faster.

Clear benchmarking allows you to quickly compare the levels of information security and individual privacy risk posed by competing vendors. Then, it will also expedite identifying and implementing the right measures to prevent and mitigate potential breach attacks.

“This risk triage methodology can be used as the first step in an organization’s third-party risk management process to quickly assess the risks inherent in the sharing of information with a particular third party and determine an appropriate assurance mechanism, thereby increasing efficiency and effectiveness of the process,” explained John Houston, Vice President, Information Security and Privacy, Associate Counsel at UPMC, and co-chair of Provider TPRM Council.

What type of organizations can utilize the HITRUST TPRM Methodology?

It’s a standard qualifying process that can be used by organizations of any size, working in any industry, and operating both domestically and internationally.

Though it is standardized, the methodology can also be flexible. For example, organizations can choose to weigh some factors more heavily than others when evaluating risk.

What other advantages come with utilizing the HITRUST TPRM Methodology?

This method was designed to support the entire supply chain. It helps organizations manage third-party risk consistently, efficiently, and effectively at a reduced cost. With widespread adoption, third parties will also be able to use the same TPRM assessment as attestation for multiple clients, further decreasing the time and expense of regulatory compliance.

Expert Help with HITRUST Assurance

Contact the team of professional assessors at I.S. Partners for help getting started with HITRUST assurance – from assessment preparation, to certification, to third-party risk management.

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.