
Health3PT Unveils First Actions to Address Third-Party Risk Management

The Health3PT Initiative tackles third-party risk management challenges with standardized assessments for 15,000 vendors, a Third-Party Risk Industry Survey, recommended practices, and a Vendor Directory plan.


By Sarai Rodriguez

The Health 3rd Party Trust (Health3PT) Initiative has unveiled its first deliverables to tackle third-party cyber risk management (TPRM) in healthcare, backed by a rapidly growing membership of national healthcare leaders.

Health3PT was formed in early 2023 with the goal of implementing new standards, automated workflows, and assurance models for third-party risk. The Health3PT council comprises security and risk executives from prominent organizations, including HCA Healthcare, Humana, UPMC, Walgreens, and CVS.

In its latest announcement, Health3PT stated that its healthcare CISOs have contacted over 15,000 third-party vendors to encourage standardized risk assessments.

The member organizations have communicated to vendors the need for dependable, standardized evaluations instead of proprietary questionnaires, which often lack adequate controls, scope, and assurances.

By undergoing a HITRUST Assessment, vendors can more effectively demonstrate their dedication to security and compliance. This offers a notable advantage for vendors seeking contracts with healthcare organizations, giving them a competitive edge over those without the certification. Furthermore, it helps ensure that all vendors adhere to the same high standards, decreasing the chances of data breaches and other security incidents.

“I think it is fair to say that most healthcare CISOs want to effectively manage third-party risk but have struggled to do it efficiently because there lacked a consistent set of requirements or practices we could align on as an industry and with our vendor partners,” said John Houston, CISO, UPMC. “Health3PT is solving that challenge for the industry.”

One of Health3PT's initial priorities is the development of a “Third Party Risk Industry Survey,” which aims to provide valuable insights for healthcare organizations and vendor stakeholders. This independent research, expected to be published in June 2023, will deliver third-party risk metrics and establish benchmarks for the industry's current status.

“The Health3PT Initiative will significantly help to provide standards and resources that will streamline the cyber risk process with documenting the contractual and regulatory obligations for the organization or business line. Passing those requirements to vendors is an important step you must take in protecting your data,” said Lane Sullivan, SVP, chief information security officer of Magellan Health (a Centene Corporation company) and a Health3PT participant.

Additionally, the council plans to introduce the Health Industry Recommended Practices for TPRM. According to the press release, these practices have been created to give the healthcare industry a consistent set of TPRM guidelines that address emerging cyber threats and the integration of cloud, AI, and other industry solutions, while keeping pace with contemporary risks.

Another tool that the council has introduced is the Health3PT Vendor Directory. This directory lists vendors who have obtained certifications such as HITRUST e1, i1, or r2, making it easier for organizations to identify trusted vendors and quickly make informed decisions about which vendors to work with based on their information risk management requirements.

Finally, the council is hosting the Health3PT Third Party Risk Virtual Summit on June 7th, 2023. This industry-wide event will bring together vendors and customers to discuss their expectations and risk reporting requirements, as well as provide vendors with an opportunity to ask questions and better understand the needs of their customers. Overall, this summit will be an essential platform for promoting collaboration and best practices in TPRM within the healthcare industry.

These developments emerge as TPRM continues to pose a significant challenge for healthcare organizations, as highlighted by the many third-party data breaches reported to HHS in 2022. As healthcare organizations continue to expand their vendor networks, existing TPRM strategies need to be improved, as experts noted during a panel session at the 3rd Annual HealthITSecurity Virtual Summit.

Besides these emerging initiatives to tackle TPRM, industry professionals emphasized the importance of fostering a robust relationship with potential vendors from the outset. Panelists suggested that well-defined and succinct contract language is essential for obtaining security assurances and promoting transparency and collaboration throughout the vendor relationship.