Healthcare Information Security

Vendor Risk Management Key Focus in Recent HITRUST Program

HITRUST launched an exchange to assist organizations in streamlining how they monitor and oversee vendor risk management.

By Elizabeth Snell

A new HITRUST exchange aims to help entities as they request and receive third-party security and privacy risk assessment information, streamlining the vendor risk management process.

The HITRUST Assessment Exchange will utilize the HITRUST CSF Assurance Program to simplify how organizations manage and monitor third-party privacy and security information, according to a HITRUST announcement.

“Any program designed to streamline the vendor risk management process must avoid assessment shortcuts and be based on a comprehensive, transparent, scalable and broadly adopted assessment approach such as the CSF Assurance Program,” HITRUST CEO Daniel Nutkis explained in a statement. “Until now assessment exchanges have lacked widespread acceptance, comprehensive assessment criteria, transparency and consistency, or simply haven’t supported exchanging the right level of assessment details with the company’s existing vendor risk management systems.”

The Assessment Exchange is especially relevant for healthcare organizations, HITRUST maintained. Healthcare covered entities must utilize business associate agreements with their chosen business associates, and need to ensure that PHI will remain secure with any third parties.

Organizations in all sectors will also offload administrative and time-consuming activities with the Assessment Exchange. This includes identifying the appropriate individual or function at a vendor, communicating assurance requirements, and receiving status information.

HITRUST explained that entities can also remove the administrative burdens and related distractions for information security and procurement departments.

Finally, organizations can deliver a HITRUST CSF assessment report in a format that can be put into existing vendor risk management systems.

Health Care Service Corporation DSVP and Chief Information Security Officer Kevin Charest noted that being able to utilize HITRUST CSF assessments for vendor risk management proves efficient for both parties.

“We were still left with the highly inefficient task of identifying the appropriate person at each vendor organization, communicating with them, obtaining the HITRUST CSF Assessment Report and getting the information into our vendor risk management system,” Charest said in a statement. “The HITRUST Assessment Exchange automates the entire process for us across all our vendors.”

Organizations leveraging the Assessment Exchange will also be given progress updates, and can engage when a vendor is not meeting the necessary privacy and security requirements, according to HITRUST.

“The HITRUST Assessment Exchange is intended to integrate with, and not replace, an organization’s existing vendor risk management system, allowing specific vendors and assessments to be assigned to the HITRUST Assessment Exchange and to receive the HITRUST CSF Assessment report in a fully consumable format – eliminating the manual posting of key assessment details,” HITRUST explained.

The Assessment Exchange also aims to assist vendors, and help them streamline and simplify how they work with business partners. Vendors often work with numerous organizations, and might have numerous third-party assessment approaches. This will help vendors “assess once, report many,” according to HITRUST.

“With HITRUST's ability to engage with a vendor on behalf of multiple organizations, it streamlines the communications and interactions for that vendor by reducing the number of organizations making similar requests and automating the process, making business engagements much more efficient,” HITRUST noted.

Improving how organizations create and maintain their privacy and security programs is a priority for HITRUST, as was also shown by its recent partnership with the Electronic Healthcare Network Accreditation Commission (EHNAC).

That partnership also focused on streamlining and simplifying privacy and security, as EHNAC can now provide HITRUST CSF services. Security and compliance assurances can be streamlined, helping healthcare organizations specifically approach those tasks.

Toward the end of 2016, EHNAC reported that it would replace its HIPAA-related privacy and security criteria with the HITRUST CSF provisions and controls. However, EHNAC will still maintain its stakeholder-specific benefits to the accreditation process.

“We are now the only organization in the industry with the ability to provide both EHNAC accreditation and HITRUST CSF certification,” EHNAC Executive Director Lee Barrett said in an earlier interview. “Organizations that obtain a CSF certification may also leverage that assessment in obtaining accreditation for any of EHNAC’s 18 stakeholder-specific accreditation programs.”

