Nation's Health CISOs Take Lead to Manage Third-Party Risk
Recommend approach to manage third-party risk and streamline supply
chain ecosystem

Prominent Chief Information Security Officers (CISOs) from leading
health systems and providers throughout the country have come together
to establish the Provider Third Party Risk Management Council to
develop, recommend and promote a series of practices to effectively
manage the information security-related risks in their supply chains
and to safeguard patient safety and information.

Members of the Council observed that their supply chains are filled with
third parties who support the care delivery process and require access
to patient information. Properly vetting and monitoring these third
parties is a major challenge, and in some cases insurmountable, for
organizations that simply don't have the expertise or resources. Through
innovation and industry leadership, the Provider Third Party Risk
Management Council is developing common vetting and oversight practices
that will benefit health systems, hospitals and other providers in the
United States and around the world.

"Health systems and other providers need to be more active in assessing
and monitoring risks posed by third parties to protect patient
information while delivering effective care," says Taylor Lehmann, CISO
of Wellforce, parent organization of a health system that includes Tufts
Medical Center and Floating Hospital for Children. "The primary
challenge is organizations can engage with vendors of various sizes,
maturity and complexity without really knowing whether the vendor should
be engaged in the first place based on their beliefs and investment in

Lehmann says a third party may have a small number of customers or
possibly hundreds or thousands to serve. For those third parties, the
same challenge has meant lost time and resources spent attempting to
comply with each customer organization's separate risk management
requirements, which is inefficient for both sides.

The council is working with HITRUST and its assurance programs on this
initiative to better manage risk. The organizations on the council have
each independently decided to require their third-party vendors to
become HITRUST CSF Certified within the next 24 months. HITRUST CSF
Certification will serve as their standard for third parties providing
services that require access to patient or sensitive information, and it
will be accepted by all the council's organizations. The HITRUST CSF
Assurance Program is already the most widely adopted assessment approach
used by healthcare organizations, and by their third parties, to evaluate
and communicate their information privacy and security posture. HITRUST
will continue to work closely with council members and their
organizations to ensure its programs remain the hallmark for the
industry.

"Our patients expect us to not only deliver robust healthcare to keep
them healthy, but also to preserve the trust they have in us by
safeguarding their sensitive data. When our patients' sensitive data is
shared with our third parties, it's important that we have adequate
controls in place. By aligning our third parties' controls to HITRUST
CSF, a leading industry framework that evolves with the changing cyber
landscape, our customers feel more confident their sensitive data is in
good hands," says Omar Khawaja, VP and CISO, Allegheny Health Network
and Highmark Health.

Goal of the Provider Third-Party Risk Management Council

The Provider Third Party Risk Management Council* recognizes that
a more efficient approach to third-party assurance is necessary and
strives to improve how the industry approaches assessing, monitoring,
and responding to risks posed by third parties. By choosing to adopt a
single comprehensive assessment and certification program, healthcare
organizations represented by the council are prioritizing the safety,
care, and privacy of their patients by providing clarity and adopting
best practices that their vendors can also adopt, while providing
vendors the expectation of what it takes to do business with their

"We believe the healthcare industry as a whole, our organizations and
our third parties will benefit from a common set of information security
requirements with a standardized assessment and reporting process," says
John Houston, Vice President, Privacy and Information Security &
Associate Counsel, UPMC. "We are strongly encouraging other provider
organizations to follow suit and adopt these principles."

Council member organizations have each announced they will accept
HITRUST CSF Certification in lieu of a separate assessment,
questionnaire, audit or certification report.

*The founding member organizations for the Provider Third Party Risk
Management Council include:

  • Allegheny Health Network
  • Cleveland Clinic
  • University of Rochester Medical Center
  • UPMC
  • Vanderbilt University Medical Center
  • Wellforce/Tufts University

Learn more about the council and how your organization can utilize its
policies and practices at the Provider Third Party Risk Management
Council.

About the Provider Third Party Risk Management Council

Representing Chief Information Security Officers from leading health
systems and hospitals, the Provider Third Party Risk Management Council
strives to share best practices in managing third-party risk to deliver
on their organizations' mission of safeguarding sensitive information.
The Council is collaborating with industry and HITRUST to create a
comprehensive set of practices that organizations can adopt to manage
third-party risk effectively and efficiently, for both their own
organizations and the entire third-party ecosystem.

About HITRUST

HITRUST is a not-for-profit organization whose mission is to
champion programs that safeguard sensitive information and manage
information risk for organizations across all industries and throughout
the third-party supply chain. In collaboration with privacy, information
security and risk management leaders from both the public and private
sectors, HITRUST develops, maintains and provides broad access to its
widely adopted common risk and compliance management and
de-identification frameworks; related assessment and assurance
methodologies; and initiatives advancing cyber sharing, analysis and

Learn more at
