Denys Rudyi - Fotolia
- Kathleen Richards, Information Security
CISOs are making strides in some industries to drive support for a common set of information security requirements to help manage third-party security risk.
Taylor Lehmann, CISO of Wellforce, the parent organization of Tufts Medical Center, and Omar Khawaja, CISO of Alleghany Health Network and Highmark Health, joined forces with security leaders from the healthcare industry to create the Provider Third-Party Risk Management Council. Announced in August, the council is working with the Health Information Trust Alliance (HITRUST) to develop industrywide best practices for managing third-party security risk associated with supply chain vendors and their information security-related systems.
The goal is to create and adopt a common third-party assessment and certification process for healthcare industry providers and their vendors -- companies that have to spend considerable time and money attempting to meet the information security requirements of different hospitals and health plans.
The founding members of the healthcare Provider Third-Party Risk Management Council include Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center and Wellforce/Tufts Medical Center.
The healthcare consortium is working with the nonprofit HITRUST Alliance, an organization whose Common Security Framework is purportedly consensus-driven, to meet security requirements for sensitive healthcare data such as electronic protected health information and personally identifiable information. According to HITRUST, the risk-based framework derives its control requirements from the International Organization for Standardization and other sources, such as NIST, PCI and HIPAA. Council members will require their third-party vendors to have a HITRUST Common Security Framework (CSF) certification -- irrespective of other third-party security risk assessments, audits and certifications -- within 24 months. The CSF framework is already used by about 80% of hospitals and health plans, according to HITRUST. Some international companies have adopted the CSF framework, but it is primarily used by those that supply U.S. health providers.
Analysts expect more industries to begin to work together in consortiums to ease the burden of third-party security risk assessments and audits with information sharing and standardized certification and reporting requirements. CISOs, at least in healthcare, are out in front of this effort.