January 11, 2023
By David Raths
Chief information security officers and risk management officials from 20 healthcare organizations have come together to identify new approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem. The Health 3rd Party Trust Initiative and Council (Health3PT) will seek to bring standards, credible assurance models, and automated workflows to solve the third-party risk management problem.
Leaders of the new group pointed to a survey published in the HIPAA Journal in August 2022 in which 55 percent of healthcare organizations reported suffering a third-party breach in the past year. They also note that Gartner research suggests that only 23 percent of security and risk leaders monitor third parties in real time for cybersecurity exposure.
The methods to manage third-party risk exposures are burdensome and inadequate, the Health3PT says, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place. This is especially true for smaller organizations that have limited resources and are where many breaches occur.
The nonprofit Health3PT will focus first on a series of common practices to effectively manage information security risks associated with vendors and other third-party service providers. These include methodologies and tools that address multiple best practice frameworks, foster standardization and transparent assurances and validation, and address legislative and regulatory requirements.
“Managing third-party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health, in a statement.
The Health3PT is supported by HITRUST, the risk and compliance standards and certification body, and CORL, a healthcare third-party risk management services and solutions provider. It will publish its first deliverable in the first quarter of 2023: Research on third-party risk metrics to benchmark the state of the industry. In addition, in 2023, the Health3PT will establish working groups and will host industry-wide events including a summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.
The Health3PT is comprised of security and risk executives from 20 healthcare providers, health systems, health payers/insurers, and healthcare service organizations:
- Patricia Yarabinetz, Director, Information Risk Management, AmeriHealth Caritas
- Cindy Shuna, Cyber Risk Management, Amerisource Bergen
- Rick Kratz Director, Cyber Risk Management, Amerisource Bergen
- Glen Braden, Principal, Attest Health Care Advisors
- Dr. Omar Sangurima, Principal Technical Program Manager, Governance, Risk, & Program Management, Memorial Sloan Kettering Cancer Center
- Shenny Sheth, Deputy CISO, Centura Health
- Natalie Henderson, Executive Director, Third Party Risk Governance, CVS
- Eric Sinclair, VP, Information & Cyber Security, Evolent Health
- Matthew Webb, AVP – Product Security, Chief Product Security Officer, HCA Healthcare
- Brenda Callaway, Divisional VP, Operations Performance Management, Health Care Service Corporation (HCSC)
- John Chow, CISO, Healthix
- Jeff Lockwood, VP of Enterprise Technology Services, HealthStream
- Karin Balsley, Sr. Director, Information Security, HealthStream
- Omar Khawaja, CISO, Highmark
- Health Heather Ryan, Project Manager, Highmark BCBS
- Joe Dylewski, Cyber Data Protection Manager, Humana
- Purvik Shah, Project Manager, Memorial Sloan Kettering Cancer Center
- Walsy Saez-Aguirre, Cyber Security Governance, Risk and Compliance Analyst, Memorial Sloan Kettering Cancer Center
- Monique Hart, Executive Director of Information Security, Executive Director of Information Security, Piedmont Healthcare
- Dr. Adrian Mayers, VP, CISO, Premera Blue Cross
- Joel Seymour, Deputy CISO, Premera Blue Cross
- Shawna Hofer, CISO, St. Lukes Health System
- Brian Cayer, CISO, Tufts Medicine
- Alan Labianca-Campbell, Director of Information Assurance, Tufts Medicine
- John Houston, VP, Information Security and Privacy, UPMC
- Ryan George, Sr. Director – IT, IAS, UPMC
- Alex Zhivov, Vice President, Information Security, Virtual Health
- Bhavesh Merai, Senior Manager, Technology, Risk & Compliance, Walgreens