Healthcare IT Security
January 11, 2023

By Jill McKeon

More than 20 healthcare leaders have come together to form the Health 3rd Party Trust (Health3PT) Initiative and Council, aimed at introducing new standards, automated workflows, and assurance models to the third-party risk management (TPRM) conversation.

Third-party risk management remains a top challenge for healthcare security practitioners. In fact, the majority of the top ten largest healthcare data breaches reported to HHS in 2022 stemmed from third-party vendors.

“It’s clear that TPRM is broken in the healthcare industry,” John Chow, CISO for Healthix and member of the Health3PT, explained in the press release. “We need to come together as an industry to establish a sustainable approach to third-party risk management.”

Security and risk executives from major organizations such as HCA Healthcare, Humana, UPMC, Walgreens, and CVS joined the new initiative with the goal of furthering the sector’s mission to safeguard sensitive health information as it continues to expand its vendor ecosystem. The Health3PT is actively seeking participation from all healthcare organizations.

The Health3PT’s first focus will be on creating best practices for managing third-party risk, from identifying tools and methodologies to addressing regulatory requirements. The initiative is expected to publish its first deliverable in the first quarter of 2023, focused on benchmarking the state of the industry.

The Health3PT also plans to establish working groups and host a summit for vendors, stakeholders, and assessor organizations to gather and share ideas.

“Society has evolved to demand speed of delivery, and this is no different in the healthcare space. However, we cannot sacrifice security for speed,” suggested Joel Seymour, deputy CISO at Premera Blue Cross.

“A standardized and measurable standard for assessing third parties will bring both speed and efficiency, while potentially increasing security. A standardized and measurable assessment mechanism will be the cornerstone in securing people’s most precious information.”
Third-party risk management is a clear pain point for security practitioners across the sector. It was one of the most popular topics of discussion at the 2022 HIMSS Healthcare Cybersecurity Forum, held in Boston in December.

At the forum, Erik Decker, assistant vice president and chief information security officer (CISO) at Intermountain Healthcare, noted the lengthy and time-consuming nature of managing third-party risk assessments on a transaction-by-transaction basis.

“Do we feel that this is the right way to approach this problem, or could we be doing better?” Decker asked the audience.

Panelists suggested several strategies to improve the process: sharing information between organizations and moving to continuous vendor monitoring, rather than transaction-by-transaction risk assessments, have the potential to reduce friction.

The challenge is coordinating those efforts and employing solutions that actually save organizations time and labor while also reducing risk.

As organizations continue to engage with new vendors and non-traditional third parties, having industry-wide best practices and standards in place will likely prove crucial to maintaining security.