Health3PT Council unites over 20 healthcare leaders to innovate and standardize third-party risk management and protect the nation’s healthcare ecosystem against increasing supply chain attacks
January 11, 2022 – Dallas –
Amid heightened threats to the nation’s healthcare systems, more than 20 leading healthcare organizations have come together to identify effective, efficient, and new innovative approaches to reduce cyber risk across the healthcare industry’s third-party ecosystem. The Health 3rd Party Trust (Health3PT) Initiative and Council, announced today, is committed to bringing standards, credible assurance models, and automated workflows to solve the third-party risk management problem and advance the mission to safeguard sensitive information.
Healthcare is one of the top industry sectors targeted by cyber attackers due to the value of sensitive electronic patient records, the potential impact on critical life-saving IT systems and medical devices, and the lack of security around the third-party vendors and suppliers delivering vital services. According to one survey, 55% of healthcare organizations suffered a third-party breach in the past year. However, most healthcare organizations do not have effective measures in place to identify these risks. Only 23% of security and risk leaders monitor third parties in real time for cybersecurity exposure, according to Gartner data.
With increasing government warnings—such as HHS’ Health Sector Cybersecurity Coordination Center recent alerts on ransomware and last December’s alert from CISA, FBI and NSA to mitigate Log4j software supply chain vulnerabilities—as well as anticipated regulatory guidance for cross-sector Cybersecurity Common Performance Goals, healthcare organizations are looking for ways to understand and ensure the security, integrity, and availability of services provided by third parties and the associated sensitive information they handle.
Unfortunately, today’s methods to manage these third-party risk exposures are burdensome and inadequate, with each vendor handling their assessments differently and often manually, resulting in blind spots on risks, limited follow-through on remediation of identified risks, complacency regarding continuous monitoring, and insufficient assurance programs to prove that the right security controls are in place. This is especially true for smaller organizations who have limited resources and are often where many breaches occur.
In response, the Health3PT is collaborating to overcome these challenges and achieve greater efficiencies throughout the ecosystem. The Health3PT will focus first on a series of common practices to effectively manage information security risks associated with vendors and other third-party service providers. These include methodologies and tools that address multiple best practice frameworks, that foster standardization and transparent assurances and validation, and that address legislative and regulatory requirements.
The Health3PT will publish its first deliverable in Q1 2023: Research on third-party risk metrics to benchmark the state of the industry. In addition, in 2023, the Health3PT will establish working groups and will host industry-wide events including a Summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.
The Health3PT has overwhelming support from key industry stakeholders and is comprised of security and risk executives from 20 leading healthcare providers, health systems, health payors/insurers, and healthcare service organizations:
Patricia Yarabinetz, Director, Information Risk Management, AmeriHealth Caritas
Cindy Shuna, Cyber Risk Management, Amerisource Bergen
Rick Kratz, Director, Cyber Risk Management, Amerisource Bergen
Glen Braden, Principal, Attest Health Care Advisors
Dr. Omar Sangurima, Principal Technical Program Manager, Governance, Risk, & Program Management, Memorial Sloan Kettering Cancer Center
Shenny Sheth, Deputy CISO, Centura Health
Natalie Henderson, Executive Director, Third Party Risk Governance, CVS
Eric Sinclair, VP, Information & Cyber Security, Evolent Health
Matthew Webb, AVP – Product Security, Chief Product Security Officer, HCA Healthcare
Brenda Callaway, Divisional VP, Operations Performance Management, Health Care Service Corporation (HCSC)
John Chow, CISO, Healthix
Jeff Lockwood, VP of Enterprise Technology Services, HealthStream
Karin Balsley, Sr. Director, Information Security, HealthStream
Omar Khawaja, CISO, Highmark Health
Heather Ryan, Project Manager, Highmark BCBS
Joe Dylewski, Cyber Data Protection Manager, Humana
Purvik Shah, Project Manager, Memorial Sloan Kettering Cancer Center
Walsy Saez-Aguirre, Cyber Security Governance, Risk and Compliance Analyst, Memorial Sloan Kettering Cancer Center
Monique Hart, Executive Director of Information Security, Executive Director of Information Security, Piedmont Healthcare
Dr. Adrian Mayers, VP, CISO, Premera Blue Cross
Joel Seymour, Deputy CISO, Premera Blue Cross
Shawna Hofer, CISO, St. Lukes Health System
Brian Cayer, CISO, Tufts Medicine
Alan Labianca-Campbell, Director of Information Assurance, Tufts Medicine
John Houston, VP, Information Security and Privacy, UPMC
Ryan George, Sr. Director – IT, IAS, UPMC
Alex Zhivov, Vice President, Information Security, Virtual Health
Bhavesh Merai, Senior Manager, Technology, Risk & Compliance, Walgreens
“Society has evolved to demand speed of delivery, and this is no different in the healthcare space. However, we cannot sacrifice security for speed. A standardized and measurable standard for assessing third parties will bring both speed and efficiency, while potentially increasing security. This also could drive reduced costs through efficiency. A standardized and measurable assessment mechanism will be the cornerstone in securing people’s most precious information,” said Joel Seymour, Deputy CISO for Premera Blue Cross.
“It’s clear that TPRM is broken in the healthcare industry. We need to come together as an industry to establish a sustainable approach to third-party risk management. The common process of sending and receiving self-attested proprietary questionnaires is inefficient and potentially unreliable. We need a practical pathway to supplier assurances that are reliable and not self-attested, have inadequate controls or over burdening for the risk posed. The lack of standardization today results in vendor confusion due to the different question sets and requirements, resulting in confusion, frustration, and eventually…lack of response,” said John Chow, CISO for Healthix, Inc., a large, public New York State based HIE.
“Managing third party risk in a comprehensive and sustainable way requires collaboration between healthcare organizations and their suppliers to find solutions that are efficient and effective for both sides. That’s why the Health3PT is so important to Centura Health and our partnerships. In order for this to work, we need more healthcare organizations to adopt common, standardized processes,” said Shenny Sheth, Deputy CISO for Centura Health.
The Health3PT is seeking participation from all healthcare organizations. To join the initiative and for more details, visit Health3PT.org.