Health System CISOs Form Group to Address Third-Party Risk

Aug. 30, 2018

Chief information security officers from six large health systems have formed a council to develop best practices around managing the information security-related risks in their supply chain and to safeguard patient safety and information.



The founding members of the Provider Third Party Risk Management Council include:

• Allegheny Health Network

• Cleveland Clinic

• University of Rochester Medical Center

• UPMC

• Vanderbilt University Medical Center

• Wellforce/Tufts University

One goal of the new organization is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.



In a prepared statement, Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children, described the challenge: “Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care. The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”



Supply chains are filled with third parties that support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge and, in some cases, an insurmountable one for the many organizations that simply don’t have the expertise or resources.

The council is working with the HITRUST Common Security Framework (CSF) and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months.
