Health System CISOs Form Group to Address Third-Party Risk

Aug. 30, 2018
Chief information security officers from six large health systems have formed a council to develop best practices around managing the information security-related risks in their supply chain and to safeguard patient safety and information.



The founding members of the Provider Third Party Risk Management Council include:

• Allegheny Health Network

• Cleveland Clinic

• University of Rochester Medical Center

• UPMC

• Vanderbilt University Medical Center

• Wellforce/Tufts University

One goal of the new organization is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.



In a prepared statement, Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children, described the challenge: “Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care. The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”



Supply chains are filled with third parties that support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases insurmountable, for many organizations that simply don’t have the expertise or resources.

The council is working with the HITRUST Common Security Framework (CSF) and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months.
