Chief information security officers from six large health systems have formed a council to develop best practices around managing the information security-related risks in their supply chain and to safeguard patient safety and information.
The founding members of the Provider Third Party Risk Management Council include:
• Allegheny Health Network
• Cleveland Clinic
• University of Rochester Medical Center
• UPMC
• Vanderbilt University Medical Center
• Wellforce/Tufts University
One goal of the new organization is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.
In a prepared statement, Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children, described the challenge: “Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care. The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”
Supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases an insurmountable one for organizations that simply lack the expertise or resources.
The council is working with the HITRUST Common Security Framework (CSF) and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months.