By Omar Khawaja, CISO, Highmark Health; Will Long Sr., Vice President & CISO, Children’s Health in Dallas; and Jim Purvis, Information Security Officer, University of Rochester Medical Center
Healthcare providers and insurers have long faced a difficult challenge attempting to manage the security risks of the IT systems they share—within their own organizations, with other providers and insurers, and especially with their third-party vendors. Like many others, all three of our organizations once relied on security assessment questionnaires that we asked third parties to complete.
But with this approach, providers and insurers invest an inordinate amount of time vetting vendors and trusting that vendors honestly complete the questionnaires used to measure security postures. And even if the answers are accurate, they are not independently validated, and they only represent a single point in time. A strong security posture today may lack sufficient controls in six months as new security threats evolve.
At the same time, vendors invest significant time filling out the lengthy and varying questionnaires each provider and insurer requires. This delays how quickly a vendor can be brought on board. Providers and insurers may thus not be able to leverage a vendor’s product and services as quickly as they need to, which in turn could impair patient services.
An Independently Validated Security Program for the Healthcare Industry
Wanting to play a role in helping the healthcare industry solve the challenges of third-party risk management, we joined other healthcare organizations to create the Provider Third-Party Risk Management (PTPRM) Council. The group launched the PTPRM Initiative, which strives to achieve three key objectives:
- Champion the acceptance of proven IT security best practices, processes and technologies as collectively documented by the Council.
- Leverage those best practices to drive the acceptance of the PTPRM Initiative as a common, transparent and independently validated program.
- Drive security posture best practices and distribute our learnings on how to manage third-party risk—wider and deeper than ever before.
With these objectives in mind, the council chose to use the HITRUST CSF®—a model already widely used throughout the healthcare industry—to measure vendor security postures. This enables the PTPRM program to serve as an instrument through which the security postures of end-to-end, third-party healthcare ecosystems can be measured—in an “assess-once, certify-many” model. That means each organization and vendor in a supply chain completes attestation once, and then presents its validated security posture to any organization, vendor or customer with which it wants to do business.
The PTPRM Initiative also opens the door for vendors to do business with a specific healthcare organization, and once a vendor passes certification, it can easily extend its business to other PTPRM members. In this sense, earning certification provides a market advantage for vendors over competitors who are not certified.
A Supply Chain Security Model That Every Industry Can Leverage
What gives the initiative strength is the vast experience of the PTPRM Council members. We have seen what it takes to secure the healthcare supply chain ecosystem—what works, what doesn’t, where there’s waste, and where there’s opportunity for improvement.
Our initiative is backed by having security assessments audited by independent security assessment professionals and then validated by HITRUST® in order to maintain the highest level of quality across the board. This enables each participant within the initiative to move swiftly and accurately through the third-party risk management process—regardless of their size, their vendor function, and their scope of work as part of the overall vendor ecosystem.
The net result is a more secure supply chain that protects digital assets and personal information across entire supply chain ecosystems. And that enables healthcare organizations to focus on their primary mission—delivering innovative care services that improve the lives of patients.
While the model has been proven within the healthcare industry, it can also be applied to other industries and their third-party ecosystems of vendors. That means every industry can transform into a consortium of providers and vendors who help each other manage IT risks more efficiently and with greater impact on the business and its bottom line.
For More Information
For healthcare providers and insurers who want to get involved in the PTPRM Council, see https://www.ptprm.org/participation-pledge
To learn more about the PTPRM Council, visit https://www.ptprm.org/
About the Authors
- Omar Khawaja is the CISO at Highmark Health, one of the largest integrated healthcare delivery and financing systems in the US.
- Will Long Sr. is the Vice President & CISO at Children’s Health in Dallas, the eighth-largest pediatric healthcare provider in the nation.
- Jim Purvis is the Information Security Officer at the University of Rochester Medical Center, one of the top academic medical centers in the country.
Key Benefits of the PTPRM Initiative for Each Author’s Organization
Children’s Health: Compared to the previous method of measuring risk by using questionnaires, the HITRUST approach creates an acceptable form of measuring risk that the Children’s Health IT security team can trust. And as the PTPRM Initiative gains more and more industry acceptance, the healthcare organizations that Children’s Health partners with and its vendors will all realize the benefits of risk assessments that are conducted in a standard way and validated by an independent auditor. It’s a win-win that not only generates significant time and cost savings for Children’s Health and the organizations it conducts business with, but also improves the security postures of the individual organizations in the healthcare provider’s entire supply chain ecosystem.
Highmark Health: When it comes to protecting sensitive information and complying with other regulations and standards, a major HITRUST benefit for Highmark Health is that HITRUST continually rationalizes, harmonizes and aligns its framework with all of the major regulations and standards. Organizations also have to attest to HITRUST certification on a regular basis. So as new security requirements come onto the market, Highmark Health and its supply chain partners always know whether each entity has a strong security posture or whether any new security control measures need to be taken.
University of Rochester Medical Center: The PTPRM Initiative is having a big impact on the security culture across the University of Rochester Medical Center organization. The organization is also seeing this new culture permeate into partner and vendor organizations. Previously, business unit leaders were determined to do business with certain vendors and would push back when the IT security team told them that a vendor was not completing a questionnaire or had an issue with their security controls. But the PTPRM Initiative has opened the eyes of business unit leaders at the medical center; they now realize just how critical it is for all partners and vendors to have strong security postures, and they ask about security and HITRUST certification early in the relationship-building process. Because everyone knows one weak link in the medical center’s supply chain could put its digital assets and the sensitive information of patients at risk, the business units at the University of Rochester Medical Center now work more collaboratively with the IT security team—by picking third parties that meet the organization’s security requirements.