CISO Council to Address Vendor Risk Management ChallengesHITRUST Certification Will Be Used as a Security Measuring Stick
Story has been updated
A new council of healthcare CISOs hopes to work together toward improving uniformity and efficiency in the way organizations review the security controls and practices of third-party vendors that handle sensitive patient data.
The Health Information Trust Alliance is providing assistance to the new council. Among the founding members are the CISOs of Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center and Wellforce/Tufts University.
HITRUST is best known for its Common Security Framework, and that framework is a key part of the council's approach for ways that the sector can better manage third-party and supply chain risks.
In a statement issued Wednesday, the Provider Third Party Risk Management Council says its member organizations will require their vendors to become HITRUST CSF Certified within the next 24 months.
"The HITRUST CSF certification will serve as their standard for third parties providing services that require access to patient or sensitive information and will be accepted by all the council's organizations," the statement says.
A spokeswoman for the council says that while the new group is working with HITRUST, it is independent. The council will also consider other partnerships to facilitate additional issues, such as breach response and continuous monitoring, she says.
'The Four Cs'
John Houston, CISO and chief privacy officer at UPMC and a member of the new council, tells Information Security Media Group: "The issue is that there is a significant variance between the security and controls that different vendors implement. And without a provider performing an in-depth security assessment, it is impossible to determine what level of security and controls a vendor has."
By ensuring that vendors have adopted a single information security and privacy assessment and certification program - as offered by HITRUST - healthcare entities can benefit "plain and simple ... with four 'Cs,' - consistency, cost, commitment and completeness," Houston contends.
To help with consistency, each provider must assess each of its vendors and attempt to understand what security controls it uses, Houston says. "With this new initiative, a provider can be assured that if a vendor is HITRUST certified, the vendor has implemented an adequate level of security and controls. HITRUST provides the objective standards," he says.
Meanwhile, costs can be reduced because a provider's security team will not need to spend valuable resources to attempt to understand a vendor's security and controls, he claims. "Likewise, a vendor can reduce the time and effort associated with responding to the myriad of information requests from its customers."
By getting certified, Houston says, "the vendor has demonstrated that it is committed to implementing the security and controls that are necessary to protect a provider's data. And [for completeness], a provider can be assured that all applicable regulation and industry-accepted security standards have been addressed."
The initiative has the potential to help improve security and controls across the healthcare industry, Houston says.
"Since many small to mid-sized providers do not have the capability to assess the security and controls of their vendors, this initiative helps all providers - large and small - to ensure that their data remains secure," he says. "Those providers can access the HITRUST information via a portal during the procurement process to ensure that the vendors that they are considering have implemented adequate security and controls."
Vendors and other business associates have been implicated in hundreds of the largest health data breaches reported to federal regulators over the years.
As of Aug. 30, the largest health data breach reported in 2018 to the Department of Health and Human Services involving a business associate was a hacking incident at Med Associates, a New York-based billing vendor, according to HHS' "wall of shame" website of breaches affecting 500 or more individuals. That incident impacted 270,000 patients at dozens of physician practices.
Healthcare entities make plenty of mistakes when it comes to managing their vendor risks, but there are three common blunders that stand out, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"Too many are depending solely on publicly accessible data to determine vendor risk. This is a recipe for failure," Herold says. "For most organizations, the public view of their systems is just a small portion of the full risk environment for an organization. The Titanic saw an iceberg far away, but look what happened as a result of the danger that was not viewable under the water. The concept for vendor management is the same: The viewable online data certainly must be a factor, but it is not the only determination risk factor."
Another common mistake many healthcare entities make is depending solely on contracts with "hold harmless clauses" to manage their risks, Herold says.
"Hold harmless clauses do not prevent breaches, do not typically cover the liabilities that vendors bring to the organizations using them and certainly are not preventive controls," she says. "Definitely include security and privacy requirements within vendor contracts - but don't stop there. Implement a complete program based upon a simple, high-level framework that takes vendor categories and associated risks into consideration."
Some healthcare entities also make the mistake of attempting to size up vendors "using long questionnaires and nothing more," Herold notes. "Too many think that asking vendors to complete hundreds of questions, many to most of which don't even apply to the vendor's services, will effectively management their vendor risks. The truth is, the more complicated and more questions you require your vendor to answer, the more likely that the answers will not reflect the actuality of the vendor's business," she says.
"Vendor management must be more tailored and more pragmatic than depending on a survey with hundreds of questions and basically no critical thinking considerations built in."
While member organizations of the new vendor risk management council plan to vet their vendors based on their use of the HITRUST CSF, healthcare organizations can also leverage other frameworks when reviewing the security controls and practices of vendors, Herold points out.
"Organizations need to use a high-level but comprehensive framework that addresses each of the major risk areas," she says. For example, they can use the National Institute of Standards and Technology's Cybersecurity Framework in conjunction with the organization's primary legal requirements framework, such as HIPAA, she says.
"While NIST is not specific to vendor management, it covers all the parts of an information security program that every organization, including vendors, should have in place. And by including the specific compliance requirements topics from the primary and most comprehensive set of legal requirements, such as HIPAA, or GDPR [General Data Protection Regulation], all major areas of the vendor management program will be covered," she says.
"Organizations also need to understand that the oversight of vendor risk must be ongoing; it cannot be a once-a-year or one-time-only type of activity," she adds.
"There is definitely not a one-size-fits-all framework that can simply be plugged into an organization and used as-is."
— Consultant Rebecca Herold
"There is definitely not a one-size-fits-all framework that can simply be plugged into an organization and used as-is," she notes. "I've found too many, especially small to mid-sized organizations, using purchased - and, quite frankly, overly expensive - frameworks trying to do this. As a result, they spend more time trying to get into compliance with not only the proprietary framework, but also then still needing to address the underlying regulations and laws that should be their primary focus."
Herold argues that it's cost-effective to "start with a basic, high-level vendor risk management framework, and then determine what is necessary to mitigate risks for the various categories of vendors that the organization has contracted. The risks involved with a one- to three-person transcriptionist service that uses one method of obtaining and then sending results back to their healthcare clients is going to be different from the vendor used to constantly monitor and process the data within the same provider's patient implanted medical devices."