Health3PT and HITRUST Solutions for Healthcare Risk Management

Originally published by BARR Advisory.

A recently released survey conducted by Health3PT confirms 72% of vendors believe today’s third-party risk management practices are not effective. Health3PT and HITRUST Assurance Program have partnered together to provide capabilities and efficiencies to solve the third-party risk management problems in healthcare.

HITRUST enables organizations to implement practices presented in Health3PT’s Recommended Practices & Implementation Guide.

We sat down with Steve Ryan, attest services manager, to break down the partnership between the HITRUST initiatives and the Health3PT guide that are meant to provide the healthcare industry with third-party risk management solutions.

Steve, what is Health3PT and how does it relate to HITRUST?

“Health3PT stands for the “Health Third Party” initiative. Recognizing that overlapping customer and vendor relationships are common throughout the healthcare industry, Health3PT is an expansion of the third-party risk management initiative (also known as the TPRM) established in 2018. It is designed to include a broader spectrum of organizations in the healthcare industry along with TPRM thought leaders, such as HITRUST.

The Health3PT initiative has been established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties and beyond.”

Let’s dig into the recently released Health3PT Recommended Practices & Implementation Guide. We know that HITRUST supports practices two through six, so let’s start with practice two, which covers what’s called a risk-tiering strategy. What does a risk-tiered strategy mean, and how can organizations implement that type of strategy into their healthcare compliance program?

“Third parties with lower inherent risk may be more likely to experience data breaches, as they often have not established foundational cybersecurity. A risk-tiering strategy ensures all third parties follow appropriate security requirements, irrespective of risk levels. Consistent risk analysis is necessary to evaluate organizational, compliance and technical risk factors, identify risks to the third party, and the healthcare organization, and determine the required level of assurance. A HITRUST risk triage approach for Health3PT supports calculation of the risk score for vendors and selection of the appropriate level of assurance.”

The third recommendation is to obtain reliable and transparent assurances. What does it mean to be a reliable assurance and what assessments does HITRUST offer for healthcare organizations?

“Reliable assurances ensure the third party has taken proper measures to safeguard the data of its partner organizations and customers. The HITRUST e1, i1 and r2 assessments support different levels of assurance for different risk levels as defined in the Guide. These assessments all are based upon the same framework. HITRUST assurances follow a consistent methodology and provide the required accuracy and quality of assurance based on evidence, assessor independence, and a robust quality assurance system.

For over a decade, HITRUST has offered the needed reliability, quality, and transparency in its assurance system now selected by Health3PT. All HITRUST assessments and assurance reports are based on the HITRUST CSF and allow healthcare entities and third parties to progressively achieve higher assurances by sharing common control requirements and inheritance of control maturity provided by leading Cloud Service Providers.”

Practice four recommends the implementation and tracking of corrective action plans. Tell us a little more about CAPs and how they help organizations in the healthcare industry achieve compliance.

“An important value of an assurance system is the identification of controls that are not implemented properly and tracking of remediation progress to completion. The HITRUST MyCSF SaaS platform supports the documentation of corrective action plans for all assurance reports for a third party so they may track their progress on milestones, the state of remediation, and share remediation progress with the healthcare industry companies they serve.”

In practice five, we see the recommendation for frequent assurance updates. Talk to us about that process.

“As new threats emerge, security requirements change continuously. Assurance requirements must also change to reflect control adjustments needed in response to ongoing changes in the threat landscape. The HITRUST CSF is threat-adaptive by leveraging threat intelligence data to remain relevant and focused on the latest threats. Healthcare industry companies are therefore able to know that later assurance reports in the relationship with third parties are appropriate to the then current threat landscape.”

The sixth recommendation includes a required systematic risk management approach. What does this type of approach look like, and does HITRUST help organizations share their risk management reports?

“Healthcare is a complex industry with organizations having relationships with multiple third parties. A systematic and technically-enabled approach is required to manage its exponential scale. This includes a system that tracks progress across stakeholders, facilitates the sharing of results, integrates with existing systems, supports business relationships, and enhances business value and risk management for healthcare.

The HITRUST Results Distribution System (RDS) allows third parties to efficiently share their assessment reports with the multiple healthcare industry companies that they support and equally supports healthcare industry companies receiving reports from multiple third party vendors.”

Lastly, tell us a little bit about how organizations can get started on implementing these best practices.

“Health3PT has approved HITRUST as the first assurance supplier supporting these recommended practices for the healthcare industry. The HITRUST e1, i1 and r2 assessments all support healthcare industry organizations seeking to collect evidence of appropriate, reliable, and consistent assurance of their vendor’s security capabilities. And the HITRUST Assurance Program provides the supporting infrastructure needed for the industry to collect assurances, report-on risk, track risk, and manage risk across the industry.