cyBARR Chats: HITRUST Edition Episode 15, Health3PT Initiatives for Risk Management Solutions

Transcript:

Hello everyone, and welcome to today’s episode of cyBARR Chats. I’m Kyle Cohlmia, associate content writer at BARR Advisory. Today we’re joined by Steve Ryan manager for BARR’s attest and HITRUST services.

A recently released survey conducted by Health3PT confirms that 72% of vendors believe today’s third party risk management practices are not effective.

The Health3PT guidance and the HITRUST Assurance Program have joined together to provide capabilities and efficiencies to solve the third party risk management problem in healthcare. HITRUST specifically enables organizations to implement practices number two through six presented in the Health3PT’s Recommendation Practices and Implementation Guide. Steve is here to break down the partnership between HITRUST and Health3PT and the HITRUST initiatives in the Health3PT guide that are meant to provide the healthcare industry with third party risk management solutions.

Let’s begin.

Steve, our first question is, what exactly is Health3PT and how does that relate to HITRUST?

Yeah, thanks for having me on Kyle. So Health3PT stands for the Health Third Party Initiative. Recognizing that overlapping customer and vendor relationships are common throughout the healthcare industry, Health3PT is an expansion of the Provider Third Party Risk Management Initiative, also known as the TPRM, that was established in 2018, to include a broader spectrum of organizations in the healthcare industry along with TPRM thought leaders such as HITRUST.

The Health3PT initiative has been established to evaluate, identify, and implement actionable and practical solutions that healthcare organizations can adopt to provide more reliable assurances, consistent information security program reporting, and better visibility into downstream relationships with third parties and beyond.

Great. So let’s dig more into the recently released Health3PT recommended practices and implementation guide. We know that HITRUST supports these practices numbers two through six. So let’s start with practice number two, which covers what’s called a risk-tiering strategy. What exactly is a risk-tiered strategy, and how can organizations implement that type of strategy into their healthcare compliance program?

Yeah, absolutely. So, third parties with lower inherent risk may be more likely to experience data breaches, as they often have not established foundational cybersecurity. A risk-tiering strategy ensures that all third parties follow appropriate security requirements, irrespective of risk levels.

Consistent risk analysis is necessary to evaluate organizational compliance and technical risk factors, identify risk to the third party and the healthcare organization, and determine the required level of assurance. A HITRUST risk triage approach for the Health3PT supports the calculation of risk support for vendors and selection of the appropriate levels of assurance.

Great, thank you so much. The third recommendation is meant to obtain reliable and transparent assurances. What does it mean to be a reliable assurance and what assessments does HITRUST offer for healthcare organizations?

Yeah, so reliable assurances ensure that the third party has taken proper measures to safeguard the data of its partner organizations and customers. The HITRUST e1, i1, and r2 assessments support different levels of assurance for different risk levels as defined in the guide. These assessments are all based upon the same framework.

HITRUST assurances allow a consistent methodology to provide the required accuracy and quality of assurance based on evidence, assessor independence, and a robust quality assurance system. For over a decade, HITRUST has offered the need of reliability, quality, and transparency in its assurance system now selected by the Health3PT.

All HITRUST assessments and assurance reports are based on the HITRUST CSF and allow healthcare entities and third parties to progressively achieve higher assurances. By sharing common control requirements and inheritance of control maturity provided by leading cloud service providers.

Great, that makes sense.

Alright, now practice four recommends the implementation and tracking of corrective action plans. Tell us a little bit more about corrective action plans, or CAPs, and how they help organizations in the healthcare industry achieve compliance.

Absolutely. So an important value of an assurance system is the identification of controls that are not implemented properly and tracking a remediation progress towards completion.

The HITRUST MyCSF SaaS platform supports the documentation of corrective action plans for all assurance reports for a third party. So they may track their progress on milestones, the state of the remediation, and share those remediation progresses with the healthcare industry companies they serve.

Great. Now let’s move to practice five where there’s the recommendation for frequent assurance updates. Talk to us about that process.

Yeah. So as new threats emerge, security requirements change continuously.

Assurance requirements also change to reflect control adjustments needed in response to ongoing changes in the threat landscape. The HITRUST CSF is actually threat adaptive and by leveraging threat intelligence data to remain relevant and focused on the latest threats. Healthcare industry companies are therefore able to know that later assurance reports in the relationship with their third parties are appropriate to the current threat landscape.

Great. And that takes us to the final and sixth recommendation in the Health3PT Guide, which includes a required systematic risk management approach. What does this type of approach look like, and does HITRUST help organizations share their risk management reports?

Absolutely. So as we know, healthcare is a complex industry with organizations having relationships with multiple third parties, a systematic and technically enabled approach is required to manage its exponential scale.

This includes a system that tracks progress across stakeholders, facilities, the sharing of results, integrates with existing systems, supports business relationships, and enhances business value and risk management for healthcare. The HITRUST Results Distribution System, or RDS, allows third parties to efficiently share their assessment reports with multiple healthcare industry companies that they support and equally supports healthcare industry companies receiving reports from multiple third party vendors.

Great. Thank you so much, Steve. These recommendations are extremely helpful for organizations as they navigate a complex threat landscape, as you mentioned. For our last question, talk to us a little bit more about how organizations can get started on implementing these best practices just in general and also through BAR’s high trust services.

Of course. Health3PT has approved HITRUST as the first assurance supplier supporting these recommended practices for the healthcare industry. The HITRUST e1, Ii, and r2 assessments all support healthcare industry organizations seeking to collect evidence of appropriate, reliable, and consistent assurance of their vendor security capabilities.

And, the HITRUST Assurance Program provides the supporting infrastructure needed for the industry to collect assurances, report on risk, track risk, and manage risk across the industry. Organizations can contact BARR at any stage of their HITRUST journey. The team and I are always happy to help walk you through these practices in order to simplify the process and create stronger risk management practices all around for the healthcare industry.

Great. Well, that’s extremely helpful, Steve. Thank you so much for sharing all your valuable insight on how the recently released Health3PT and HITRUST initiatives are creating these solutions for stronger risk management in the healthcare industry. We definitely appreciate you joining us as always on our cyBARR Chats HITRUST edition, and we look forward to seeing everyone next time.

Always a pleasure, Kyle.