Third-Party Risk
Why do your hospital clients need HITRUST Certification? Numerous studies have documented that third parties create a significant amount of cyber-risk for hospitals. The Ponemon Institute, in their study Data Risk in the Third-party Ecosystem, found that 56% of organizations in that study experienced a breach caused by a vendor or third party. Another study, performed by cyber security consultant Cynergistek in their April 2019 Annual Report, cataloged deficiencies in the security programs of the vendors serving 600 healthcare organizations. Highlights of this study were that 17% of vendors had deficiencies in their risk assessment process, 12% had data security deficiencies, and 10% had data governance gaps.
None of this is particularly new. For years, the dominant approach to managing third-party risk has been to use security questionnaires such as The Standardized Information Gathering (SIG) tools from Shared Assessments. After collecting the responses, various follow-up, including site visits and phone conferences, are performed. From the vendor’s perspective, this process is repeated with each and every customer. After conducting thousands of assessments, some leaders in the hospital industry have concluded that this approach is fundamentally broken, as the above statistics demonstrate.
A New Approach to Third-Party Risk Management
One year ago a consortium of a dozen leading hospitals, including the Cleveland Clinic, UPMC, Tufts, the Mayo Clinic and others, announced the formation of the Provider Third Party Risk Management Council, and introduced a new approach to third-party risk management. The solution is simple – any vendor of a certain size who wishes to do business with one the member hospitals must successfully complete – and annually maintain — a certification using the HITRUST CSF. Member hospitals will accept a HITRUST certification as evidence of a robust security program. No questionnaires or further dialog is necessary.
The benefit to the vendor is that the investment in a single certification will satisfy many customers. Hospitals receive validation via independent third-party certification that the vendor’s security program is robust.
The dozen or so hospitals in the Provider Third Party Risk Management Council include some of the largest and most prominent hospitals in the U.S. However, in total, they represent less than 5% of the U.S. hospital market. Time will tell whether HITRUST certification surpasses the SSAE 18 SOC 2 as the gold standard for vendors seeking to play in the hospital market. Clearly, it is gaining momentum.
Recently, Eagle Consulting Partners announced an affiliation with The Drummond Group in order to provide HITRUST certification to our clients. Using the HITRUST process, via a single assessment, a HITRUST certification and a SSAE 18 SOC 2 can be provided. Please contact us for more information.
