Health3PT: Healthcare Security Leaders Rethink Third-Party Risk Management

Third-party risk management (TPRM) remains one of the top security challenges for healthcare organizations. In 2022, the U.S. Department of Health and Human Services (HHS) received healthcare data breach reports from 590 organizations. The reported data breaches impacted over 48 million people.

And a recent report by HealthITSecurity found that the majority of the ten largest data breaches occurred at third-party vendors with access to protected health information. Three of the ten breaches were caused by third-party tracking pixels that inadvertently sent sensitive information to tech companies, like Meta.

For many healthcare organizations, dealing with third-party risks is difficult and inefficient. Vendors evaluate risks differently, often manually, resulting in blind spots, and there is limited follow up on identified risks. Complacency about continuous monitoring is commonplace, as is having no assurance program to ensure adequate security controls are in place. 

There is an especially high risk of a breach occurring in smaller organizations with fewer resources. A recent survey conducted by the Ponemon Institute on behalf of the Healthcare and Public Health Sector Coordinating Councils (HSCC)  found significant differences in capability and budget between large and small healthcare organizations when it comes to managing and reducing supply chain risks. However, organizations of all sizes reported that they have difficulty managing supply chain risks.

What Is Health3PT? 

In response to growing cybersecurity threats, over 20 leading healthcare organizations, including UPMC, Centura Health, Memorial Sloan Kettering Cancer Center, Highmark Health, Tufts Medicine, Humana, and Walgreens, are collaborating to address ongoing third-party risk management challenges. Together, they formed Health 3rd Party Trust Initiative and Council (Health3PT).

On January 11, 2022, Health3PT announced its commitment to providing credible assurance models, creating standards, and automating workflows across the healthcare ecosystem. As a first step in their collaboration, Health3PT plans to create a series of common practices for managing vendor risk.

HITRUST Requirement for Third-Party Vendors

Health3PT member organizations will require all third-party vendors to become HITRUST certified. HITRUST is a security framework designed to help healthcare organizations comply with regulations and standards. Requiring HITRUST certification from vendors allows companies to collect and maintain information privacy and security assurances from third parties using a uniform, standardized approach. HITRUST certification will allow vendors to devote more time and resources to security measures instead of responding to hundreds of proprietary questionnaires.

Health3PT member Omar Sangurima, Principal Technical Program Manager of the governance, risk, and program management for Memorial Sloan Kettering Cancer Center, stated in an interview with SC Media, “while HITRUST may not be ideal for all provider entities, Health3PT aims to use a "nutrition label" model as a way to provide smaller entities with assurance that certain vendors, tools, or service providers are leveraging best practice security measures.”

Health3PT member, Omar Khawaja, Highmark Health CISO explained, “Leveraging market forces helps not only the ‘have-nots,’ it turns out that's the only way to help the ‘have's’ as well. The "nutritional label" is accessible to everyone, and is scalable, actionable, and understandable. When someone is looking to avoid certain ingredients, they check the label without needing to understand every aspect."

Health3PT’s Goal in Third-Party Risk Management 

The members of Health3PT view the third-party risk management issue as an ecosystem issue rather than an issue facing an individual organization or enterprise. By sharing their knowledge and resources, creating standards, and building a solid framework, larger organizations hope to support smaller organizations, and create an ecosystem solution to help close the gaps in TPRM. 

The goal of Health3PT is to create third-party risk management solutions that work for both organizations and third-party vendors.

Health3PT is actively seeking participation from all healthcare organizations. In Q1 2023, the Health3PT will publish its first deliverable: research on third-party risk metrics. Additionally, the Health3PT will host industry-wide events in 2023, including a summit for vendors, third-party risk management stakeholders, and assessors.