The Health Information Trust Alliance (HITRUST) has unveiled a third-party assurance (TPA) risk triage methodology, which provides a framework for assessing the risk exposure of third-party IT relationships in the healthcare supply chain.
The methodology provides a standardized approach to determine the type and rigor of assurance required of vendors and business partners.
When an organization fails to evaluate the effectiveness of a third party’s security and privacy controls, it could be exposing itself to greater risk. At the same time, unnecessarily requiring third parties to provide higher levels of assurances increases costs for all parties, HITRUST explained.
“Until today’s release of the HITRUST TPA risk triage methodology, there was no consistent approach to determining what type of assurance a third party should provide and maintain in cases where information or intellectual property is shared,” said Wellforce VP and CISO Taylor Lehmann, who is also co-chair of the Provider Third-Party Risk Management Initiative Council.
The council, which was set up last year by healthcare CISOs, includes the Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center, and Wellforce/Tufts University as members.
“This void either creates inefficiencies as organizations are seeking greater assurances from their third parties than is warranted, or they are not seeking the level of assurance needed to meet compliance requirements and avoid unnecessary risk exposure,” Lehmann said.
The TPA risk triage methodology, when used with the HITRUST CSF and the HITRUST CSF Assurance Program, allows organizations to ensure their third parties are implementing a sufficient level of due care and diligence for the protection of sensitive information and patient privacy.
The methodology can differentiate risks among third parties by identifying common factors that group risk into three areas: organizational, compliance, and technical.
- Organizational risk factors reflect the value of the data shared with third parties
- Compliance factors address fines or penalties an organization can face due to breach by a third party, which also influences the probable impact of a data compromise
- Technical factors relate to how a third party accesses, processes, stores and/or disposes of an organization’s data
HITRUST also explained that the methodology incorporates a risk scoring model to help quantify third-party risk and offer specific recommendations for the type and rigor of the assessment and the maturity of the organization’s information protection.
The risk scoring model estimates the relative likelihood of a data breach by the third party based on five technical risk factors and the relative impact of such a breach based on three organizational risk factors and four compliance risk factors. These estimates provide a risk score that can then be used to determine one of five levels of assessment a third party would be required to complete.
Organizations can also weight some factors more heavily than others when calculating the likelihood and impact of a third party’s inherent risk, so that the score reflects their own risk tolerances.
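To make the scoring mechanics concrete, here is an added illustration; it is not HITRUST's model or code. The factor names, the 1-to-5 rating scale, the default weights, the likelihood-times-impact formula and the level thresholds are all assumptions. Only the structure follows the article: five technical factors drive the likelihood estimate, three organizational plus four compliance factors drive the impact estimate, individual factors can be weighted, and the resulting score selects one of five assessment levels.

```python
"""
Illustrative third-party risk triage scorer (constructed example).

Assumptions, not HITRUST's published method: factor names, the 1..5 rating
scale, default weights, the likelihood x impact formula and the thresholds
that map a score to one of five assessment levels.
"""
from typing import Dict, List, Optional

RATING_MIN, RATING_MAX = 1, 5  # each factor rated 1 (low) .. 5 (high)

# Assumed factor names, grouped the way the article groups them.
TECHNICAL_FACTORS: List[str] = [      # how the vendor accesses/processes/stores/disposes of data
    "access_method", "processing_scope", "storage_location",
    "retention_and_disposal", "connectivity_persistence",
]
ORGANIZATIONAL_FACTORS: List[str] = [  # value of the data shared with the vendor
    "data_sensitivity", "record_volume", "data_criticality",
]
COMPLIANCE_FACTORS: List[str] = [      # fines/penalties exposure if the vendor is breached
    "hipaa_exposure", "state_breach_law_exposure",
    "contractual_penalties", "regulatory_reporting_burden",
]

# Assumed thresholds on the 1..25 likelihood x impact product: score <= bound -> level.
LEVEL_THRESHOLDS = [(5.0, 1), (10.0, 2), (15.0, 3), (20.0, 4)]
MAX_LEVEL = 5


def weighted_average(ratings: Dict[str, int], weights: Dict[str, float],
                     factors: List[str]) -> float:
    """Weighted mean of the ratings for `factors`; unweighted factors count 1.0.

    Raises KeyError if a factor was not rated (every factor must be scored)
    and ValueError if a rating is outside the 1..5 scale.
    """
    for f in factors:
        r = ratings[f]
        if not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"rating for {f} out of range: {r}")
    total_weight = sum(weights.get(f, 1.0) for f in factors)
    if total_weight <= 0:
        raise ValueError("factor weights must sum to a positive value")
    return sum(ratings[f] * weights.get(f, 1.0) for f in factors) / total_weight


def likelihood_score(ratings: Dict[str, int],
                     weights: Optional[Dict[str, float]] = None) -> float:
    """Relative likelihood of a breach, from the five technical factors."""
    return weighted_average(ratings, weights or {}, TECHNICAL_FACTORS)


def impact_score(ratings: Dict[str, int],
                 weights: Optional[Dict[str, float]] = None) -> float:
    """Relative impact of a breach, from organizational + compliance factors."""
    return weighted_average(ratings, weights or {},
                            ORGANIZATIONAL_FACTORS + COMPLIANCE_FACTORS)


def risk_score(ratings: Dict[str, int],
               weights: Optional[Dict[str, float]] = None) -> float:
    """Inherent risk = likelihood x impact (1..25 under the assumed scale)."""
    return likelihood_score(ratings, weights) * impact_score(ratings, weights)


def assessment_level(score: float) -> int:
    """Map a risk score to one of five assessment levels (1 = lightest)."""
    for bound, level in LEVEL_THRESHOLDS:
        if score <= bound:
            return level
    return MAX_LEVEL


def triage(ratings: Dict[str, int],
           weights: Optional[Dict[str, float]] = None) -> Dict[str, float]:
    """Full triage result for one third party."""
    score = risk_score(ratings, weights)
    return {"likelihood": likelihood_score(ratings, weights),
            "impact": impact_score(ratings, weights),
            "risk": score, "level": assessment_level(score)}


# Constructed sample ratings for two hypothetical vendors.
HOSTED_EHR_VENDOR = {  # persistent access to a large, highly sensitive data set
    "access_method": 4, "processing_scope": 5, "storage_location": 5,
    "retention_and_disposal": 3, "connectivity_persistence": 4,
    "data_sensitivity": 5, "record_volume": 5, "data_criticality": 4,
    "hipaa_exposure": 5, "state_breach_law_exposure": 4,
    "contractual_penalties": 3, "regulatory_reporting_burden": 4,
}
SMALL_ANALYTICS_VENDOR = {  # little data, but the data it holds is sensitive
    "access_method": 2, "processing_scope": 2, "storage_location": 2,
    "retention_and_disposal": 2, "connectivity_persistence": 2,
    "data_sensitivity": 5, "record_volume": 1, "data_criticality": 1,
    "hipaa_exposure": 1, "state_breach_law_exposure": 1,
    "contractual_penalties": 1, "regulatory_reporting_burden": 1,
}

if __name__ == "__main__":
    print("hosted EHR vendor:", triage(HOSTED_EHR_VENDOR))
    print("analytics vendor, unweighted:", triage(SMALL_ANALYTICS_VENDOR))
    # Weighting data sensitivity heavily raises the analytics vendor one level.
    print("analytics vendor, weighted:",
          triage(SMALL_ANALYTICS_VENDOR, {"data_sensitivity": 5.0}))
```

The second vendor shows why the article stresses weighting: with every factor weighted equally its low technical and compliance ratings dilute a top data-sensitivity rating and it lands in the lightest assessment level, whereas an organization that weights data sensitivity five times as heavily moves it up a level and asks for more assurance.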
“This risk triage methodology, another component in HITRUST’s comprehensive approach, helps organizations determine their risk management priorities when assessing the risk their third-party business partners present,” said HITRUST VP of Standards and Analysis Bryan Cline. “With limited resources, this process determines how much assurance organizations need from a supplier to ensure they’re managing information risk and compliance.”
Security risks posed by the integration of third-party services will be a continuing concern for healthcare organizations, commented Johns Hopkins University and Medicine CISO Darren Lacey during a panel discussion at the HIMSS Healthcare Security Forum held in Boston last fall.
“Third-party issues are going to be a problem for a long time, especially as we try to integrate patient portals, health information exchanges, and those types of things,” he said.