CISO’s Mission Resonates with Healthcare Peers

Provider Third Party Risk Management Council Gathers Momentum and
Increases Membership

BOSTON–(BUSINESS WIRE)–The vision of a standardized method to assess the risk management
posture of third party suppliers to healthcare firms envisioned by the
recently-formed Provider Third Party Risk Management Council is gaining
momentum and support throughout the industry as security leaders from
both healthcare providers and their suppliers embrace the unified

Led by Governing Members consisting of prominent Chief Information
Security Officers (CISOs) throughout the healthcare sector, the Council
and its growing number of participants are adopting a consistent
approach that addresses the issues affecting information security-related
risks in their organization’s supply chain and safeguarding patient
safety and information.

“The Council is committed to improving risk management for providers and
efficiencies for third parties who support healthcare organizations
throughout the sector,” says Taylor Lehmann, CISO of Wellforce, Founding
Participant of the Council, and Governing Member. “As industry leaders
we need to collaborate to solve problems, and we will actively engage
with HITRUST to lend our leadership to benefit the healthcare sector.”

One of the goals for the Council is to address the inefficiencies found
in the third party supply chain ecosystem. Suppliers are commonly
required by their customers to respond to unique questionnaires or other
assessment requests relating to their risk management posture. By
reducing the multiple audits and questionnaires, the financial savings
will allow business partners to invest in substantive risk reduction
efforts and not redundant assessments.

“By reducing wasted effort and duplication, suppliers will find their
products and services will be acquired more quickly by healthcare
providers,” says Founding Participant and Governing Member, Omar
Khawaja, VP and CISO of Allegheny Health Network and Highmark Health.
“This will also reduce the complexity of contracts and provide third
parties with better visibility regarding the requirements to do business
with providers.”

Since the Provider Third Party Risk Management Council and associated
program was announced in August, an expanding number of healthcare
organizations – from providers to supply chain business associates and
vendors – are advocating that a more efficient approach to third
party assurance is necessary and strive to improve how the industry
approaches assessing, monitoring, and responding to risks posed by third

“The desire to establish a standard, effective and scalable method for
assessing the privacy and security of third parties is resonating with
providers of all sizes,” says John Houston, Vice President, Privacy and
Information Security & Associate Counsel of UPMC, Founding Participant
of the Council, and Governing Member. “The leaders throughout the
industry recognize their responsibility and role in improving the
protection of patient and sensitive information and streamlining the
assurance process.”

In addition to the original Founding Participants, the Governing Members
have been expanded to include: Nuance, The Mayo Clinic, Multicare,
Indiana University Health, Children’s Health Dallas, Phoenix Children’s
Hospital, and Banner Health.

The Council recognizes the value of the HITRUST CSF® and its assurance
programs to better manage risk, and each organization on the Council
will be requiring their third parties to become HITRUST CSF Certified.
The HITRUST CSF Certification will serve as the standard for third
parties providing services where they require access to patient or
sensitive information and be accepted by all the Council’s
organizations. The HITRUST CSF Assurance Program is already the most
widely adopted assessment approach by healthcare organizations and used
by third parties to evaluate and communicate their information privacy
and security posture. HITRUST will continue to work closely with Council
members and their organizations to ensure its programs are the hallmark
for the industry.

The Founding Participant organizations for the Provider Third Party Risk
Management Council include:

  • Allegheny Health Network
  • Cleveland Clinic
  • University of Rochester Medical Center
  • UPMC
  • Vanderbilt University Medical Center
  • Wellforce, parent of Tufts Medical Center

More information on the Provider Third Party Risk Management Council and
how your organization can join, contribute to and adopt its policies and
practices can be found at

Register here for a webinar about the Provider Third Party Risk
Management Council on Thursday, December 13th at 12 p.m.

About the Provider Third Party Risk Management Council

Representing Chief Information Security Officers from leading health
systems and hospitals, the Provider Third Party Risk Management Council
strives to share best practices in managing third party risk to deliver
on their organizations’ mission of safeguarding sensitive information.
The Council is collaborating with industry and HITRUST to create a
comprehensive set of practices that organizations can adopt to
effectively manage third party risk that is efficient for both their
organizations and the entire third party ecosystem.

Members of the Council observed their supply chains are filled with
third parties who support the care delivery process and require access
to patient information – properly vetting and monitoring these third
parties is a major challenge, and in some cases, insurmountable for many
organizations who simply don’t have the expertise or resources. Through
innovation and industry leadership, the Provider Third Party Risk
Management Council has developed and adopted common vetting and
oversight practices that will benefit health systems, hospitals and
other providers in the US and around the world.
