ORLANDO, Fla., March 14, 2022 /PRNewswire-PRWeb/ -- The Provider Third Party Risk Management Council (PTPRM), comprised of prominent Chief Information Security Officers (CISOs) from leading health systems and provider organizations, has updated and published its member 3rd party assurance guidance to expand beyond high-risk vendors with protected health information (PHI) to include moderate risk vendors with personally identifiable (PII) and other confidential information. The announcement was made to coincide with the Health Information and Management Systems Society (HIMSS) conference taking place this week in Orlando.
"Cyberattacks on third-party vendors in healthcare continue to increase, especially ransomware and phishing attacks," said James Purvis, Clinical & Administrative Information Security Officer for University of Rochester. "We need to be diligent in ensuring vendors have appropriate security controls and protections in place including those controls associated with cyber threats."
The PTPRM Council, organized in 2018, develops, recommends, and promotes best practices to effectively manage information security-related risks in their supply chains and to safeguard patient information. The council's vision is to create a common efficient approach to improve third-party information risk management for both the member organizations who need to rely on the assurances and the vendor community who needs to obtain them.
"Low and moderate risk vendors can cause significant adverse impact, just look at the entry point of an HVAC vendor in a large retail breach, not to mention it is challenging to track when lower risk vendors become higher risk, which is why we need a reliable information assessment targeting the low and moderate risk," said Omar Khawaja, Vice President & Chief Information Security Officer for Highmark Inc.
The Council members will now instruct a broader group of their vendor partners (specifically moderate risk vendors) to provide information security assurances through the HITRUST i1 certification, rather than providing other third-party assurance mechanisms such as a SOC2 report. This is to ensure suitability of control, transparency, and quality of the assessment findings.
"We have listened to the needs of our vendor community to enable an assessment and assurance mechanism that balances the effort of completion while ensuring that organizations are effectively managing risks associated time and time again with breaches," said Brian Cayer, Chief Information Security Officer of Tufts Medicine. "The HITRUST i1 Validated Assessment is a great fit because it addresses the relevant threats."
PTPRM Council Governing Organizations include:
- Allegheny Health Network
- Cleveland Clinic
- University of Rochester Medical Center
- Tufts Medicine
- Shriner's Hospitals for Children
- Mayo Clinic
Learn more about the PTPRM council and how to utilize its policies and practices at Provider Third Party Risk Management Council. The Council is encouraging health systems and other health providers of all types and sizes to join this initiative to protect patient data, reduce the administrative cost of operating proprietary TPRM programs, and reduce the burden on the vendor community by standardizing on expected levels of assurance.
About the Provider Third Party Risk Management Council Representing Chief Information Security Officers from leading health systems and hospitals, the Provider Third Party Risk Management Council strives to share best practices in managing third party risk to deliver on their organizations' mission of safeguarding sensitive information. The Council is collaborating with industry and HITRUST to create a comprehensive approach that organizations can adopt to manage third-party risk that is effective and efficient for both their organizations and the entire third-party ecosystem.
For media inquiries: [email protected]
Michele Whitton, PTPRM, 1 469-631-6164, [email protected]