
Healthcare CISO Group Focuses on Third-Party Risk Challenges

Health 3rd Party Trust Council Aims to Raise the Bar on Assessing Vendors
John Houston, vice president of information security and privacy at UPMC, and Omar Khawaja, former CISO at Highmark Health

A coalition of healthcare sector firms including heavyweights CVS and Walgreens on Wednesday launched an effort to put pressure on vendors to improve their cybersecurity.

The Health 3rd Party Trust, or Health3PT, includes a council of nearly two dozen healthcare sector CISOs and other security risk leaders.

The group is supported by healthcare standards and framework certification body HITRUST, and CORL, a healthcare third-party risk management services and solutions provider.

The council hopes it can oblige vendors to meet certification requirements of HITRUST's Common Security Framework.

Having HITRUST-certified vendors is a way for organizations to take a more standardized, consistent approach to obtaining, maintaining and monitoring information privacy and security assurances from third parties - without entities having to send their vendors a mountain of proprietary and often redundant questionnaires and single-use assessments, says John Houston, vice president of security and privacy at UPMC.

He and Omar Khawaja, former CISO of Highmark Health, are members of the group.

"We're going to the industry, to third parties, and saying, 'If you want to do business with us and provide services to us, then you need to be HITRUST-certified and implement it in a mature fashion,'" Houston says.

Health3PT members hope that collectively their market power can "convince our third parties that they really need to be HITRUST-certified," Houston says. "We're trying to move the market to say, 'This is the cost of doing business in the healthcare space.'"

"The third-party risk problem is an ecosystem problem and not an individual organization or enterprise problem," Khawaja says.

Other members of the new Health3PT Council include CISOs and security risk leaders from healthcare sector organizations including AmeriHealth Caritas, Amerisource Bergen, Attest Health Care Advisors, Centura Health, Evolent Health, HCA Healthcare, Health Care Service Corp., Healthix, HealthStream, Humana, Memorial Sloan Kettering Cancer Center, Piedmont Healthcare, Premera Blue Cross, St. Luke's Health System, Tufts Medicine, and Virtual Health.

Health3PT says it will publish its first documents, which contain research on third-party risk metrics to benchmark the state of the industry, in the first quarter.

Also in 2023, Health3PT will launch working groups and host educational events, including a summit for vendors, healthcare third-party risk management stakeholders, and assessor organizations.

In the joint interview, Houston and Khawaja also discuss:

  • Top vendor risk management challenges facing healthcare;
  • Common security assessment issues involving vendors;
  • Health3PT plans looking forward.

Houston, an attorney, is vice president of information security and privacy at UPMC, formerly known as the University of Pittsburgh Medical Center. He also serves as UPMC associate counsel.

Khawaja last week wrapped up nine years as vice president and CISO for Pittsburgh, Pennsylvania-based Highmark Health and is in the midst of transitioning to a new career opportunity. Previously, he worked at Verizon Enterprise Solutions, where he was responsible for a portfolio of security solutions.
