Simplifying Vendor Security Risk Management
UPMC's John Houston Explains New CISO Council's Effort to Reduce Third-Party Risk
Why did CISOs at a half-dozen leading healthcare organizations launch a new council aimed at standardizing their vendor risk management programs? John Houston, CISO of UPMC and a member of the council, explains why the group was launched, how it will work and why managing cloud vendor risks is a top priority.
"We're really looking at those vendors that provide services in the cloud ... who handle our data," Houston says in an interview with Information Security Media Group.
"The reason we're focused on that subset is [because] in the past, when [healthcare] providers were running their own systems and the data was within their data centers, providers in essence could have control over the security of those information systems. Now we're really in a different era, where we're dependent upon and have to trust these third parties that they have the appropriate security and controls in place to ensure that our data remains secure."
Monitoring whether vendors with access to protected health information (PHI) are doing enough to safeguard that data is very demanding, he says.
"If each provider has to go to each of its vendors and test their security, or at least evaluate their security, and ask the vendor to fill out a questionnaire, it's difficult because the vendor is having to answer many hundreds of questionnaires from all of its customers - and likewise, each [healthcare] provider has to do that evaluation for each of its vendors," he says.
"That's difficult to scale on both sides of the equation. If you look at the small to midsized provider community, they often don't have the financial wherewithal to do those types of assessments with all of their vendors ... that are holding their data and performing their processing."
To streamline vendor assessments, the new Provider Third Party Risk Management Council says its member organizations will require that, within the next 24 months, their vendors become certified against the HITRUST CSF (Common Security Framework). HITRUST was formerly known as the Health Information Trust Alliance.
"What we're really trying to do in this particular case is develop an environment in which the provider ... can review the HITRUST certification report [about vendors] and hopefully get comfort from the maturity of the security program that the third party has in place," Houston says.
In the interview, Houston also discusses:
- How vendors become HITRUST CSF certified, and how UPMC - a healthcare delivery system - is going through that process itself;
- Other cybersecurity issues, such as continuous monitoring, that the CISO council plans to address;
- UPMC's top cybersecurity priorities for the year ahead.
Houston is vice president of information security and privacy and associate counsel at UPMC. Formerly known as the University of Pittsburgh Medical Center, UPMC is a $19 billion organization with 85,000 employees, 40 hospitals, 600 doctors' offices and outpatient sites, and a 3.4 million-member insurance services division. Houston, who has been an information security leader at UPMC for more than 20 years, has also been involved in a variety of startups, including both a regional health information exchange and a cloud-based identity management company.