HITRUST® 2019 was another successful conference. It covered topics ranging from new quality standards and an outline of assessment best practices to compliance in the cloud, cross-industry adaptation of HITRUST, and the ever-changing privacy landscape. The number of organizations adopting HITRUST continues to expand, and the attendance at this year’s conference confirms that this will continue in the years to come.

One key interest this year was the growth of the Provider Third-Party Risk Management Council’s network. Nearly one year since the council’s assembly, it has grown in both awareness and participation.

Here is a brief overview of its origin, objectives, and the challenges it’s helping organizations overcome.

What is the Provider Third-Party Risk Management Council?

The Provider Third-Party Risk Management (PTPRM) Council is relatively new, announced in 2018. A group of prominent Chief Information Security Officers (CISOs) came together to solve a common challenge: vetting and monitoring third-party organizations in their supply chains.

They created the PTPRM Council to “develop, recommend, and promote practices to manage information security-related risks in their supply chain and to safeguard patient safety and information.”

The council upholds its mission by promoting HITRUST as part of its requirements: it requires third parties whose services involve the disclosure of protected health information (PHI) to provide a certified HITRUST CSF™ Assessment prior to providing services and annually thereafter. How does this help? The HITRUST CSF certification serves as a standard for third parties that use patient or sensitive information. These third parties can become certified, participate in the network and, as a result, more easily work with other members.

The Provider TPRM Council’s Objectives

The PTPRM Council’s objectives are designed to improve the cybersecurity posture of participating organizations. Its main goals are to:

  • Bring uniformity to the vendor risk management life cycle (VRMLC);
  • Reduce the cost and increase the value that organizations expect from their VRMLC processes;
  • Address difficult problems efficiently and respond to emerging threats; and
  • Demonstrate commitment to industry-wide acceptance and adoption.

The council is working to achieve these goals.

How does this help the participating organizations?

Participating organizations can ensure that others in the PTPRM network are following vital security standards and that their compliance has been validated. Because participants are HITRUST CSF certified, working within the network gives organizations inherent initial trust, making the process of onboarding vendors and providers less cumbersome.

This initiative helps save these organizations time and money since resources that previously went toward vetting new providers and vendors can now be used elsewhere.

While this initiative is based on security, it’s clear that joining this network is a competitive advantage as well. An organization is more likely to choose to work with another participating organization because of the assurance of security standards and the time saved.

The Potential of PTPRM’s Growth

Many organizations on the PTPRM Council have already seen rapid adoption of HITRUST from their vendors. This initiative has allowed vendors or service organizations to reduce security audits, questionnaires, and the time spent filling out vendor forms. This change affects not only organizations on the council but others as well, considering that HITRUST CSF is a widely recognized security framework and certification. Since the council’s inception, the number of participating providers has grown, and BA/Vendor Council members have been added.

If you would like more information about the HITRUST CSF certification, contact LBMC Information Security to learn more and schedule a consultation.
