The Health 3rd Party Trust (Health3PT) Initiative announced the
release of the Health3PT Recommended Practices & Implementation
Guide, a key deliverable in its mission to solve the third party cyber
risk problem in the healthcare industry. The Health3PT
Recommended Practices & Implementation Guide is
the result of collaboration among a council representing the nation's
leading healthcare organizations and provides an instructional framework
of actionable steps organizations can take to ensure due diligence and
due care throughout the healthcare ecosystem, while improving
effectiveness, reducing inefficiencies, and leading the way for
standardization in Third-Party Risk Management (TPRM).
There is a wide range of TPRM practices adopted across the healthcare
industry. Many of these are decades old and adopted from processes used
by other industries, making them ill-equipped to meet the modern
challenges presented by adopting new technology innovations such as
cloud and AI in the healthcare industry and the ensuing cyber threats
that follow. These numerous and outdated TPRM approaches result in
inconsistent and unclear risk management outcomes, as evidenced by
vendor-related security events and breaches of PHI and other sensitive
information by business associates.
An industry survey conducted
by Health3PT confirms the challenges facing current healthcare TPRM
processes and reveals that both covered entities and vendors are
overwhelmed. Sixty-eight percent of covered entities and 79% of vendors
believe the current TPRM process is inefficient. Vendors experience
audit fatigue from the sheer volume and variability of proprietary
security questionnaires they receive from their customers, and covered
entities can't keep pace with the volume of questionnaire responses they
receive. The legacy process is a resource and productivity drain for
the healthcare industry, and neither covered entities (60%) nor vendors
(72%) see the status quo as an effective process to prevent data
breaches.
The survey found the aspects of TPRM that covered entities are
most dissatisfied with are: Keeping pace with the volume of security
assessments they receive (50%); Getting vendors to address and fix
identified information security deficiencies (48%); Excessive turnaround
time for assessments (43%); and Receiving transparent assurances from
vendors to satisfy the request the first time (38%).
"The average cost of a healthcare data breach is around $10 million,
including significant judgments that have been recently levied against
organizations for violations of HIPAA and PHI privacy rules," said John Houston,
VP Information Security and Privacy, UPMC. "Our experience is that 90%
of breaches within healthcare involve a third party or a vendor that has
a provider's data. At the end of the day, we're all spending a lot of
money on third-party risk management, and we're not necessarily sure
that we're getting our value out of the money spent."
The aspects of TPRM that vendors are most dissatisfied with
are: Customers unwilling to accept third-party validated assessments and
certifications in lieu of proprietary control questionnaires (47%);
Handling the variability of questionnaires and audits (39%); and The
resources and time required to meet compliance requirements (27%).
"Smaller organizations are challenged with staffing and
affordability. What can we do with the number of people we have within a
reasonable budget? So, the fewer questionnaires, the better," said Glen Braden,
Principal, CFO, and CIO, Attest Health Care Advisors. "We embraced the
HITRUST standard years ago, and we expect our clients to accept it as
well because we don't have the staff to answer hundreds of separate
questionnaires. At the end of the day, it's about providing reasonable
assurance. But we have to be able to do it in a manner that is
affordable, that can scale, and responds to the needs of our
customers."
The survey was conducted in coordination with the Health3PT Third
Party Risk Virtual Summit, an industry-wide virtual event held on June 7, 2023.
Over 400 experts in the healthcare third-party risk management
community across covered entities and vendor organizations participated
in panel discussions to transparently share their concerns on the
inadequacies of current healthcare TPRM practices and work toward new,
innovative solutions.
Organizations that implement the recommended practices will meet both
the spirit and the letter of the Health Insurance Portability and
Accountability Act (HIPAA) Security Rule requirements regarding the
provision of 'satisfactory assurances' from their third parties, and
will be better positioned to qualify for potential mitigation of
regulatory fines and penalties.
Six recommended practices are addressed in the Health3PT Recommended Practices & Implementation Guide:
- Concise contract language tying financial terms to a vendor's transparency, assurance, and collaboration on security matters
- Risk tiering strategy that drives the frequency of reviews, the extent of due diligence, and the urgency of remediation
- Appropriate, reliable, and consistent assurances about the vendor's security capabilities
- Follow-up through to closure of identified gaps and corrective action plans
- Recurring updates of assurance of the vendor's security capabilities
- Metrics and reporting on organization-wide vendor risks
At the summit, Health3PT also announced the availability of its
Vendor Directory. Over 70 organizations have submitted applications to
be qualified and listed in the first release of the directory. The tool
makes it easy for healthcare organizations to identify trustworthy
vendors that meet their information risk management requirements based
on their HITRUST certification status to streamline the vendor selection
and contracting process. The directory is now available at
health3pt.org/vendor-directory.
To date, over 150 organizations have joined Health3PT. The Initiative
is dedicated to bringing standards, credible assurance models, and
automated workflows to solve the third-party risk management problem and
advance the mission to safeguard sensitive information.
Download the Health3PT Recommended Practices & Implementation
Guide and the Health3PT "The State of Healthcare Third Party Cyber Risk
Management" Survey: https://health3pt.org/resources