HITRUST® announced today the formation of the HITRUST Third-Party Risk Management (TPRM) Council to foster collaboration between companies, third-party vendors, and advisory service firms. The mission of the TPRM Council is to drive efficiency and effectiveness in identifying, assessing, and mitigating risk in the complex supply chain ecosystem.
Founding members of the TPRM Council are global security, risk, compliance, and audit executives representing a diverse cross-section of organizations. TPRM Council members are committed to identifying and supporting approaches to improve the current TPRM process—with a focus on increasing effectiveness and reducing inefficiencies.
“One of our goals for the Council is to ensure organizations are considering the impact on the supply chain as they mandate assurance requirements on their third parties,” said Dr. Bryan Cline, Chief Research Officer at HITRUST. “We are providing a collaborative forum for customers, their vendors, and their advisors to discuss these challenges, identify actionable solutions, and provide inputs directly to HITRUST on the approach toward doing just that—in the most effective, efficient manner.”
The need to ensure appropriate privacy and security over sensitive and confidential information, such as protected health information (PHI) or personally identifiable information (PII), with third-party vendors has never been more important. However, many current approaches to managing third-party risk have unintended, widespread impacts on companies and their vendors. Challenges exist around inconsistent and uncoordinated requirements that lead to redundant assessments. The results are inefficient uses of time, higher costs, increased burdens, and ineffective mitigation strategies.
“The HITRUST TPRM Council will serve to bring together customers, vendors, and partners across the ecosystem, helping to establish standards for both effectiveness and efficiency,” said Ashish Gupta, Vice President, Cyber & Data Product Management at Mastercard. “These objectives are in line with what we do every day at Mastercard, enabling better, more rewarding, and more secure experiences for businesses and individuals alike.”
The founding members of the TPRM Council include:
- Amazon Web Services (AWS) – Hadis Ali, Security Assurance Manager
- AT&T – Vecky Juko, Associate Director, Supplier Governance, Global Benefits
- Broadridge Financial – Sandra Rohrer, Sr. Director, Product Management, Marketing and Regulatory Communications
- Change Healthcare – Susan Richards, Director, Information Security
- Coalfire – Zachary Shales, Director, Healthcare Assurance
- Conduent – Troy Bos, Director, Client Assurance
- CVS Health – Steve Meallo, Information Security Program Management
- Frist Cressey Ventures – Chris Booker, Partner
- Frazier & Deeter – Andrew Hicks, VP, Risk Assurance
- Google – Sam Morales, Program Manager, Cloud Compliance
- Health Care Service Corporation (HCSC) – Chris Lodico, Sr. Director, Information Security
- Humana – Matt Phillips, Enterprise Information Security
- Mastercard – Ashish Gupta, VP, Cyber & Data Product Management
- Microsoft Azure – David Houlding, Director of Healthcare Experiences
- Rite Aid – Robert Lautsch, CISO
- Teleperformance – Jeffery Schilling, Global CISO
- UnitedHealth Group – Brian Troen, Sr. Director, Risk Governance & Supplier Management
- University of Pittsburgh Medical Center – John Houston, VP, Information Security & Privacy
- Vonage – Ordia Bryan, Sr. Manager, Global Security Compliance
To learn more, visit: https://hitrustalliance.net/business/third-party-risk-management/
Industry professionals are invited to stay apprised of the HITRUST TPRM Council’s activities by joining HITRUST Central, a new online community. To join, visit https://go.hitrustalliance.net/HITRUST-Central-Apply-Now.
About HITRUST Third-Party Risk Management (TPRM)
The HITRUST TPRM and HITRUST CSF® Assurance Programs together can streamline and improve the TPRM process. HITRUST’s robust approach incorporates inherent risk, which helps to recommend controls required for inclusion and provides an appropriate level of assurance. Simplifying the TPRM process, in addition to layering in staff on-demand and software as a service, means that relying parties can streamline and scale their TPRM programs cost-effectively. Vendors benefit from being able to utilize a single assessment to be reported out in multiple ways for an Assess Once, Report Many™ approach.
Since it was founded in 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks as well as related assessment and assurance methodologies. For more information, visit www.hitrustalliance.net.