Why health systems should work together to manage cloud cybersecurity risk

Chief Information Security Officers highlight cloud cybersecurity risk and a common certification program for vendors serving health care

The resources required to properly vet and monitor third party cloud service providers can be a major challenge for health systems looking to manage cloud cybersecurity risk. In some cases, the time, resources, and expertise needed is too great an undertaking for smaller health care organizations.

SIGN UP FOR THE CCM WEBINAR, “BUILDING TRUST IN THE CLOUD”

That’s why a group of information security professionals from a variety of health systems formed the Provider Third Party Risk Management Council. The Council is developing common vetting and oversight practices to ensure the cloud security of vendors working with health systems, hospitals and other providers.

Taylor Lehmann and John Houston discuss cloud cybersecurity risk at CCM — Taylor Lehmann, left, and John Houston at the Top of Mind 2019 Summit

What is HITRUST CSF Certification?

Taylor Lehmann, Chief Information Security Officer at Wellforce/Tufts, and John Houston, Vice President of Privacy and Information Security and Associate Council at UPMC, described their work as founding members of the Council during a presentation at the Top of Mind 2019 Summit.

The organizations on the Council, including Wellforce/Tufts, UPMC, Cleveland Clinic, and others, will require their third-party vendors to become HITRUST CSF Certified within the next 24 months. The certification will serve as their standard for vendors that access to patient or sensitive information. Certification will be accepted by all of the council’s participating organizations.

“We’re actually providing the playbook for how to securely operate and work with large health systems two to three years before you’re actually ready to do so,” Lehmann said during the Top of Mind 2019 Summit.

Becoming certified allows vendors to save time and effort answering questions from every health system they want to do business with, and instead use that time creating more secure products, Lehmann said. It’s a win for health systems because they don’t need to spend extra time vetting the security of every vendor.

“I would have to summarize this in one word: Frictionless. We’re trying to build a frictionless environment while ensuring a high level of security,” Houston said.