Here's a grassroots way to rethink security when working with cloud vendors
Many hospital security and legal teams embark on a painful process every time they evaluate a cloud vendor. Think gnarly spreadsheets or lengthy questionnaires that the vendors struggle to complete and, even when they do, the results don't necessarily deliver what the customer actually needs to know about protecting sensitive data in that particular cloud.
Wouldn't it be simpler for everyone – health systems, insurance companies, even the cloud vendors themselves – if a critical mass agreed to everyone employing one approach?
That's the assertion of the Provider Third-Party Risk Management Council, a new nonprofit spearheaded by top security executives from UPMC, Highmark Health and Wellforce.
"Everyone has the exact same problem, and everyone needs and wants the same things," said Taylor Lehmann, CISO at Wellforce, a system comprising Tufts Medical Center, Lowell General Hospital and others. "The beauty is that there's been so much work on this topic it can be as simple as saying, 'Yeah, let's just agree' on what we need from vendors."
Lehmann added that he has already talked to approximately 100 hospital systems and, in so doing, learned that they already seek out HITRUST certification.
You're HITRUST-certified? Then you're good in my shop
Members of the Provider Third-Party Risk Management Council, which began in September of 2018, have committed to do away with all of their own questions and requirements if, but only if, a cloud vendor earns HITRUST certification, according to John Houston, vice president, privacy and information security & associate counsel at UPMC.
"This makes it a lot easier to get past vetting a vendor through a spreadsheet or questionnaire and allows us to have a deeper and more meaningful conversation about the product we're buying and how we can use it correctly and safely," Lehmann said. "That's a conversation we don't have enough because we're so busy working in those spreadsheets and questionnaires."
Council's motivation: Patient safety and care delivery
Infosec's next wave is about more than just protecting patient data because strong security enables innovation and, in turn, helps hospitals make patients safer.
Cybersecurity, after all, is increasingly viewed as a patient safety issue and a social responsibility. To that end, Lehmann stressed that no money is exchanging hands as part of the PTPRM Council and, instead, participating organizations do so on their own dime.
"We're not asking for money," Lehmann said. "We must stay impartial for our voice to be heard."
Lehmann, in fact, has declined vendor interest in sponsoring the council.
"The biggest and most important point is that hospitals' priority needs to be spending money on patient care," Lehmann said. "The majority of every dollar hospitals spend should go to patient care."
Roster of participants
As of press time, some 60 organizations had signed on to participate, Lehmann said, whether as full-fledged members already up and running or others in the process of negotiating terms of participation, and about 10 who have verbally agreed.
Among the health systems already onboard are the Mayo Clinic, Cleveland Clinic, Vanderbilt University Medical Center, Phoenix Children's Hospital, Indiana University Health and more.
"There are several hundred other organizations we haven't been able to connect with yet who want to talk to us," Lehmann added. "It's a matter of capacity."
Houston said the group settled on HITRUST for two reasons.
"It's as an amalgam of healthcare-relevant frameworks and regulations, such as NIST Cobit, PCI, HIPAA, etc. By applying HITRUST we do not need to try to make sense of each individual framework or regulation to determine how it applies," Houston explained. "And it provides a certification process using independent assessors to perform the assessment and HITRUST to do the certification scoring and quality assurance."
Lehmann added that HITRUST has a quality standard that exceeds what accounting firms have for themselves – and it's completely independent.
About the cloud vendors
Although it's early and the major cloud providers are not members yet, Lehmann described them as excited because reporting HITRUST will be much easier for them, many of whom have already achieved it, than completing thousands of non-standard forms every year.
Most of the bigger cloud vendors, in fact, are already HITRUST certified. That means they've already done the hard part and it's just a matter of packaging it up into a HITRUST report.
"We have a ton of large tech cloud vendors who are just like 'hell year' and they fall into that category that we just haven't connected with yet," Lehmann said.
There's no guarantee that the PTPRM Council will work, of course. But Lehmann said the intention is to remain a nonprofit and keep money, other than cost-savings, out of the equation, not to become a member-dues driven entity.
"It's a grassroots thing, and we want to keep it that way," Lehmann said. "It's a multiplier effect. We started in September, 60 organizations have joined in some capacity, and hundreds more are interested."