HITRUST® Introduces Methodology to Triage Third-Party Risk

Addresses Risk and Cost Inconsistencies In Assessing Supply Chain

HITRUST, a leading data protection standards development and certification
organization, today announced the availability of the HITRUST Third
Party Assurance (TPA) Risk Triage Methodology, which provides an efficient
and effective way to determine the inherent risk exposure of a third-party
relationship and a standardized approach to quickly determine the type
and rigor of assurance required of vendors and business partners.

Currently, many organizations require and rely upon inappropriate
information protection and assurance requirements, which creates
inefficiencies, poses additional risk, and increases costs for
organizations and their third parties across the entire supply chain.
When an organization fails to appropriately evaluate the effectiveness
of a third party’s security and privacy controls, it exposes itself to
greater risk. Conversely, unnecessarily requiring third parties to
provide higher levels of assurance needlessly increases costs for all
parties.

While applicable to vendors and supply chains in any industry, the TPA
Risk Triage Methodology was developed in consultation and coordination
with the Provider Third Party Risk Management (TPRM) Council, which
recognized the need for an approach that assesses the inherent risk a
third party poses and prescribes the appropriate level of assurance
necessary to protect sensitive information and support regulatory
compliance.

“Until today’s release of the HITRUST TPA Risk Triage Methodology, there
was no consistent approach to determining what type of assurance a third
party should provide and maintain in cases where information or
intellectual property is shared,” says Taylor Lehmann, Vice President
and CISO, Wellforce, and co-chair of the Provider TPRM Council. “This void
either creates inefficiencies as organizations are seeking greater
assurances from their third parties than is warranted, or they are not
seeking the level of assurance needed to meet compliance requirements
and avoid unnecessary risk exposure.”

Triaging third parties based on inherent risk allows organizations to
gain better assurances at a reduced cost and greater efficiency by only
seeking the assurance level consistent with the risk posed by the third
party. The TPA Risk Triage Methodology, when used with the HITRUST CSF®
and the HITRUST CSF Assurance Program, enables organizations to ensure
their third parties are implementing an appropriate level of due care
and due diligence for the protection of sensitive information and
individual privacy.

The HITRUST TPA Risk Triage Methodology is unique in its ability to
differentiate inherent risk among third parties by identifying common
factors that categorize risk in three areas: organizational, compliance,
and technical.

  • Organizational risk factors reflect the value of the data shared with
    third parties;
  • Compliance factors address fines or penalties an organization can face
    due to a breach by a third party, which also influences the probable
    impact of a data compromise; and
  • Technical factors relate to how a third party accesses, processes,
    stores and/or disposes of an organization’s data and can affect the
    likelihood data will be compromised.

“The Provider TPRM Council has been actively engaging with industry to
reduce risks and increase efficiencies around third-party risk
management through promoting a standardized set of policies, practices
and approach,” says John Houston, Vice President, Information Security
and Privacy; Associate Counsel, UPMC; and co-chair of the Provider TPRM Council.
“This risk triage methodology has been a missing component and can be
used as the first step in an organization’s third-party risk management
process to quickly assess the risks inherent in the sharing of
information with a particular third party and determine an appropriate
assurance mechanism, thereby increasing efficiency and effectiveness of
the process.”

The HITRUST TPA Risk Triage Methodology also incorporates a risk scoring
model to help quantify the risk and offers specific recommendations for
the type and rigor of the assessment and the maturity of the
organization’s information protection. The scoring model estimates the
relative likelihood of a data breach by the third party based on five
technical risk factors and the relative impact of such a breach based on
three organizational risk factors and four compliance risk factors.
These estimates provide a risk score that can then be used to determine
one of five levels of assessment a third party would be asked to
complete. Organizations also have the flexibility of weighting some
factors more heavily than others when calculating the likelihood and
impact of a third party’s inherent risk to address its specific risk
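The scoring model above is only described in outline: a likelihood estimate drawn from five technical factors, an impact estimate drawn from three organizational and four compliance factors, optional per-factor weighting, and a combined score mapped to one of five assessment levels. The following Python is an added illustration of that shape and is not HITRUST's published model: the factor names, the 1-to-5 rating scale, the weighting rule, the score bands and both sample third parties are constructed for this example.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence

# Hypothetical rating scale per factor (1 = lowest exposure, 5 = highest).
RATING_MIN, RATING_MAX = 1, 5

# Hypothetical factor catalogue shaped like the release describes: five
# technical factors drive likelihood; three organizational and four
# compliance factors drive impact. Names are constructed, not HITRUST's.
TECHNICAL_FACTORS: Sequence[str] = (
    "access_method", "processing_scope", "storage_location",
    "disposal_practice", "connectivity",
)
ORGANIZATIONAL_FACTORS: Sequence[str] = (
    "data_sensitivity", "record_volume", "business_criticality",
)
COMPLIANCE_FACTORS: Sequence[str] = (
    "regulatory_fines", "breach_notification_duty",
    "contractual_penalties", "audit_scrutiny",
)

# Constructed score bands: (exclusive upper bound, assessment level).
ASSESSMENT_LEVELS = (
    (0.10, "Level 1"), (0.25, "Level 2"), (0.45, "Level 3"),
    (0.70, "Level 4"), (1.01, "Level 5"),
)


@dataclass(frozen=True)
class TriageResult:
    likelihood: float  # 0..1, from technical factors
    impact: float      # 0..1, from organizational + compliance factors
    score: float       # likelihood * impact, 0..1
    level: str         # assessment level the score falls into


def _normalize(rating: int) -> float:
    """Map a 1..5 rating onto 0..1; reject anything outside the scale."""
    if not isinstance(rating, int) or not RATING_MIN <= rating <= RATING_MAX:
        raise ValueError(f"rating {rating!r} outside {RATING_MIN}..{RATING_MAX}")
    return (rating - RATING_MIN) / (RATING_MAX - RATING_MIN)


def weighted_mean(ratings: Mapping[str, int], factors: Sequence[str],
                  weights: Optional[Mapping[str, float]] = None) -> float:
    """Weighted mean of normalized ratings over the given factors.

    Every listed factor must be rated. Factors without an explicit weight
    default to 1.0, so an organization can emphasize a few factors by
    giving only those a larger weight.
    """
    weights = weights or {}
    missing = [f for f in factors if f not in ratings]
    if missing:
        raise KeyError(f"unrated factors: {missing}")
    acc, total_weight = 0.0, 0.0
    for f in factors:
        w = float(weights.get(f, 1.0))
        if w <= 0:
            raise ValueError(f"weight for {f} must be positive")
        acc += w * _normalize(ratings[f])
        total_weight += w
    return acc / total_weight


def likelihood(ratings, weights=None) -> float:
    return weighted_mean(ratings, TECHNICAL_FACTORS, weights)


def impact(ratings, weights=None) -> float:
    factors = tuple(ORGANIZATIONAL_FACTORS) + tuple(COMPLIANCE_FACTORS)
    return weighted_mean(ratings, factors, weights)


def assessment_level(score: float) -> str:
    """Map a 0..1 score onto one of the five constructed assessment levels."""
    for upper, level in ASSESSMENT_LEVELS:
        if score < upper:
            return level
    raise ValueError(f"score {score} out of range")


def triage(ratings, weights=None) -> TriageResult:
    lk, im = likelihood(ratings, weights), impact(ratings, weights)
    return TriageResult(lk, im, lk * im, assessment_level(lk * im))


# Constructed sample third parties (ratings are illustrative only).
CLAIMS_PROCESSOR = {
    "access_method": 5, "processing_scope": 5, "storage_location": 4,
    "disposal_practice": 4, "connectivity": 5,
    "data_sensitivity": 5, "record_volume": 5, "business_criticality": 4,
    "regulatory_fines": 5, "breach_notification_duty": 4,
    "contractual_penalties": 4, "audit_scrutiny": 3,
}
OFFICE_SUPPLIER = {
    "access_method": 1, "processing_scope": 1, "storage_location": 1,
    "disposal_practice": 1, "connectivity": 2,
    "data_sensitivity": 1, "record_volume": 2, "business_criticality": 1,
    "regulatory_fines": 1, "breach_notification_duty": 1,
    "contractual_penalties": 2, "audit_scrutiny": 1,
}

if __name__ == "__main__":
    for name, ratings in (("claims processor", CLAIMS_PROCESSOR),
                          ("office supplier", OFFICE_SUPPLIER)):
        r = triage(ratings)
        print(f"{name}: likelihood={r.likelihood:.2f} impact={r.impact:.2f} "
              f"score={r.score:.3f} -> {r.level}")
    # Weight data sensitivity twice as heavily as the other impact factors.
    r = triage(CLAIMS_PROCESSOR, weights={"data_sensitivity": 2.0})
    print(f"claims processor (weighted): score={r.score:.3f} -> {r.level}")
```

The point of the structure is that likelihood and impact are kept as separate, auditable numbers before being combined, so a reviewer can see whether a high score comes from how the vendor handles data or from what would be lost if it were breached, and the weighting hook changes the impact side without touching the scale or the level bands.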

“This risk triage methodology, another component in HITRUST’s
comprehensive approach, helps organizations determine their risk
management priorities when assessing the risk their third-party business
partners present,” says Dr. Bryan Cline, Vice President, Standards and
Analysis, HITRUST. “With limited resources, this process determines how
much assurance organizations need from a supplier to ensure they’re
managing information risk and compliance.”

The HITRUST TPA Risk Triage Methodology can be found at https://hitrustalliance.net/risk-triage/

HITRUST will be an exhibitor (booth #1287) at HIMSS 2019 in Orlando,
February 11-14, where our experts will be available to discuss the
HITRUST TPA Risk Triage Methodology and will be presenting on HITRUST
Third-Party Assurance, HITRUST Journey to Certification and the HITRUST
Assessment XChange™.

In addition, HITRUST will be hosting a webinar on Tuesday, March 19 at
12 noon to 1 p.m. (CDT) to discuss how to implement the HITRUST TPA Risk
Triage Methodology. Registration here.

About Provider Third Party Risk Management (TPRM) Council

The Provider TPRM Council represents chief information officers from
leading health systems and hospitals striving to share best practices in
managing third-party risk to deliver on their organizations’ mission of
safeguarding sensitive information. For more information, visit https://provider-tprm.org/.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose
mission is to champion programs that safeguard sensitive information and
manage information risk for organizations across all industries and
throughout the third-party supply chain. In collaboration with privacy,
information security and risk management leaders from both the public
and private sectors, HITRUST develops, maintains and provides broad
access to its widely adopted common risk and compliance management and
de-identification frameworks; related assessment and assurance
methodologies; and initiatives advancing cyber sharing, analysis and

HITRUST actively participates in many efforts in government advocacy,
community building, and cybersecurity education. For more information,
visit www.hitrustalliance.net.


Kevin Lightfoot