HITRUST v11 and Third-Party Risk: Insights from HITRUST Leadership

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

Join us for this episode of The CyberPHIx podcast where we hear from Ryan Patrick, Vice President of Adoption at HITRUST.  

Ryan works with clients to understand and implement the HITRUST-validated assessments that best suit their organization’s risk profile. Prior to this role, he spent many years as a security practitioner and IT lead in a wide range of organizations from the US Army to Covered Entities to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion about security or HITRUST.  

Topics covered in this session include:  


  • The new HITRUST v11 and what it means for organizations who are considering the HITRUST journey 
  • HITRUST’s traversable levels of assurance from e1 to i1 to r2 
  • A newly created threat adaptive control selection process they use 
  • How broken and unsustainable TPRM (Third Party Risk Management) is today 
  • How HITRUST services fit into the third-party risk landscape 
  • A discussion about the new Health Third Party Trust (H3PT) council and what that group is trying to do to solve TPRM 
  • An invitation to meet either of us in person at HIMSS in Chicago April 17 – 21 
  • And a cool update on HITRUST’s Results Distribution System (RDS) and the automation opportunities it will provide 


Britton Burton: Welcome to The CyberPHIx, your audio resource for cyber security, privacy risk, and compliance for the healthcare industry. I am your host, Britton Burton. One of our goals on The CyberPHIx is to try to bring pertinent information from thought leaders in healthcare, cyber security, and risk roles. And in today's episode, we will be speaking to Ryan Patrick. Ryan is the Vice President of Adoption at HITRUST, where he works with clients to better understand and implement the various HITRUST-validated assessments that best suit that organization's risk profile. Prior to this role, he spent many years as a security practitioner and an IT lead in a wide range of organizations, all the way from the US Army to covered entities in healthcare to healthcare cybersecurity consulting firms. He has a wealth of practical security experience that informs every discussion that he has about HITRUST, and I'm really excited to talk to him today. In today's conversation, he and I will discuss the new HITRUST version 11 and what it means for organizations who are considering the HITRUST journey, the traversable levels of assurance from E1 to I1 to R2, the threat adaptive control selection process that HITRUST uses, and how they view their services fitting into the third-party risk landscape. So I'm really excited to talk to Ryan. Let's dive into another great conversation. Hello and welcome to CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I'd love to welcome our special guest today, Ryan Patrick. Ryan, how are you doing? 

Ryan Patrick: [00:01:44] Not too bad, Britton. Thanks for having me. 

Britton Burton: [00:01:47] Yeah, thanks for joining. I'm really excited to talk to you today. So let's start pretty simply for today's conversation. For anyone listening who may not be super familiar with HITRUST and what it is, can you share a little bit about what HITRUST is and maybe a brief history of how it's evolved over the years? 

Ryan Patrick: [00:02:04] Yeah, sure. So HITRUST at its simplest form is a standards development organization. So over 15 years ago, our founder and several other industry stakeholders came together to solve the subjectivity, the vagueness of HIPAA. So if you remember back when HIPAA was probably fully enacted, not so much when it was signed into law, it was very vague. And what it was asking organizations to do and there were lots of questions. So our founder came together with others, as I mentioned, and tried to put some prescriptiveness against what HIPAA was asking to really answer the question for healthcare organizations in order for them to demonstrate their compliance against the law. So that's really where we were born. We were born in healthcare. We, you know, have had, you know, like any new organization, some learnings, if you will, and we've learned to constantly evolve. So that is really, I think what makes HITRUST different from other organizations is we're constantly evolving. We're constantly trying to maintain our relevancy and bring to the market really questions or answers to questions that people are asking. So even though we were born in healthcare, HITRUST has now become industry agnostic. So we haven't forgotten our roots. We still very much are focused on HIPAA and what that means to the healthcare industry. But we've built the framework out so that it can be adapted for organizations of any industry, especially those organizations that are working in multiple industries. 

Britton Burton: [00:03:50] Yeah. And I think we'll definitely touch on some of those elements of learning and adapting through today's conversation. Can you tell us a little bit about your role as VP of adoption? 

Ryan Patrick: [00:04:01] Yeah, for sure. So I always kind of stumble, to be honest, with this, because my role is multifaceted and it's really hard to kind of put it in a box. But what I like to tell people is I'm, you know, one part evangelist, one part strategist, if you will. I do a bunch of consulting, tons of education around, you know, not only what is HITRUST doing and what's new with HITRUST, but also speaking with a lot of different industry entities, stakeholders and what have you, in order to learn from them about what they're doing and what their pain points are, so I can bring that back internally to HITRUST and educate our stakeholders on where we need to be looking in the future and how HITRUST can help. 

Britton Burton: [00:04:48] So that's probably a great way to segue. If anyone is familiar with HITRUST and was keeping up with the news earlier this year, CSF version 11 was released early in the first quarter, and I would love to give you an opportunity to tell us what that means. What are the key changes with version 11? First of all, tell us what CSF means, if you would, because again, if you're not familiar, CSF means cybersecurity framework in CSF, right? So tell us what CSF means. And then just kind of big high level, what are the changes with v11? 

Ryan Patrick: [00:05:21] Yeah. So the CSF, when HITRUST was first founded and formed, stood for Common Security Framework. Now it doesn't; it's just the CSF at this point, because what we did is added privacy to the framework. So it's not just a security framework anymore. So now it's more of just an acronym and a brand, if you will. So our framework version 11 came out, super, super exciting. So it's the first major release in about two years. Now, HITRUST is committed to updating our framework on an annual basis. And truthfully, what usually happens is we're updating it multiple times a year with minor releases. But version 11 was released in mid-January this year and it brought a lot of different elements to the framework to address a lot of the problems that the industry has felt, not only with adopting HITRUST but also with what is happening within the industry. So for those who are familiar with HITRUST, we've always had the HITRUST validated assessment, which I like to call a significant emotional event. I think anybody who's listening and who has gone through that assessment understands what I mean when I say a significant emotional event. It's really, really comprehensive. It's very, very rigorous. It's very, very thorough. We look at five levels of maturity in every single assessment. So is there a policy? Is there a process? Is the control actually implemented and functioning? Are you measuring the effectiveness of that control? And then ultimately, based on that measurement, are you managing it? So if you learned that there's an inefficiency or a noneffective part of the control, are you going back to the first three levels, the policy, process, implementation, and making changes in order to improve the effectiveness of that control? So the average size assessment was roughly 350 controls. 

Ryan Patrick: [00:07:31] You multiply that by five levels of maturity. That's a whole lot of stuff to do because HITRUST is not a check-the-box exercise. It's not binary. Yes or no. You actually have to prove you're doing the things that you say you're doing. So that was rebranded as the R2 assessment last year with the release of 9.6. We in version 11 actually released a new assessment type called our E1, which stands for Essentials one year. So it is a certifiable assessment. It is good for one year. And it's really designed to be exactly what it sounds like, the absolute essentials. This is the bare minimum that any organization should be doing from a cybersecurity perspective or what I like to tell people is you probably need to rethink your life because you're about to introduce headache or heartache. Because if you're not doing these things, the attack surface is compounded, and the threats are compounded. And, you know, ultimately it will likely cause an incident within your environment. 

Ryan Patrick: [00:08:44] So that E1 is, like I said, designed to hit the bare minimum. But what we found is even though it was originally conceptualized to apply to low-level or low-risk organizations, those organizations that present the lowest risk to their business partners, whether they're a vendor, you know, a collaborator, some kind of partner. That's what that E1 was originally designed to tackle. But what we found, because we've nested all of the assessments in the framework, is that E1 became a really, really good on-ramp to adopting HITRUST. So you can start with the E1, and because the E1 controls are in the I1 (I know I'm throwing out a new assessment type that I haven't mentioned, but we'll get into that, I promise), all the E1 controls are nested in the I1, and the I1 controls are now nested in the R2. You can start working on HITRUST in incremental pieces and mature over time. So there was this hidden benefit that we found. A lot of organizations have become really, really creative in how they're using the assessment portfolio, whether it be internally or with their third parties. So pretty exciting stuff. Um, that was probably the biggest element of v11 aside from the threat adaptiveness. But I think we're going to get into that in the future. Yeah. 

Britton Burton: [00:10:17] Great. So just a little bit more on the E1 and, as you've mentioned, the nesting ability. I think I read in some of your materials that y'all put out in terms of marketing and such that you kind of call it the traversable portfolio. Can you explain that a little further? Basically, to me it sounds like maybe if you test a certain control at the E1 level, then you don't necessarily have to retest it within the I1 level for it to be included in that final product of the validated assessment. Is that essentially what we're talking about, or is it something different, something more? 

Ryan Patrick: [00:10:53] Yeah, it's less about alleviating the need to test, because every single HITRUST assessment goes through the same rigor, goes through the same assurance process, the same quality process, and you have to test everything within a 90-day period prior to submission. So you're not necessarily removing the need to test that control again. But what you now have is you have already done the work against that control in the E1. So you just need to regenerate the evidence as opposed to actually having to remediate that control because it's a brand new control as you mature, right? So if you start with the E1 and you want to go to the I1, it's not a whole new mix of controls. It's here are these 44 controls that you know very, very well. You already have generated the evidence. You know that they're functioning. You just need to regenerate that evidence, provide it to your auditor, and then move on and start to work on those new controls. So it's a reuse of work, but you still have to go through the testing because we want to see that it's still a functioning control. 

Britton Burton: [00:12:03] Right. So trying to balance that the controls are still valid, but not force the rework of, quote unquote, the full retest. Makes sense. And then I'm curious, and I don't know if this is specific to v11, and it may not be specific to E1, it could be across any of the E1, I1, R2 levels: do you find organizations interested in certifying a validated assessment at a product level or usually more at the organization level between those two? Or is it a little bit of both, depending on just what the scope of the person wants? 

Ryan Patrick: [00:12:39] So it's usually very organizationally dependent, right? At the surface level, HITRUST does not certify organizations. Right? That's somewhat of a common misnomer. People always say, oh, we're HITRUST certified. It's not true, but it's true at the same time. HITRUST certifies implemented systems. So the selection of what you actually want to get certified. Usually, when I'm posed with this question, I usually ask a series of questions that help kind of pinpoint what is important to that organization and what they want to put in the scope of their assessment. One, the first question always is, is someone asking you to get HITRUST certified? Because there are a number of organizations in health care and beyond who actually leverage HITRUST assessments as a part of their third-party risk management program. So if the answer is yes, then I usually ask, well, did they tell you which assessment they want you to get assessed against and certified against? If the answer is no, then I usually encourage them to go back and ask that question. Right. So then they've got an answer to the test, right? If they are not being mandated and they want to do something from, you know, I just really care about security, and HITRUST is, you know, the gold star, the gold standard if you will. 

Ryan Patrick: [00:14:02] We want to adopt it because I want to do all the right things. Then we start to talk about, well, what's important in your environment? Where is your data? What kind of data do you have? That could start to lead to what is more appropriate. Maybe the I1, maybe the R2, especially if you have a really sensitive data set. Others want to differentiate their quote-unquote products. HITRUST doesn't certify products, you know, on paper, but the different systems. That's the first question I ask those folks: okay, you want to differentiate yourself, well, what are you going to market with? What are you trying to sell folks? That's what you probably need to put in the scope of your assessments because that's really what you want to go public and say is HITRUST certified. That's what you want to put on your website. When you go to conferences, you want to put a little trophy on your desk saying, I'm HITRUST certified. You need to make sure you put those systems in scope so that it is actually serving the function that you need them to serve. So I always ask, why are we here? Why are we talking about HITRUST? And then dig into some of those types of questions. 

Britton Burton: [00:15:11] Yeah. Yeah, that totally makes sense. On the E1, can you tell us a little bit about how you chose the control set for that? You mentioned, I believe, that it's 44 controls. I know I1 is more, R2 is even more. You know, any security person who's ever been through that "let's choose key controls for an assessment" exercise, and I think we've probably all done it in our careers, is like, okay, that makes total sense. But man, when you actually get down to doing it, it's really, really hard. So how did you all arrive at that 44? And maybe you could give just a couple of examples of a control or two that's in there, if you know them off the top of your head. 

Ryan Patrick: [00:15:52] So you may challenge me on that last question. I'm sure I can find them pretty quickly, though. HITRUST is really a framework of frameworks, right? So for those of you out there who are not super familiar with HITRUST, we've mapped to what we call 40 authoritative sources, so other standards, regulations, laws, and so on and so forth. So what we're really focused on is the whole mindset of reducing the redundancy of having to do an assessment for each requester, right? So if you're, you know, a healthcare organization, you need to do a HIPAA assessment, but maybe you're taking credit card information, you need to do PCI. Oh, but you may be doing business with the federal government, so you also need to do NIST. Because we've mapped to all of those, you do one assessment and then you can report against all of those. So it reduces that redundancy, that audit fatigue. So I say all that to offer that the E1 is based on some other standards, primarily NIST standards, some essential stuff that NIST has put out. But what we really did is we looked at what is happening in the threat environment today, and we built controls to protect against the most heinous or most common threats that are happening out in the wild today, so that organizations, whether the organization is being assessed or an organization who's going to rely on the output of that assessment, can walk away knowing that the results of this assessment mean that it's protecting against the threats that are happening today. 

Ryan Patrick: [00:17:41] So we built the control set, really, because it's essential. Essentials protect, you know, the bare minimum. We wanted it to capture what was happening. And that's really what drove the control selection. Some controls are probably in there, I mean, I can't quote the exact phraseology of them, but you're going to look at multifactor. You're going to look at encryption in transit, at rest, you know, and beyond. They're still going to want you to have a security program, some kind of governance program, to make sure that these controls still are functioning, they're still being managed. Um, so it really is kind of across the spectrum, because HITRUST is not just an IT or a security certification. It really looks at the organization kind of across the board, because everybody has a role in protecting data. So you're going to see very technical controls, but you're also going to see more administrative controls in there as well. 

Britton Burton: [00:18:44] So you touched on the threat adaptive control concept there. That was definitely something I wanted to get into. It sounds like maybe it's sort of a mix of what maps the best to the most authoritative sources, in terms of, yeah, there's a lot of really smart people that have poured into these authoritative sources and are telling us over and over these controls really matter. You know, encryption in transit, encryption at rest. Those are the kinds of things we get asked about by clients every time. Like, are you checking for this, especially in a HIPAA world? Right. But then combined with something relevant to, are you actually stopping modern-day threats? And I love to see that that was included there. Can you go a little bit more into detail in terms of, you know, variables that help you select those from the threat adaptive concept? Like, you don't have to give away the secret sauce, but what is HITRUST's definition of a threat adaptive control set, and kind of how do you evaluate that? Because that's another term that so many of us go, yeah, that makes sense. But then you sit down and try to do it and it's like, well, this is really hard. So we'd love to hear more about how you all cracked that nut. 

Ryan Patrick: [00:19:47] Yeah. So I'm definitely not the genius or the big brain behind all of this. I mean, we really, really have a lot of talented folks working at HITRUST, so our standards and innovation team really are the folks that are doing this work on a quarterly basis. So HITRUST is ingesting threat data on a quarterly basis. And what's happening is that's being overlaid against the MITRE ATT&CK framework. So we're looking at, you know, how is this being actually used and, you know, exploited in the wild? And what we do is we actually take the outputs of that and we map it to our current control settings to make sure that, you know, are we protecting against everything that we're seeing? So if we actually identify a gap in our control set based on the threats and the attacks or the exploits that are happening today, we will make adjustments to the control set. So we will remove ones that are not being exploited as much and put in ones that are going to protect against, you know, this newly identified threat and exploit to ensure that we've got coverage. And probably more importantly, the entities that are leveraging a HITRUST assessment slash certification are being protected. So, um, I would love to tell you all the ins and outs of it, but for two reasons I can't. 

Ryan Patrick: [00:21:20] One, I'm not the genius who is doing that work. And two, I think we have a patent pending on it. So it's probably not the best idea to dig into that. But actually, to me as a security professional, that's probably what I'm most excited about when it comes to v11: this threat-adaptive nature of the assessment portfolio and this movement from compliance to actual security, which you hear a lot about, right? Everybody is moving in this direction. The federal government, lots of state governments, a lot of big organizations, you know, regardless of industry, they want to get away from compliance. Right. I don't need to prove that I'm compliant against every single control and framework because 15% of those don't matter. Right? I want to prove that I am actually mature against the things that are going to protect me against the threats that are happening today. So I'm really excited about it. I think the industry is going to see the benefits of it, the value of it over time. I think we're still in an education phase, which, again, I'm super excited that you invited me here so we could talk about it, but I think there's a lot of merit to it. 

Britton Burton: [00:22:36] Yeah. I got to say, I specifically love the use of MITRE. Believe it or not, in my previous role on the practitioner health care organization side, we were attempting to use MITRE as essentially the backbone of our risk management framework, meaning obviously controls and things like that are the backbone of it, but using MITRE to map to the controls we had in place to try to illustrate some level of which controls matter the most, which is exactly what it sounds like you all have done. And it is not a simple undertaking, but it did give us a way, instead of just focusing on control effectiveness of hundreds, or really at our size thousands, of controls: does it really matter how effective this control is if you can't tell me what attack technique it's preventing or what vulnerability it's protecting against, right? And we viewed MITRE as a way to kind of begin to solve that problem, where you're bringing in a second factor of not just control for the sake of control, but control against the things that are coming after us. And it's a really powerful data point. It's a lot of data to keep up with, but I can see how, if you're just trying to tell the industry these are the most important controls, if you're going to start somewhere with something like an E1, that's just the basics to get you on the right footing. This is a way we can sort of devise that. So I really like that.

Ryan Patrick: [00:24:00] To me, it's about the hidden value. It really boils down to, if you focus solely on compliance, right? Take NIST 853. I mean, there are hundreds and they don't all matter. And in a world where you have to be able to show where you stand against those hundreds, that takes time and that takes a lot of effort. And there's not a lot of value if all those controls don't matter. So if you're able to scale that down to the controls that actually matter, you're actually able to provide assurances in a much more timely fashion. Right. So organizations who have leveraged HITRUST in the past for their third-party risk management program would say, hey, we want you to go get an R2. And that could take anywhere from 18 to 24 months because it's that significant emotional event, and what people don't realize is that for the first 18 to 24 months, the requesting organization has no visibility whatsoever. They're waiting for a report to come back. Whereas when you have this kind of slimmed-down, focused assessment, you can provide that visibility and that transparency a lot faster. Even if what you're seeing isn't great, at least you have some actionable intelligence where you can go back to that business partner and say, hey, thanks so much. We still would like to do business with you. We still would like you to pursue this more rigorous assessment. Keep working on that. But we noticed that these two things, you don't have MFA or you don't have encryption at rest, are not in place. We really need you to fix that now, and then you can build a corrective action plan as they're continuing to mature their organization, but address those gaps or vulnerabilities, for lack of a better term, as soon as possible to try to bring the risk level down.

Britton Burton: [00:26:00] And I guess that's where the nesting concept comes into play. And that on-ramp you were talking about, that the E1 can be, if we can get more of our third parties to just adopt something from an assurance standpoint, right? And it's the most critical set of controls. And then if they are at higher risk, if they're dealing with millions of records, you may want them to pursue something a little further, like an I1 or an R2. But yeah, you're right. I mean, having sat in the seat of being the person telling a COO or a CFO, you know, we're going to have to wait another three months to implement this vendor product because I can't get to the assessment or whatever. It's not a great place to be to tell them to wait, and you're definitely not going to tell them to wait two years for a full cert turnaround or whatever. So can we get any kind of inclination that they're doing at least the most important things? Right? Because if they're doing those things right, it's a pretty good indicator there's some level of trust we can have with them. And then let's see how they do on the more fine-grained controls, or maybe fine-grained isn't the right word, but the higher volume of controls. 

Ryan Patrick: [00:27:07] Yeah, I think the really compelling thing is you can move at the speed of business, leveraging the portfolio now for HITRUST, right? Because you can get that one done in a matter of weeks, you can onboard vendors much quicker, gain that visibility and then work with them over time. And I know you and I have talked about this in other forums. You know, this collaboration with third parties is imperative to actually solve the third-party problem in health care. It's not an us versus them issue, or it shouldn't be, right? There needs to be this collaborative effort where, you know, the two organizations can come together and make a plan on how to do business, as opposed to just saying, hey, we need you to go get this thing, or if you're not going to give it to me, go pound sand, we're not going to do business with you anymore. Now we can come together, get some immediate visibility all through the contracting process, and figure out a way, how do we do business faster? And I think in healthcare specifically, there are lots of movements, a lot of speed in healthcare right now with working with different organizations, wanting to share data, where this is really, really imperative in order to make that happen. 

Britton Burton: [00:28:29] Yeah, absolutely. I mean, I wanted to get into the third-party topic with you. You know, we are definitely at this tipping point where more and more covered entities are needing to outsource operations, share data, you know, whatever it is, because the speed of digital innovation, the speed of business, the cost pressures that health care institutions are under demand that what used to be in-sourced now needs to be outsourced. The technology innovations in terms of medical care, like, you're just not going to create a lot of that in-house at a hospital system. And so the volume of third parties that are running the most critical operational services at a typical hospital is just exploding. So we have this glut of third parties coming in, and this conundrum that security people face of, you know, I've got to vet every single aspect of every third party that comes across. And you mentioned the partnership aspect. I can certainly, again through experience, speak to having more of an adversarial approach to the vendor relationship part, mostly my fault in my own right. And I'm sure vendors have felt the other side of that with folks like me asking them to answer a bunch of security questions. So just in general, I think we've talked about how HITRUST with these levels of offerings can help solve some of these problems in the on-ramp concept. But just curious to kind of take a step back, with the experience you have in the industry, different aspects of it, whether you're at a covered entity or doing consulting work: are there just some general lessons learned, observations about what's wrong with the state of TPRM today, that from your years of experience you'd like to get on the table? 

Ryan Patrick: [00:30:14] Yeah. I mean, you know, you and I definitely have chatted about how it's broken. It's unsustainable. I mean, if you look at the statistics, I think the last statistic that we looked at, I think 55% of security incidents are because of a third party. So you're just statistically more likely to have a breach from a third party than from an organic incident. So, um, there's a lot of problems with third-party risk. One, it's a multi-stakeholder environment, right? It's not just the CIO or the CISO that has to come to the table to figure out how to manage these third parties. You've got procurement, you've got legal, you've got finance. All these people need to come together to try to figure out one, what's our process? Two, what's our risk tolerance, and what are we willing to accept? And then three, you know, what is that process going to be and how do we work with our vendors to actually make it as seamless as possible? Because we want to be able to operate at the speed of business and the speed of innovation. The other problem is that vendors or third parties are completely overwhelmed and burnt out, because they may be doing business with 50 different health systems and they've got 50 different questionnaires that can range from 100 questions to, one I saw recently was 900 questions. How does an organization continue to innovate, to continue to operate, while actually trying to fill out these questionnaires? To be truthful with the questionnaires, which in and of itself is probably a separate issue, they're trying to just get through that process. So are they giving you the information that you need to actually make intelligent decisions? 

Ryan Patrick: [00:32:20] It's more than likely very binary. It's very yes/no. Yes, I have an antivirus. Yes, I have encryption at rest. When, you know, the logical question for me is, well, how much of your environment is encrypted at rest? Is it actually all the systems that I'm going to be housing my data on? I don't know. But you said you've done it, so we must be good to go. So there's an absolute burnout for third parties at this point. They are just trying to survive. They're just trying to do business. And it really boils down to a need for standardization. We just need to have a common language, we just need to have a common lexicon so that all parties involved know exactly what the expectations are. And oh, by the way, if I'm able to standardize on that standard, if you will, now I don't have to spend time filling out a 900-question questionnaire. I just provide them with the results of my previous questionnaire, which is now standard among all entities in that particular industry. So I think we're finally starting to wrap our arms around this. I mean, there are other issues with third-party risk management, but I think what we're seeing and, you know, the new initiative by the Health Third Party Trust Council is a great indicator that the industry is now trying to self-regulate and figure out this problem because they're tired of dealing with security incidents and breaches, that there's some momentum moving in that direction. So I'm very, um, I'm very bullish and very excited about what we're seeing, but we still have really a long way to go. 

Britton Burton: [00:34:12] I wanted to ask you about that Health Third Party Trust Council as well. I've seen announcements about it. HITRUST and CORL are obviously both involved as sort of facilitators, but it appears it's really more about getting those healthcare entity security leaders on board to kind of say we've got to end the chaos here. And, you know, I can definitely, again, call on my own experience, sort of the lack of sophistication I had within the TPRM space for the time I was responsible for it. Just kind of thinking that only myself and my team were overwhelmed with this whole third-party risk problem. And, you know, I'm the one who has to send out questionnaires and, you know, review all these responses. And we have so many vendors and products being purchased, like, how can I ever get my arms around it? Never had the sophistication to think my counterpart, you know, at that vendor feels the exact same way: I have to respond to a hundred different questionnaires and I can't scale this and I have people asking, what do you expect from me? So from what we know about H3PT, is the concept to kind of bring those audiences together and say, hey, whether it's HITRUST, whether it's routine pen testing, whatever kind of the assurances that we can offer each other are, and just go, let's stop this. Is that kind of the goal around that council? 

Ryan Patrick: [00:35:35] Yeah, I think so. You know, to give a very brief history lesson on the council: about four years ago, a group of providers, some of the largest health systems in the country, there's about ten of them, came together and they said to themselves, this third-party stuff is really, really hard. It's not sustainable. We've got to do something about it. And they came together and standardized. And a lot of them, I mean, I shouldn't say a lot, all of them standardized on HITRUST, saying if you have gotten a HITRUST certification, obviously I just want to throw a quick caveat, scope dependent, right? The scope really is important. Then I'm not going to put you through the wringer of due diligence. So I'm going to take that and I'm going to review it and make sure that, you know, everything's copacetic. But I'm not going to send you my own 900-question questionnaire. I'm going to take that and we can do business a lot quicker. So that started about 4 or 5 years ago. And what that group of organizations found out is, as much momentum as they were producing, they needed to generate more and they needed to expand kind of beyond just the provider space. So that's kind of the catalyst for the Health Third Party Trust Council: it's an expansion of that original provider third-party risk management council. 

Ryan Patrick: [00:37:06] So now it's inclusive of not only health systems and providers but payers. There are provider-payers on the council, but they've invited in even business associates and vendors, and health tech companies, because it's truly an industry problem and we need representatives from all industries as a part of this. And what we're starting to see, and it's still very young, I mean, it really started, I'd say about four months ago, is when it was publicly released. There were 26 founding members of the council. Now, from what I'm told, there are upwards of 100 organizations that have applied to become participants of the council. And I think as more organizations learn about it, the more we're going to see that grow. And that's the really exciting part, is that this is not, you know, one entity trying to solve the world's problems. It's really everybody coming together and making decisions on what works best for the industry. So you're going to see things like, you know, acceptable security practices and acceptable security standards come out of that council. You'll probably see, you know, recommended third-party risk management processes that will come out of that council. It's really exciting stuff to see what these big brains are coming together and trying to figure out. 

Britton Burton: [00:38:40] Yeah, very cool. And it sounds like the kind of thing that is just needed. We all understand the pain a little more acutely now after, you know, a decade or more of really realizing the third-party risk. You know, ten years ago it was like, third-party risk? Why would I care about that? And five years ago it was like, holy crap, this is really bad. What are we going to do about it? Let's send everyone a ton of questionnaires because we've got to vet every single angle of every single vendor. And, you know, five years later, it's like, we know it's bad. We know it's a problem. None of us can scale on either side, vendor or health care entity. How are we going to do this more efficiently? And it truly does, I think, take that partnership approach. So, I was just Googling while you were speaking about it, and it does look like people can still join in some capacity. There's health pc.org, is the website. There's a big "join us" button, so if any of the listeners have heard this and are like, hey, that sounds interesting, join up. Let's see what we can do to kind of shape the industry. Okay. 

Ryan Patrick: [00:39:40] So, shameless plug, though. Go ahead. Um, so not next week, but the week after is HIMSS out in Chicago. That council, if you're interested in learning more, there's going to be a pretty decent number of the members that actually are going to be at HIMSS. So feel free to come by the HITRUST booth. Uh, talk to some of those council members. There's actually going to be a reception as well. So there are opportunities to kind of pick people's brains in a more intimate fashion at HIMSS if you're going to be out there. 

Britton Burton: [00:40:13] Yeah. Outstanding. And CORL will be out at HIMSS, too. So I know I'll be on the ground. Would love to bump into any of you that are interested in talking about, whether it be this topic or just all the stuff we cover on The CyberPHIx. I did a 45-minute soliloquy on the National Cybersecurity Strategy a couple of weeks ago, so we'd love to talk to any of you about that too. So okay, so I think to wrap it up here, one kind of last softball question for you, Ryan. Are there any other exciting announcements, maybe not to the level of a brand new version 11 or anything, but any other announcements or changes that folks should anticipate from HITRUST over the rest of the course of 2023? 

Ryan Patrick: [00:40:54] Yeah, absolutely. So HITRUST is committed to continuous innovation. So one of the things that we're working on right now is our Results Distribution System. So if you think about what you get after a HITRUST assessment, SOC 2, ISO, NIST, whatever the mechanism may be, is you get this really long, hundreds-of-pages PDF that is really not digestible in any way, shape, or form, especially going back to the third-party risk management conversation. If you are actually ingesting those from your vendors, how do you look at the risk across all of your vendors? You know, again, I've been using the idea of MFA or encryption as the cliche example. How do you analyze how many of your vendors don't have MFA implemented? It's super hard to do that when you have a 500-page PDF for 500 vendors. Well, HITRUST has this new Results Distribution System where you can get the results of a HITRUST assessment in a digital format, and oh, by the way, it's, quote-unquote, secured in transmission so that there's no manipulation of those results. So you can actually start to dissect what's happening. 

Ryan Patrick: [00:42:18] Um, whether it's your own HITRUST assessment or the assessments of your vendors, in a digital format, which will make it so much easier. So you think about third-party risk management: if you have, you know, a tool that you can ingest these results into, it makes it so much easier. You can look at your enterprise risk in a much more deliberate fashion, build your own intelligence on, you know, what are we willing to accept? Which vendors do we want to go to to fix these problems, and why? So that's probably the thing that's biggest on the horizon for HITRUST, is kind of closing the loop. You know, HITRUST has had these assessments and this framework for quite some time. And the results of that is kind of where there was a gap, and we're looking to solve that gap. So be on the lookout for information on that. It's ready at this point. We're just getting our T's crossed and our I's dotted on bringing that to the market. 

Britton Burton: [00:43:15] I love to hear that. In sort of every article you read about how to solve third-party risk, automation is always one of the three strategic ways, and then there's no detail on what that means. Like, what do you mean by automate? Is every vendor just going to automatically, you know, have this security rating, like a credit rating or something, that they can show us? And so what you're talking about there, I think, is an actual, tangible automation capability here that you can plug into, I would assume, your GRC or, you know, whatever other systems you're using. And maybe there are 20 key controls that you want to sort of canvas across your entire population, or whatever it might look like. And if you can automate the feeding of that into, you know, an actual reportable data set, that's the kind of stuff we're talking about at scale for your third parties. Whether it be the HITRUST PDF or, you know, what a lot of people are doing, spreadsheet-based questionnaires, you just can't do the kind of data analytics that you have to do, that honestly the modern world of business runs on, and so should the modern world of security. So very, very cool to hear about. Well, Ryan, I really appreciate you joining me today. Thanks for giving me the time. And if there's any parting shot that you'd like to say, I'll give you the floor for a second to say bye to the listeners. 

Ryan Patrick: [00:44:38] Well, one, Britton, I want to thank you for inviting me. I always enjoy our conversations. And, you know, anytime anybody wants to geek out on, whether it be HITRUST or anything healthcare or cyber security, don't hesitate to reach out to me. I'm a resource to the industry, whether it be for HITRUST or beyond. So happy to help in any way I can. And Britton, I will see you. 

Britton Burton: [00:45:08] I would like to thank my guest, Ryan Patrick, the VP of Adoption at HITRUST, for a great conversation today. I really appreciated Ryan's insights on the changes in HITRUST v11: the traversable levels of assurance from E1 to I1 to R2, the threat adaptive control selection process, and how they view their services fitting into the third-party risk landscape that we're all so concerned about. As always, we would love to have your feedback and hear from our listeners. Feel free to drop us a note about any topics you'd like to hear about or a thought leader that you think would be a great interview subject. Our email address is [email protected]. Thanks again for joining us for this episode. Have a great week and we'll see you next time on The CyberPHIx.