
TMCNet:  HITRUST® Introduces Methodology to Triage Third-Party Risk

[February 07, 2019]


HITRUST, a leading data protection standards development and certification organization, today announced the availability of the HITRUST Third Party Assurance (TPA) Risk Triage Methodology, which provides an efficient and effective way to determine the inherent risk exposure of a third-party relationship and a standardized approach to quickly determine the type and rigor of assurance required of vendors and business partners.

Currently, many organizations require and rely upon inappropriate information protection and assurance requirements, which creates inefficiencies, poses additional risk, and increases costs for organizations and their third parties across the entire supply chain. When an organization fails to appropriately evaluate the effectiveness of a third party's security and privacy controls, it exposes itself to greater risk. Conversely, unnecessarily requiring third parties to provide higher levels of assurance increases costs for all parties.

While applicable to vendors and supply chains in any industry, the TPA Risk Triage Methodology was developed in consultation and coordination with the Provider Third Party Risk Management (TPRM) Council, which recognized the need for an approach that assesses the inherent risk a third party poses and prescribes the appropriate level of assurance necessary to protect sensitive information and support regulatory compliance.

"Until today's release of the HITRUST TPA Risk Triage Methodology, there was no consistent approach to determining what type of assurance a third party should provide and maintain in cases where information or intellectual property is shared," says Taylor Lehmann, Vice President and CISO, Wellforce and co-chair Provider TPRM Council. "This void either creates inefficiencies as organizations are seeking greater assurances from their third parties than is warranted, or they are not seeking the level of assurance needed to meet compliance requirements and avoid unnecessary risk exposure."

Triaging third parties based on inherent risk allows organizations to gain better assurance at reduced cost and with greater efficiency by seeking only the assurance level consistent with the risk posed by the third party. The TPA Risk Triage Methodology, when used with the HITRUST CSF® and the HITRUST CSF Assurance Program, enables organizations to ensure their third parties are implementing an appropriate level of due care and due diligence for the protection of sensitive information and individual privacy.

The HITRUST TPA Risk Triage Methodology is unique in its ability to differentiate inherent risk among third parties by identifying common factors that categorize risk in three areas: organizational, compliance, and technical.

  • Organizational risk factors reflect the value of the data shared with third parties;
  • Compliance factors address fines or penalties an organization can face due to a breach by a third party, which also influences the probable impact of a data compromise; and
  • Technical factors relate to how a third party accesses, processes, stores and/or disposes of an organization's data and can affect the likelihood that data will be compromised.

"The Provider TPRM Council has been actively engaging with industry to reduce risks and increase efficiencies around third-party risk management through promoting a standardized set of policies, practices and approach," says John Houston, Vice President, Information Security and Privacy; Associate Counsel, UPMC and co-chair Provider TPRM Council. "This risk triage methodology has been a missing component and can be used as the first step in an organization's third-party risk management process to quickly assess the risks inherent in the sharing of information with a particular third party and determine an appropriate assurance mechanism, thereby increasing efficiency and effectiveness of the process."

The HITRUST TPA Risk Triage Methodology also incorporates a risk scoring model to help quantify the risk and offers specific recommendations for the type and rigor of the assessment and the maturity of the organization's information protection. The scoring model estimates the relative likelihood of a data breach by the third party based on five technical risk factors, and the relative impact of such a breach based on three organizational risk factors and four compliance risk factors. These estimates produce a risk score that is then used to determine which of five levels of assessment a third party would be asked to complete. Organizations also have the flexibility to weight some factors more heavily than others when calculating the likelihood and impact of a third party's inherent risk, to reflect their specific risk tolerances.
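To illustrate the shape of such a scoring model (likelihood from five technical factors, impact from three organizational plus four compliance factors, optional per-factor weights, and a score banded into five assessment levels), here is an added example in Python. It is not HITRUST's own model: the factor names, the 1-to-5 rating scale, the product-of-means scoring and the level bands are all assumptions made for this example.

```python
from typing import Dict, Optional

# Placeholder factor names for this example; HITRUST's actual factor
# definitions and scales are not reproduced here.
TECHNICAL = ["access_method", "processing", "storage", "transmission", "disposal"]
ORGANIZATIONAL = ["data_sensitivity", "data_volume", "business_criticality"]
COMPLIANCE = ["hipaa_exposure", "state_breach_law", "contract_penalties", "regulatory_scrutiny"]
ALL_FACTORS = TECHNICAL + ORGANIZATIONAL + COMPLIANCE


def weighted_mean(ratings: Dict[str, int], factors, weights: Dict[str, float]) -> float:
    """Weighted mean of the 1..5 ratings for one factor group (default weight 1.0)."""
    total = sum(weights.get(f, 1.0) for f in factors)
    return sum(ratings[f] * weights.get(f, 1.0) for f in factors) / total


def triage(ratings: Dict[str, int], weights: Optional[Dict[str, float]] = None) -> dict:
    """Likelihood from technical factors, impact from organizational + compliance
    factors; their product (1..25) is banded into an assumed assessment level 1..5."""
    weights = weights or {}
    missing = [f for f in ALL_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing ratings: {missing}")
    bad = [f for f in ALL_FACTORS if ratings[f] not in range(1, 6)]
    if bad:
        raise ValueError(f"ratings must be integers 1..5: {bad}")
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    likelihood = weighted_mean(ratings, TECHNICAL, weights)
    impact = weighted_mean(ratings, ORGANIZATIONAL + COMPLIANCE, weights)
    score = likelihood * impact                  # 1.0 .. 25.0
    level = min(5, 1 + int((score - 1) // 5))    # assumed bands, 5 points wide
    return {"likelihood": round(likelihood, 2), "impact": round(impact, 2),
            "score": round(score, 2), "level": level}


# Constructed sample: a cloud-hosted claims processor holding regulated health data.
SAMPLE_VENDOR = {
    "access_method": 4, "processing": 5, "storage": 5, "transmission": 4, "disposal": 3,
    "data_sensitivity": 5, "data_volume": 4, "business_criticality": 3,
    "hipaa_exposure": 5, "state_breach_law": 4, "contract_penalties": 3, "regulatory_scrutiny": 4,
}

if __name__ == "__main__":
    print(triage(SAMPLE_VENDOR))                                # unweighted
    print(triage(SAMPLE_VENDOR, {"access_method": 3.0}))        # access weighted 3x
```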

"This risk triage methodology, another component in HITRUST's comprehensive approach, helps organizations determine their risk management priorities when assessing the risk their third-party business partners present," says Dr. Bryan Cline, Vice President, Standards and Analysis, HITRUST. "With limited resources, this process determines how much assurance organizations need from a supplier to ensure they're managing information risk and compliance."

The HITRUST TPA Risk Triage Methodology can be found at https://hitrustalliance.net/risk-triage/

HITRUST will be an exhibitor (booth #1287) at HIMSS 2019 in Orlando, February 11-14, where our experts will be available to discuss the HITRUST TPA Risk Triage Methodology and will be presenting on HITRUST Third-Party Assurance, the HITRUST Journey to Certification and the HITRUST Assessment XChange™.

In addition, HITRUST will be hosting a webinar on Tuesday, March 19 from 12 noon to 1 p.m. (CDT) to discuss how to implement the HITRUST TPA Risk Triage Methodology. Registration here.

About Provider Third Party Risk Management (TPRM) Council

The Provider TPRM Council represents chief information officers from leading health systems and hospitals striving to share best practices in managing third-party risk to deliver on their organizations' mission of safeguarding sensitive information. For more information, visit https://provider-tprm.org/.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain. In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis and resilience.

HITRUST actively participates in many efforts in government advocacy, community building, and cybersecurity education. For more information, visit www.hitrustalliance.net.
