Date: 2023-03-22

Information security leaders from Pittsburgh-based UPMC and Burlington, Mass.-based Tufts Medicine told Becker's they're fighting data breaches by working together.

They recently joined a consortium with six other health systems aimed at better assessing and managing third-party cybersecurity risk. The Health 3rd Party Trust Initiative and Council uses HITRUST IT security standards.

"If each third party hears from one of us or hears from us independently, they may say, 'Yeah, but I'm not interested in pursuing this,'" said John Houston, vice president of information security and privacy for UPMC. "When a whole bunch of us comes together as a group and says, 'The stakes are high in healthcare, if you want to do business with us, the big players, you need to be HITRUST-certified, you need to do these things to satisfy our concerns.'

"As a consortium we're much stronger, and we can get that message across in a more forceful way."

Healthcare had the most third-party data breaches of any industry in 2022, accounting for more than a third of them, according to cybersecurity researcher Black Kite. "If I look back at my own organization, almost everything we see is third-party related," Mr. Houston said. "It's by far the biggest risk we see."

With so many IT activities going to the cloud, many of these vendors offer software products health systems can't get anywhere else. But a lot of them are small and don't have much cybersecurity muscle.

Mr. Houston said using an independent vetting process like HITRUST "moves the needle" in terms of cyber confidence.

"My organization is HITRUST-certified," said Brian Cayer, chief information security officer of Tufts Medicine. "I've put an enormous amount of effort and stock into doing that for myself. So I drink my own Kool-Aid. I eat my own dog food. I'm not going to tell people to do something I don't do because I know what the value is to me."

He said third-party risk is one of the "top three" things that keep him up at night as a CISO.

"We're all going down the same path and are all like-minded individuals who have said, 'We work better together,'" Mr. Houston added.