Guest post contributed by: Kamal Govindaswamy, CISSP, CIPP/US, CCSP, Principal, RisknCompliance Consulting Group
I have written my opinion about the HITRUST CSF/RMF and the HITRUST certification mandate, starting with my first open letter to the HITRUST Alliance last fall and continuing in my second and third letters.
More recently, I have been thinking about an alternative approach to the HITRUST certification mandate for Third Party Risk Management (TPRM) in healthcare. I’ll be publishing the details within the next few days.
For now, here is a preview of ten reasons why I think the proposal will be a simpler and better alternative to the HITRUST certification mandate.
- Focus on what matters. Shifts focus from means (controls and assessments or audits) to outcomes in risk management through verification of meaningful risk management objectives.
- Ownership and Accountability. Elevates ownership and accountability for demonstration of risk management outcomes at the Business Associates (BAs).
- Avoids foundational flaws with the HITRUST CSF/RMF frameworks and approaches. Helps stay clear of the flaws I discussed in my first and second letters to the HITRUST Alliance.
- Avoids flaws with the administration of the HITRUST certification process and mandate. Helps stay clear of the issues with competencies, skill sets, conflicts of interest and other problems related to the mandate that I discussed in my first and third letters.
- Avoids expensive overheads. Helps avoid unnecessary and expensive overheads in terms of money, time and resources associated with certifications and recertifications.
- Avoids compliance and audit mindsets. Helps move mindsets from one of compliance to actual risk management and verifiable demonstration of outcomes through evidence and artifacts.
- Improves effectiveness and sustainability of vendor risk management programs both for customers (Covered Entities or upstream BAs) and vendors (BAs or downstream BAs).
- Promotes Business-As-Usual (BAU) security risk management through day-to-day monitoring of PHI access and periodic reporting of outcomes by the vendors.
- Avoids potential (perceived or real) violation of standards development principles that HITRUST CSF/RMF and the certification mandate might be scrutinized for.
- Avoids potential (perceived or real) antitrust or anti-competitive issues the mandate might be scrutinized for.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.