How to Leverage HITRUST for Third-Party Risk Management

For organizations that rely on vendors, service providers, and strategic partners, third-party risk is one of the most persistent and difficult cybersecurity challenges. HITRUST helps solve that challenge by providing a standardized, scalable, and proven assurance framework to evaluate and trust third parties — without rebuilding your third party risk management (TPRM) process from scratch.

Is your organization managing third party risks effectively? Schedule a consultation to find out!

 

Third Party Risk Management with HITRUST

HITRUST certification is one of the best ways to cover all of an organization’s needs with respect to information security and compliance. But its benefits are not limited to just internal security; implementing HITRUST controls is also an excellent way to manage third party risks.

Understanding how HITRUST applies to TPRM requires appreciating:

• What TPRM is and what falls under its purview
• How the HITRUST framework applies to TPRM
• How HITRUST assessments apply to TPRM

Ultimately, the best way to leverage HITRUST for TPRM will depend on the specifics of an organization’s own technology ecosystem and that of its partners. Working with a compliance advisor or TPRM service provider is the best way to develop a strategy perfect for your needs.

 

Understanding Third Party Risk Management

Third party risk management is a systematic approach to identifying, mitigating, and neutralizing risks and risk factors associated with third party partnerships. As an organization grows and adds to its network of strategic partners, it assumes some amount of risk for each new entity that shares its information technology (IT) environment. Even if an organization has excellent security, working with a partner that isn’t as well-defended can compromise all parties involved.

To combat the inherent risks that come with merging organizations’ IT systems, TPRM monitors and addresses threats and vulnerabilities related to third parties as though they were part of the host organization’s own IT environment. This often means subjecting third party devices and software to the same kinds of restrictions and configurations as the organization’s own assets.

Another critical component of TPRM is compliance. Very often, organizations that are subject to regulatory requirements need to make assurances that their third party partners are compliant as well—or at least that they do not compromise the host organization’s compliance. For example, the Health Insurance Portability and Accountability Act (HIPAA) notoriously applies both to covered entities within healthcare and to their business associates. These third parties are contractually obligated to uphold HIPAA compliance for the duration of the partnership.

 

 

How the HITRUST Framework Applies to TPRM

The HITRUST CSF is an omnibus framework that harmonizes controls from a variety of authoritative sources into a robust, unified matrix of security. Across its 14 Control Categories, 49 Objective Names, 150+ Control References, and thousands of specifications, it covers all elements of cybersecurity and most compliance frameworks’ requirements. The approach is comprehensiveness and flexibility; organizations generally do not implement every single control and specification, but a selection thereof commensurate to their specific needs.

This includes accounting for and managing third party risks, both directly and indirectly.

On one level, there are specific areas within the CSF that explicitly refer to and safeguard against third party threats and vulnerabilities. And there are other controls that do not explicitly mention third parties but nonetheless do apply to concerns related to them. And, on another level, the entire HITRUST CSF framework can be leveraged for third party risk management when applying its concepts across assets and systems that are used in third party partnerships.

 

HITRUST CSF Controls Directly Related to TPRM

The most obvious way that organizations can leverage the HITRUST CSF for TPRM is by implementing its controls that directly relate to third parties. These requirements ensure that third party systems are secured alongside or in the same ways as an organization’s own.

Under Control Category 05, Organization of Information Security, there is one Objective for Internal Organization and another that requires stringent control over external parties:

• Objective Name 05.02: External Party Security

• • Control Reference 05.i: Identify Risks Related to External Parties
  • Control Reference 05.j: Address Security When Dealing with Customers
  • Control Reference 05.k: Address Security in Third Party Agreements

And, under Control Category 09, Communications and Operations Management, there is an Objective that explicitly calls for organizations to safeguard third parties’ service delivery:

• Objective Name 09.02: Control Third Party Service Delivery

• • Control Reference 09.e: Secure Service Delivery
  • Control Reference 09.f: Monitor and Review Third Party Services
  • Control Reference 09.g: Manage Changes to Third Party Services

Additionally, all requirements under Control Category 10, Information Systems Acquisition, Development, and Maintenance, ensure security for assets and services third parties deliver:

• Objective Name 10.01: Security Requirements for Information Systems

• • • Control Reference 10.a: Security Requirement Analysis and Specification

• Objective Name 10.02: Correct Processing Across Applications

• • • Control Reference 10.b: Validate Input Data
    • Control Reference 10.c: Control Internal Processing
    • Control Reference 10.d: Ensure Message Integrity
    • Control Reference 10.e: Validate Output Data

• Objective Name 10.03: Cryptographic System Controls

• • • Control Reference 10.f: Cryptographic Control Policy
    • Control Reference 10.g: Cryptographic Key Management

• Objective Name 10.04: Security across System Files

• • • Control Reference 10.h: Control Operational Software
    • Control Reference 10.i: Protect System Test Data
    • Control Reference 10.j: Control Access Program Source Code

• Objective Name 10.05: Security In Development and Support Processes

• • • Control Reference 10.k: Implement Change Control Procedures
    • Control Reference 10.l: Secure Outsourced Development

• Objective Name 10.06: Technical Vulnerability Management

• • Control Reference 10.m: Control Technical Vulnerabilities

Finally, there is a lone Control Reference under Control Category 13, Privacy Practices, that calls for organizations to implement “Privacy Requirements for Contractors and Processors.”

 

 

Other CSF Controls Indirectly Related to TPRM

It can be argued that every single control in the HITRUST CSF applies to third-party systems and risks. However, beyond the controls that directly mention third parties, there are some that touch on areas that are connected to TPRM through logistical and other complications.

One of the most complex Control Categories is 06, Compliance, and it is especially critical for TPRM because of strategic partners’ own regulatory burdens. Its requirements include:

• Objective Name 06.01L Compliance with Legal Requirements

• • • Control Reference 06.a: Identify Applicable Legislation
    • Control Reference 06.b: Protect Intellectual Property Rights
    • Control Reference 06.c: Protect Organizational Records
    • Control Reference 06.d: Protect Privacy of Covered Information
    • Control Reference 06.e: Prevent Misuse of Information Assets
    • Control Reference 06.f: Regulate Cryptographic Controls

• Objective Name 06.02: Compliance with Technical and Security Policies

• • • Control Reference 06.g: Comply with Security Policies and Standards
    • Control Reference 06.h: Confirm Technical Compliance Regularly

• Objective Name 06.03: Information System Audit Considerations

• • Control Reference 06.i: Implement Information System Audit Controls
  • Control Reference 06.j: Protect Information Systems and Audit Tools

Control Category 07, Asset Management, can also apply to TPRM, especially in cases where organizations share ownership of critical assets with third parties. The requirements are:

• Objective Name 07.01: Responsibility for Assets

• • • Control Reference 07.a: Create an Asset Inventory
    • Control Reference 07.b: Formalize Ownership of Assets
    • Control Reference 07.c: Determine Acceptable Asset Uses

• Objective Name 07.02: Information Classification

• • Control Reference 07.d: Develop Classification Guidelines
  • Control Reference 07.e: Implement Secure Labeling and Handling

Organizations may identify other HITRUST controls more relevant to TPRM, depending on their needs and the structure of their IT environment and third-party network. To determine the best fit, they should engage a trusted compliance advisor for expert guidance.

 

How HITRUST Certification Impacts TPRM

Implementation is not the only component of HITRUST that applies to TPRM. Organizations also need to conduct an assessment to achieve certification and lock in their security and compliance assurance—both internally and for any third-party systems that control impact. For organizations that evaluate vendors, HITRUST assessments offer a trusted, scalable assurance mechanism. Each assessment level—e1, i1, and r2—provides a clearly defined set of controls, transparent scoring, and rigorous third-party validation that supports procurement, onboarding, and ongoing risk monitoring.

At present, there are three formal assessments organizations can pursue:

• HITRUST e1 Assessments – These are one-year validated assessments that comprise 44 controls to ensure “Foundational Cybersecurity.” They’re intended for smaller, newer organizations seeking fundamental security across their own and their partners’ IT.

• HITRUST i1 Assessments – These are also one-year validated assessments, but they require 182 controls that reflect “Leading Security Practices.” They facilitate a rapid re-assessment for a second year (~60 controls), and they’re a middle ground ideal for growing organizations or those looking to expand their security apparatus efficiently.

• HITRUST r2 Assessments – These are robust, two-year verified assessments that feature up to 250 controls and hundreds of individual security specifications on average for “Expanded Practices.” They’re an excellent fit for large enterprises or organizations with extensive third party networks looking for the most rigorous security assurance. 

Organizations can use all three assessments—e1, i1, and r2—for TPRM. Each assessment includes relevant controls within your defined scope. This makes third-party risk management an integral part of certification. The assessments also establish a secure baseline. You can use this baseline to evaluate current and potential third-party partners—or require them to adopt it.

 

 

Addressing AI Risks Across Third Parties

As artificial intelligence (AI) and machine learning (ML) become more integrated across service providers’ offerings, managing AI risk is becoming more critical to TPRM and overall security. An organization can get ahead of these risks proactively by leveraging HITRUST assessments tailored to the specific dynamics of AI risk management and AI security for their TPRM.

There are two assessments organizations can conduct to safeguard against AI risks:

• AI Risk Management Assessments – These assessments measure up to 51 controls from the CSF to determine how effective an organization’s approach to risk management for AI-related risks is. They are not verified assessments, but they can identify strengths and weaknesses with respect to risks from third parties’ use of AI tools and systems.

• AI Security Assessments and Certification – These verified assessments use up to 44 controls to assure broad security across AI systems, including those used by and for third party partnerships. They can be added to any HITRUST-verified assessment (i.e., e1, i1, or r2) to provide additional assurance for AI-specific tools and risk factors.

Both assessments are effective for addressing third-party AI risks. However, the Security Assessment offers a unique advantage: inheritance. Organizations can securely inherit AI controls and configurations from third parties with HITRUST certification. This streamlines the process and eliminates the need for additional assessments.

 

Rethink Your TPRM Strategy Today

Ultimately, organizations seeking effective and efficient TPRM solutions should look no further than HITRUST implementation. Deploying controls and assessing for certification is one of the best ways to manage third party risks, both through controls specifically designed for them and others that address these risk factors indirectly. Implementing the HITRUST CSF maximizes the effectiveness of TPRM with a robust, unified system for information security and compliance.

RSI Security has helped countless organizations implement effective TPRM, both through targeted implementations of HITRUST and general program advisory guidance. Whether you’re a covered entity building your TPRM program or a vendor meeting HITRUST expectations, RSI Security can help. Our team includes certified HITRUST assessors and third-party risk professionals. We’ll help you implement a scalable, efficient, and trusted framework for vendor security assurance. RSI Security protects your data—and your partners’—by doing things the right way. Our experts help you rethink TPRM and cybersecurity to maximize effectiveness and efficiency.

To learn more about our HITRUST and TPRM offerings, contact RSI Security today!

 

Contact Us Now!