
Cyber security in health care

Tufts Medical Center and seven other trusted hospital brands joined forces today to require third-party vendors to adopt standard cyber security measures and achieve certification demonstrating that their products and services are safe and secure for use in a hospital or other patient care setting. Tufts Medical Center, along with its Wellforce partners, Cleveland Clinic, University of Florida Health, UPMC, Allegheny Health Network and University of Rochester Medical Center, has teamed up to collaboratively define, adopt, and promote standards for vendors whose equipment or services interact with patients and their personal information. The group, named the Provider Third Party Risk Management Council, will begin requiring certification for these types of vendors within the next 24 months.

“We have seen an increase in threats by cybercriminals, compromising the networks and systems purchased by hospitals through third parties. As health information technology continues to move to the Cloud and the role of third parties grows, these threats will increase. We must insist patients and their information are guarded under the best programs available,” said Taylor Lehmann, Chief Information Security Officer at Wellforce and Tufts Medical Center. “Through the Council and our third parties, we will build a more secure and safer healthcare system and one that will benefit every hospital and third party across the industry – regardless of their size or sophistication.”

Most providers and hospital systems already use a set of information security standards when evaluating whether a third party is qualified to receive patient information. Those standards vary widely, and reconciling them can take many hours or days of work on both sides as they try to come to an understanding of security protocols. Vendors often undergo many different evaluation processes across the health care systems they are looking to do business with. The Council is looking to address that issue as well.

“Having all of the third parties who receive information about our patients get certified with the same framework means we can stop this waste, give our vendors a clear message on what is required, and improve our processes to investigate and monitor the security of any given platform,” said John Houston, Esq. and Chief Information Security Officer at UPMC, a Council member. “If a third party provides a certificate showing it has met these requirements, we are more assured that theirs is an acceptable product with no further verification needed.” 

Regulations and consumer expectations around protection of health records continue to change. For example, nearly every state has different requirements when a data breach occurs. In addition, many states are adopting specific security and privacy rules which complement a myriad of existing federal laws. The complexity of the laws, regulations, and standards an organization needs to comply with is overwhelming. The Council has partnered with the HITRUST Assurance Program, which provides guidance and is a certifying body, to guide vendors through this process.

While the Council announced its intentions today, third parties looking to learn more should visit and e-mail