Cyber security in health care
09/17/2018
Tufts Medical Center and seven other trusted hospital brands joined forces today to require third-party vendors to adopt standard cyber security measures and achieve certification to demonstrate their products and services are safe and secure for use in hospitals or other patient care settings. Tufts Medical Center, along with its Wellforce partners, and Cleveland Clinic, University of Florida Health, UPMC, Allegheny Health Network and University of Rochester Medical Center have teamed up to collaboratively define, adopt, and promote standards for vendors whose equipment or services interact with patients and their personal information. The group, named the Provider Third Party Risk Management Council, will begin requiring certification for these types of vendors within the next 24 months.
“We have seen an increase in threats by cybercriminals, compromising the networks and systems purchased by hospitals through third parties. As health information technology continues to move to the Cloud and the role of third parties grows, these threats will increase. We must insist patients and their information are guarded under the best programs available,” said Taylor Lehmann, Chief Information Security Officer at Wellforce and Tufts Medical Center. “Through the Council and our third parties, we will build a more secure and safer healthcare system and one that will benefit every hospital and third party across the industry – regardless of their size or sophistication.”
Most providers and hospital systems already use a set of information security standards when evaluating whether a third party is qualified to receive patient information. Those standards can range widely, and can lead to many hours or days of work on both sides as they try to come to an understanding of security protocols. Vendors often undergo many different evaluation processes across the health care systems they are looking to do business with. The Council is looking to address that issue as well.
“Having all of the third parties who receive information about our patients get certified with the same framework means we can stop this waste, give our vendors a clear message on what is required, and improve our processes to investigate and monitor the security of any given platform,” said John Houston, Esq. and Chief Information Security Officer at UPMC, a Council member. “If a third party provides a certificate showing it has met these requirements, we are more assured that theirs is an acceptable product with no further verification needed.”
Regulations and consumer expectations around protection of health records continue to change. For example, nearly every state has different requirements when a data breach occurs. In addition, many states are adopting specific security and privacy rules which complement a myriad of existing federal laws. The complexity of the laws, regulations, and standards an organization needs to comply with is overwhelming. The Council has partnered with the HITRUST Assurance Program, which provides guidance and is a certifying body, to guide vendors through this process.
While the Council announced its intentions today, third parties looking to learn more should visit http://provider-tprm.org and e-mail info@provider-tprm.org.