FoxPointe Security Hub

HITRUST Third Party Risk Management Methodology

HiTrust Assessor Logo

Third Party Risk Management

HITRUST puts on regular webinars to help educate individuals on the components, tools, and programs offered by the organization. As a HITRUST CSF Assessor, we make it a point to attend these webinars to stay up-to-date on the latest information. The webinar I listened to on 12/11 covered HITRUST’s Third Party Risk Management (TPRM) Methodology and below is a quick overview.

The Third Party Risk Management Methodology is a formal approach to effective and efficient management of the risk incurred from third-party relationships in which sensitive information is shared. Overall, it has six main steps as follows:

Initiate: Formally start an assessment

Collect: Gather information to determine inherent risk specific to a given relationship

Qualify: Then, evaluate residual risk for a specific relationship

Accept: Formally accept those residual risks

Select: Select the third-party (or decide to continue working with an established vendor) or determine it is too risky

Monitor: Ongoing monitoring of residual risk

The above are common to many risk management programs but many organizations do not have an approach that can be managed out of one space and through one type of questionnaire that can be generated/modified for different vendors depending on service offering, size, or risk exposure.

The HITRUST Assessment XChange® (XChange), which is a subsidiary of HITRUST, helps streamline and simplify third party risk management by providing organizations with tools, methodologies, and services to qualify for potential business relationships. The XChange is built on the foundation of the Third-Party Risk Management Qualification Methodology which is industry agnostic and is completed via an innovative platform (the XChange Manager) that helps automate and manage all vendors at all risk levels.

Please reach out to me at if you have any questions on HITRUST and how it may be a fit for your organization.

For more detail on TPRM and a full list of upcoming and recorded webinars, please visit the HITRUST website. HITRUST can also provide the detail needed for an organization to join the XChange program.