As the healthcare sector races to adopt AI-powered tools and manage an ever-expanding web of third-party vendors, the question of how to measure and govern that risk has never been more pressing. Jason Kor of HITRUST joins Sean Martin to unpack what the numbers reveal about supply chain exposure -- and why the next blind spot may already be embedded in software you use every day.
Third-party risk is no longer a background concern for healthcare organizations -- it is a frontline challenge. Jason Kor, Principal at HITRUST, works on the company's third-party risk management team, helping enterprises understand the security risk embedded in their supply chains. The numbers tell a stark story: according to SecurityScorecard, 99% of the world's 2,000 largest companies are actively connected to a vendor that has experienced a breach in the past 18 months. And Verizon's Data Breach Investigations Report shows that the share of breaches tied to a third party has doubled year over year. HITRUST exists precisely to help organizations move from awareness to action.
HITRUST will be at HIMSS 2026 in Las Vegas, March 9-12, at Booth 11307. Stop playing whack-a-mole with vendor risk -- step into the VR challenge and win prizes. For organizations already holding a HITRUST certification, the team has something else waiting: a trophy recognizing the commitment to independent, external audits and rigorous security standards. For those exploring certification for the first time, the booth is a chance to understand how HITRUST compares to alternatives like SOC 2 questionnaires -- and why scalability and risk reduction make it the stronger choice for supply chain assurance. Kor puts it plainly: the audits are time-consuming and expensive because they are effective. And at the end of the process, someone reads that report and makes real business decisions based on what it contains.
Two major themes converge at this year's event: supply chain risk and AI. HITRUST has already launched an AI security assessment offering, and new CSF releases are on the horizon, including a report center feature enabling online review of assessments for anti-fraud and continuous monitoring purposes. On Tuesday, March 10, 2026, from 11:10 AM to 11:30 AM, Kor will deliver a 20-minute session titled "Understanding AI Security Risk -- The New Blind Spot in TPRM and Supply Chain Resilience." The session addresses a rapidly evolving challenge: as organizations build their own generative AI tooling -- or work with third parties that have integrated AI into their products -- questions around data sovereignty, input handling, and model provenance become critical, especially in healthcare where electronic health information is at stake.
Also on the HIMSS 2026 agenda from HITRUST: Ryan Patrick, Executive Vice President of TPRM Customer Solutions, joins John P. Houston of UPMC and Chuck Christian of Franciscan Health for a Brunch Briefing titled "Building Secure, Compliant, and Resilient Healthcare Systems Together" on Tuesday, March 10, 2026, from 10:30 AM to 11:45 AM at Level 1, Casanova 505. The session offers practical strategies, frameworks, and real-world lessons for organizations looking to reduce risk, enhance protection, and advance trust in an evolving threat and regulatory landscape.
This is a Brand Spotlight. A Brand Spotlight is a ~15 minute conversation designed to explore the guest, their company, and what makes their approach unique. Learn more: https://www.studioc60.com/creation#spotlight
GUEST
Jason Kor, Principal, HITRUST
https://www.linkedin.com/in/securityconsultantcissp/
RESOURCES
HITRUST: https://hitrustalliance.net
Jason Kor Session -- Understanding AI Security Risk -- The New Blind Spot in TPRM and Supply Chain Resilience (Tuesday, March 10, 2026, 11:10 AM - 11:30 AM): https://app.himssconference.com/event/himss-2026/planning/UGxhbm5pbmdfNDMyMTMxOA==
Building Secure, Compliant, and Resilient Healthcare Systems Together -- Brunch Briefing (Tuesday, March 10, 2026, 10:30 AM - 11:45 AM): https://app.himssconference.com/event/himss-2026/planning/UGxhbm5pbmdfNDMzNzQwMQ==
HIMSS 2026 Global Health Conference and Exhibition: https://www.itspmagazine.com/cybersecurity-technology-society-events/himss-global-health-conference-amp-exhibition-2026
Tackling Third-Party Risk and AI Security in Healthcare | A Brand Spotlight Conversation with Jason Kor, Principal of HITRUST
[00:00:09] Sean Martin: And hello everybody. You're very welcome to a new Brand Spotlight here and, uh, today I have the pleasure of chatting with Jason Kor from HITRUST. How are you, Jason?
[00:00:22] Jason Kor: Hey, good. How you doing?
[00:00:24] Sean Martin: Very good. It's good to see you again. We crossed paths a few years back and, uh, it's good to catch up and see you're working with the HITRUST team.
[00:00:34] Jason Kor: Yeah, I agree. It's been, uh, it's been a long time in the assessor and consulting side of things and, you know, believed in the program and always loved what HITRUST has to offer. So here I am.
[00:00:46] Sean Martin: There you are, you're living the dream and you get to go to Vegas for HIMSS 2026. Lucky you.
[00:00:54] Jason Kor: Yeah, yeah, that's right.
[00:00:56] Sean Martin: It's gonna be a good event. Uh, we're having a few conversations around the event and, uh, yeah, I think the healthcare space is one that I particularly like. Why? Because we all need to be healthy and, uh, equally so the programs that drive healthcare need to be healthy as well. And that's where HITRUST comes in to help ensure that the exposure is managed and the risk is controlled and the controls are in place to let patients get the proper care they need. And the practitioners don't have to worry about all the system stuff. They can focus on the patient. Um, maybe a quick word for me, Jason, about your role at HITRUST and then we'll get into what you guys will be doing at HIMSS, and I think you're talking there as well, so we'll touch on that too. So, quick word about your role.
[00:01:50] Jason Kor: Yeah. So, I work on our third party risk management team. We work with enterprises, uh, to help understand the security risk that they incur through their supply chain and, um, you know, the threat landscape is changing rapidly, and we've got a number of metrics and reports that tell us where the biggest risk lies. And right now, if you look at the cybersecurity space and some of the most complex enterprises in the world, um, they're worried about third party risk management. Um, a couple of headline stats -- one report from SecurityScorecard showed 99% of the 2000 biggest companies in the globe are actively connected to a vendor that's been breached in the recent 18 months. The other headline statistic is from Verizon's breach report, favorite of all of ours in cybersecurity. And it shows that the portion of breaches caused by a third party has doubled year over year. Uh, it's a real challenge and we're all figuring out how to grapple with some of these risks. And the first part is understanding them. So how do you measure the security posture of the companies you work with? And that's what we're here to do.
[00:03:06] Sean Martin: Yep. I love it. So you do that across industry, across sectors. HITRUST got its roots in the healthcare space. So it's an area that the team is extremely familiar with and makes perfect sense that you're off to HIMSS to look at all things healthcare and information and security and privacy and third party risk and all the other good stuff. Um, what booth number is it? I think it's 11307. Right. And what are you gonna be doing in the booth?
[00:03:45] Jason Kor: Uh, yeah, well come by. Uh, we'll tell you what's going on at HITRUST, give you a sneak peek at some of the things that we're working on. Talk to you about the steam that we are gaining in the marketplace. Um, we'll have a VR challenge set up -- the exact details of which you'll have to come by and see for yourself, and I look forward to the conversation.
[00:04:06] Sean Martin: VR challenge. Um, what do you expect some of the conversations to sound like? Who -- you come across there, certainly security folks go to HIMSS, but you also have overall IT and ops and technology, I imagine business leaders as well, but who do you expect to have chats with at the booth?
[00:04:29] Jason Kor: Yeah, that's a good question. And especially here at HITRUST, we have such a complicated business model. We've got a lot of different customers that we serve, and so a lot of the folks that'll stop by are what we call assessed entities or MyCSF subscribers. These are people who undergo HITRUST audits, and it's every level of that organization. We love talking to security professionals, but making the decision to do something like this is usually an enterprise decision. Folks from sales want to have the credentials as they go to market. Folks in finance want to avoid the costs associated with the breach, et cetera. Uh, we also talk to our assessors. And they work closely with us and our valuable customers and -- the customer that I'm focused on the most, not that the others aren't important, they certainly are -- who I'd really like to talk to are those that sit down and read the report. Like at the end of the day, we go through these audits. Uh, they're time consuming, they're expensive. Um, and that's because they're effective and ultimately someone's gonna read it and make some business decisions based on what's in that report. So if you're a reader of the report, come find me.
[00:05:37] Sean Martin: That's excellent advice and, uh, yeah, I think there are plenty of reports that get generated and scores that get created that don't mean anything. And that's not the truth -- not the reality for HITRUST. I think if you go through the effort and put the effort in and go through the work, uh, you're gonna get a good result. May not be a good result, right? You may have stuff to work on, but the point is you're gonna know where you are and have really a solid view of what's going on within the organization. Um, a word for existing customers, something that makes it worthwhile for them to come by the booth. And maybe that could be an assessor or the assessed entities. Um, and then a word for organizations that are listening to this and not really certain -- do I need HITRUST or not. What do you tell them? Those two outings?
[00:06:39] Jason Kor: Come on by. Uh, if you're from a company that has undergone it and achieved a certification, we'll get you a trophy. Um, we've got a big box full of them for those companies that really put security first and have demonstrated it through their participation in HITRUST and willingness to undergo independent external audits. Um, and we can tell you a little bit more about the program and what's coming. We're really excited about our AI security offering that's out now. Uh, and we've got some new releases to the CSF coming up in the next couple of years. Uh, one really interesting feature is what we call our report center, um, which is a way to review HITRUST assessments online, which excites us for purposes like anti-fraud and continuous monitoring. Um, for those who don't have HITRUST, come by and learn what it's all about. Uh, we'd love to know more about your customers and what they're asking for and who or why you might be interested in pursuing HITRUST. Um, and the last group I'll give a shout out to is those companies that are struggling with their supply chain risk. Um, you might ask them for SOC 2, you might do a questionnaire. It might be time consuming, and we'd love to tell you why HITRUST is the most scalable and the most effective, ultimately, in reducing risk in your supply chain.
[00:08:06] Sean Martin: So you said two things now that seem to be coming up in nearly every conversation I have had in the last number of weeks. AI -- we can't escape it -- but also supply chain. And I know you're doing a talk there at HIMSS. It's on Tuesday, March 10th at 11:10 AM and it's 'Understanding AI Security Risk: The New Blind Spot in Third Party Risk Management (TPRM) and Supply Chain Resilience.' Let's mix AI and supply chain and third party risk, all in this game of fun. And so what's that talk about and who do you expect to be in the room with you?
[00:08:46] Jason Kor: Yeah. Uh, come on by. I think the talk appeals really to anyone with accountability for cybersecurity outcomes. Um, that could be a TPRM manager. It could be a CISO, it could be ops or finance or some of the other roles that we talked about. Um, and the gist of the conversation is this -- the technology landscape has changed rapidly and quickly over the last two or three years with the rollout of large language models and other generative AI solutions. Um, and it presents a new risk to the business. Uh, and those risks are diverse and we're just now starting to think about them. Um, I think kind of the entry level considerations around who's uploading what to ChatGPT. Um, but that's just a start, right? Um, we have controls to get on top of that. We know how to do URL filtering and endpoint monitoring and things like that. Um, the more sophisticated risk comes when we start to build our own generative AI tooling, or when we work with third parties that have introduced AI tooling into their software. So the other day I was using a SaaS app -- I won't name who it was -- and I got on and a chat bot popped up and offered a large language model to me. And I wonder, okay, well, we thought this was a good idea. What are they doing with the inputs? Who sees it? Does it go to AWS Bedrock or OpenAI or any of the other models? Is it even in the US, especially in healthcare where we worry about things like data sovereignty and electronic health information? How do we get our arms around that? And there are a number of solutions out there, but you'll have to come to the talk to learn.
[00:10:34] Sean Martin: Yeah, it's a wide space and I'm excited to hear how that goes and maybe we can have a deeper dive on that topic at some point. It's certainly an area that needs some attention. So hopefully folks can meet with you there. That's Tuesday, March 10th at 11:10. And of course, that's part of the overall HIMSS conference, the Global Health Conference and Exhibition in Las Vegas, March 9th through the 12th. And you can meet Jason and the HITRUST team at Booth 11307 during those few days there in Vegas. Jason, it's good to see you, good to chat with you.
[00:11:13] Jason Kor: Yeah. Great catching up. Thanks for having me.
[00:11:15] Sean Martin: Thanks everybody for listening to this Brand Spotlight. Uh, stay tuned for more and connect with the HITRUST team in Las Vegas at HIMSS. Take care.