Having a stronger understanding of cybersecurity risk management is a key way for healthcare organizations to view potential risk areas and keep data secure, according to the Health Information Trust Alliance (HITRUST).
That was a driving factor behind HITRUST’s recent Threat Catalogue, which is designed to help healthcare organizations improve their information security posture and gain better organizational visibility into threats.
“The HITRUST Threat Catalogue enhances the underlying risk analyses used to develop the HITRUST CSF and helps ensure the HITRUST CSF and CSF Assurance Program continue to remain current and relevant risk-based solutions—critical elements given today’s ever-dynamic threat environment,” HITRUST explained in a statement. “The HITRUST Threat Catalogue
The Threat Catalogue will also help organizations use the HITRUST CSF to face risks that may affect organizational, system, and regulatory factors.
Conducting a thorough risk assessment is a HIPAA Security Rule requirement, and a way for healthcare organizations to see potential ePHI vulnerabilities. The likelihood of potential risks must be evaluated, and then appropriate security measures to address those risk areas must be put in place. The security measures must also be properly documented.
“Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI,” HHS states on its website.
The following four factors are what HHS uses to determine the likelihood that PHI was inappropriately used or disclosed:
- What is the nature of the information involved?
- Who is the authorized person responsible?
- Was PHI actually acquired or viewed?
- To what extent has the risk to PHI been mitigated?
The HITRUST Threat Catalogue can assist organizations in the HIPAA risk analysis and also help entities facilitate other risk analyses. For example, organizations can create a control baseline unique to their needs. A more targeted risk analysis for evaluating alternate or compensating controls can also be a benefit, according to HITRUST.
The Catalogue is being developed and maintained in conjunction with a new HITRUST Working Group, which will ensure the Catalogue stays focused on several key tasks.
First, the Catalogue will identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI.
The Working Group will also ensure the new tool enumerates all reasonably anticipated ePHI threats for a general healthcare organization.
All HITRUST CSF control requirements will be properly mapped to the enumerated threats.
Finally, the Threat Catalogue will identify any additional information in future Catalogue iterations to help meet its objectives.
“Most organizations do not possess the skill sets necessary to truly identify ever-changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required,” Roy Mellinger, vice president of IT and chief information security officer at Anthem and a governing chair of the Working Group, said in a statement. “The HITRUST Cyber Threat Catalogue takes the guesswork out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls, and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required.”
Properly monitoring cybersecurity risk is an area of data security that healthcare organizations cannot ignore. Utilizing various frameworks, in addition to HIPAA regulations, can help ensure that sensitive data does not fall into the wrong hands.
The National Institute of Standards and Technology (NIST) recently released an updated draft version of its own Cybersecurity Framework.
Healthcare is one of many industries that have adopted the Framework to create stronger cybersecurity measures.
The updated version is meant “to refine and enhance the original document and to make it easier to use,” Matt Barrett, NIST’s program manager for the Cybersecurity Framework, said in a statement. “This update is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”