The Health Information Trust Alliance (HITRUST) has released its threat catalogue, which provides healthcare organizations and other firms with visibility into cyber risks to their information, assets, and operations.
The HITRUST threat catalogue identifies technical, physical, and administrative controls to address these risks and improve an organization’s ability to manage threats and prioritize security resources.
HITRUST explained that identifying threats is an important part of a comprehensive risk analysis process to protect sensitive data, such as PHI.
The threat identification process determines what cyber events must be controlled by the organization. For example, the increased frequency of ransomware attacks requires organizations to re-examine their controls around data backup and restoration and ensure they could successfully recover their data if such an attack occurred.
“Unfortunately, a comprehensive threat list that could support risk analysis and help organizations better understand and mitigate threats to sensitive information was essentially unavailable,” said HITRUST VP of Standards and Analytics Bryan Cline. “Given its significance to the risk management process, we invested years identifying a complete set of threats at a level consistent with the controls used to address them.”
HITRUST said the catalogue is designed to align cyberthreats with the HITRUST CSF control requirements. The HITRUST CSF provides organizations with a structured, comprehensive approach to regulatory compliance and risk management.
The alignment of threats to the HITRUST CSF simplifies the risk analysis process for organizations and reduces some of the burden and costs associated with this level of analysis, HITRUST explained.
The threat catalogue also maps to other cyberthreat lists, such as NIST Special Publication 800-30, Guide to Conducting Risk Assessments, and the European Union Agency for Network and Information Security’s Threat Taxonomy.
In fact, the HITRUST CSF was selected by the Provider Third Party Risk Management Council as its security standard. The council was recently launched by a group of healthcare CISOs to improve the security of the healthcare supply chain.
CISOs from Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, University of Pittsburgh Medical Center, Vanderbilt University Medical Center, and Wellforce/Tufts University got together to form the council.
“Our patients expect us to not only deliver robust healthcare to keep them healthy, but also to preserve the trust they have in us by safeguarding their sensitive data,” said Allegheny Health Network and Highmark Health VP and CISO Omar Khawaja.
“When our patients’ sensitive data is shared with our third parties, it’s important that we have adequate controls in place. By aligning our third parties’ controls to HITRUST CSF, a leading industry framework that evolves with the changing cyber landscape, our customers feel more confident their sensitive data is in good hands,” he added.
The council decided to use the HITRUST CSF because it is the “best” for safeguarding sensitive information and managing information risk throughout the third-party supply chain, related Wellforce CISO Taylor Lehmann.
Earlier this year, HITRUST launched a certification program for the NIST Cybersecurity Framework. The program is designed to make it easier for security teams to report framework implementation to upper management, business partners, and regulators.
The certification program has two parts. First, HITRUST has developed a scorecard for describing how an organization’s security program maps to the NIST CSF’s core subcategories.
Second, HITRUST is offering an assurance certification that verifies that an organization is meeting the NIST CSF requirements and controls, explained HITRUST CEO Daniel Nutkis.
Nutkis related that 80 percent of hospitals and insurance companies employ the HITRUST CSF.
Using the HITRUST CSF, organizations can view their information privacy and security program against the HIPAA Security and Privacy Rules, NIST Cybersecurity Framework, the EU’s General Data Protection Regulation, ISO 27001, PCI DSS, AICPA Trust Services Criteria, and SOC 2, HITRUST explained.