By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations and with the HIPAA Security Rule, which requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]” (HIPAA § 164.308(a)(1)(ii)(A)) and “protect[ion] against any reasonably anticipated threats or hazards to the security or integrity of [such information]” (HIPAA § 164.306(a)(2)). Today, HITRUST does this by tailoring an industry-level overlay of the NIST SP 800-53 moderate-impact minimum security baseline and leveraging the risk assessments used to develop the HITRUST CSF’s underlying frameworks. The HITRUST Threat Catalogue will provide an additional level of granularity by showing the relationship between the control requirements specified in the HITRUST CSF and a list of ‘reasonably anticipated threats.’
- HIPAA Administrative Simplification Regulation Text, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf.
- NIST SP 800-30 r1, available at http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf.
- HHS Guidance on Risk Analysis Requirements under the HIPAA Security Rule, available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf.