
HITRUST has championed programs to help organizations across the globe protect sensitive information and manage risks since 2007. Organizations, small to large, depend on HITRUST to demonstrate trust and gain reliable assurances from third-party vendors.

But what is it that makes HITRUST unique?

HITRUST differentiators

The core foundation of HITRUST assessments and programs is its framework, the HITRUST CSF. The CSF harmonizes over 50 standards and frameworks, offering transparency and consistency. Eligible organizations can download the CSF for free from the HITRUST website.

Over the years, HITRUST has innovated to enhance its offerings and keep up with the evolving landscape. It began with just one assessment type but now offers three assessment options (e1, i1, and r2). These assessments have nested controls within the CSF that allow organizations to move from one assessment to the other without losing their previous work. This leads organizations on a path to achieve more comprehensive certifications.

There are many other innovative HITRUST offerings such as the HITRUST Shared Responsibility and Inheritance Program. Organizations can save time and effort by inheriting controls from their own past assessments or those of their vendors, such as cloud service providers.

But there’s more that makes the HITRUST CSF unique. The CSF is cyber threat adaptive, unlike other compliance frameworks. What does that mean and how does HITRUST achieve that?

Cyber threat-adaptive HITRUST framework

The threat landscape keeps evolving. The advent of new technologies introduces new threats. Organizations need to be on a constant lookout to identify and address emerging threats. It becomes challenging for them to deploy their resources to do this constantly due to competing priorities and business targets.

That’s why the HITRUST team uses real-time threat intelligence data to monitor threats and understand associated mitigations from the industry-standard MITRE ATT&CK Framework. The HITRUST team assesses the severity of new, emerging threats and updates applicable controls accordingly. When a threat is high risk, it immediately updates and releases a new version of the CSF. The next scheduled release of the CSF, which is usually less than a year away, accommodates lower risks and informational techniques of note.

More comprehensive assessments like the i1 and r2 offer threat-adaptive coverage. The HITRUST team checks the controls for the i1 assessment. This ensures that the r2 assessment also offers coverage for new threats, because the r2 covers all 182 controls of the i1.

Leveraging MITRE ATT&CK

The MITRE ATT&CK Framework is a knowledge base used worldwide across multiple industries and disciplines as a standard way to categorize adversary and defense behavior. MITRE associates defense mitigations with identified attack techniques to protect against adversary activity. HITRUST maps these mitigations to the CSF control base and uses live adversarial data to stay on the cutting edge of protection.

HITRUST maps MITRE’s mitigations to the i1 assessment requirements to ensure appropriate coverage exists when implemented. No significant technique has ever been missing from the HITRUST controls. The CSF versions 11.2 and 11.3 cover 100% of addressable Tactics, Techniques, and Procedures (TTPs) included in the MITRE ATT&CK Framework.

Collaboration with Microsoft

HITRUST uses Microsoft's threat intelligence data and generative AI technology to identify and analyze the latest threats instantly. Microsoft Defender Threat Intelligence helps HITRUST expose and eliminate modern cyber threats. It tracks over 65 million signals every day, automates detections, and investigates emerging threats.

HITRUST also integrated the Microsoft Azure OpenAI Service for advanced AI and accelerated analytical capabilities. This collaboration enables HITRUST to enhance the accuracy and timeliness of its framework updates while addressing upcoming cyber threats.

Constant updates to the HITRUST framework

The HITRUST CSF is a living framework. Most compliance frameworks are updated every three to four years, as the organizations behind them react after a threat becomes prominent. But HITRUST is agile and stays ahead of the game. It stays proactive by being cyber threat adaptive. The HITRUST framework is updated constantly and published regularly. HITRUST releases new versions of its framework around twice every year. It may release newer versions sooner if indicated by the threat data.

To stay ahead of emerging threats, download the latest version of the HITRUST framework.
