HITRUST Threat Catalogue FAQs
How often will the HITRUST Threat Catalogue be updated?
We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.
What would prompt HITRUST to issue additional HITRUST CSF implementation guidance?
A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.
How will HITRUST use threat intelligence to update the control specifications in the HITRUST CSF?
The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.
How does threat intelligence linked to the HITRUST CSF help me better protect sensitive information?
By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and emerging threats by evaluating how well they’ve implemented related HITRUST CSF controls in their environment. Moreover, leveraging threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications will allow organizations to determine likelihood and impact in order to further tailor their information protection program and manage their risk.
Will the HITRUST Threat Catalogue help me with HIPAA compliance?
By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]” (HIPAA § 164.308(a)(1)(ii)(A)) and “protect[ion] against any reasonably anticipated threats or hazards to the security or integrity of [such information]” (HIPAA § 164.306(a)(2)). Today, HITRUST does this by tailoring an industry-level overlay of the NIST SP 800-53 moderate-impact minimum security baseline and leveraging the risk assessments used to develop the HITRUST CSF’s underlying frameworks. The HITRUST Threat Catalogue will help provide an additional level of granularity by showing the relationship between the control requirements specified in the HITRUST CSF with a list of ‘reasonably anticipated threats.’
- HIPAA Administrative Simplification Regulation Text, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
- NIST SP 800-30 r1, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
- HHS Guidance on Risk Analysis Requirements under the HIPAA Security Rule, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
How does the HITRUST Threat Catalogue help me perform a risk analysis?
By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP 800-53, and PCI-DSS, as well as support other types of risk analyses. For example, organizations will be able to support further tailoring of the HITRUST CSF control baseline generated from its organizational, system and regulatory risk factors by (1) addressing any additional or unique threats or vulnerabilities it may have, which may not be addressed by a HITRUST CSF control requirement in the HITRUST Threat Catalogue, (2) supporting the appropriate and allowable selection of alternative or compensating controls that are not contained in the HITRUST CSF, and/or (3) the removal or relaxation of specific control requirements in its baseline to help ensure the most cost-effective, risk-based application of the HITRUST CSF to its business and clinical environment.
- ISO/IEC 27002:2013, available at http://www.iso.org/iso/catalogue_detail?csnumber=54533
- NIST SP 800-53 r4, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
How will the HITRUST Threat Catalogue evolve over time?
HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include modifying the threat list, enumerating common vulnerabilities, relating Indicators of Compromise (IOCs), and of course updating control requirements as they change with each HITRUST CSF release.
Will all the threats to personal data be listed in the HITRUST Threat Catalogue?
The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the HITRUST CSF. Intelligence generally specifies threats at a much more granular level.
When will cyber threat intelligence be linked to the threats in the catalogue?
Once the mappings between threats and HITRUST CSF controls are completed, HITRUST will begin exploring ways to relate these mappings to the more granular threats identified in active threat intelligence. HITRUST anticipates this work will begin in Q2CY2019.
Can I get involved in the working group and, if so, how?
The HITRUST Threat Catalogue is currently overseen by the HITRUST CSF Advisory Council and is supported by a dedicated Working Group (WG) to help continue the development and maintenance of the HITRUST Threat Catalogue. Although the WG is not currently accepting new members, professionals with experience in risk analysis, including threat analysis, and the implementation of control-based risk management frameworks in support of information security and privacy programs may volunteer and be put on a waiting list by signing up on the Working Group Sign-Up page. HITRUST is also establishing a process to allow individuals to contribute threat information and associated metadata, which may be considered for inclusion in the Catalogue.
How does the HITRUST Threat Catalogue make the HITRUST CSF better or improve its ability to help manage risk?
Taken together, the HITRUST Threat Catalogue and HITRUST CSF allow security and privacy practitioners to confidently provide their senior executives, boards, trading partners, customers, and other third parties the necessary assurances that the organization is adequately and appropriately managing its risk exposure, with an appropriate breadth and depth, to an appropriate level of rigor, and in an appropriate order.
Additionally, the HITRUST Threat Catalogue enables organizations to identify common threats which are associated with multiple control requirement deficiencies, giving priority to those which provide them the greatest benefit in terms of risk reduction/threat coverage for a single investment.
Why did HITRUST map the threats to HITRUST CSF v10 and not the CSF v9.x?
HITRUST is developing the Threat Catalogue as part of the upcoming HITRUST CSF v10 release anticipated in Q1/Q2 2019. The Nov 2018 early release is being provided to the user community as part of a concerted effort to elicit feedback from the public and further facilitate the development effort. However, mappings from the CSF v10 controls to CSF v9.x are also provided in the Threat Catalogue to ensure users can take immediate advantage of the threat list and associated threat-to-control mappings in their current information security and privacy protection programs.
How do I explain the HITRUST Threat Catalogue™ to my executives?
The HITRUST Threat Catalogue is a comprehensive list of threats, including events, sources, actions, or inactions that could potentially lead to harm to your organization’s information assets. HITRUST’s Threat Catalogue allows organizations to pursue their program development, assessment, and/or validation approach based on the threats to which they are exposed and provides a mapping to the HITRUST CSF® control specifications intended to provide risk mitigation. This is particularly useful for organizations that already have a program in place and seek to enhance their maturity or posture in targeted areas.