We anticipate updates to occur annually, shortly after each HITRUST CSF release, or when significant changes in the threat environment would warrant an interim release.

A HITRUST Implementation Advisory would be issued if there is additional clarification around how HITRUST CSF requirements should be implemented to effectively address one or more threats—or as an interim measure until more stringent or enhanced control requirements can be published in the next scheduled release of the HITRUST CSF.

The threat landscape is constantly changing, as are the technologies and tools that organizations rely upon to support their business missions. Consequently, an organization’s information protection program must change and adapt. Threat intelligence is one of several mechanisms by which HITRUST ensures the continued sufficiency of the HITRUST CSF.

By linking granular threats identified in active threat intelligence to higher-level threats contained in the HITRUST Threat Catalogue and related HITRUST CSF control specifications, organizations will gain greater insight into how well they are addressing extant and emerging threats by evaluating how well they’ve implemented related HITRUST CSF controls in their environment. More so, leveraging threat intelligence that can be correlated via the HITRUST Threat Catalogue’s mappings to the control specifications will allow organizations to determine likelihood and impact in order to further tailor their information protection program and manage their risk.

By enumerating common threats and, when available, common vulnerabilities, an organization will have additional information to support a risk analysis consistent with NIST and HHS recommendations, which requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]” (HIPAA § 164.308(a)(1)(ii)(A)) and “protect[ion] against any reasonably anticipated threats or hazards to the security or integrity of [such information]” (HIPAA § 164.306(a)(2)). Today, HITRUST does this by tailoring an industry-level overlay of the NIST SP 800-53 moderate-impact minimum security baseline and leveraging the risk assessments used to develop the HITRUST CSF’s underlying frameworks. The HITRUST Threat Catalogue will help provide an additional level of granularity by showing the relationship between the control requirements specified in the HITRUST CSF with a list of ‘reasonably anticipated threats.’

1. HIPAA Administrative Simplification Regulation Text, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
2. NIST SP 800-30 r1, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
3. HHS Guidance on Risk Analysis Requirements under the HIPAA Security Rule, available at https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf

By understanding how HITRUST CSF controls address specific threats to personal data and other sensitive information, an organization can demonstrate the results of the risk analyses used by the underlying control frameworks in the HITRUST CSF, e.g., ISO 27002, NIST SP 800-53, and PCI-DSS, as well as support other types of risk analyses. For example, organizations will be able to support further tailoring of the HITRUST CSF control baseline generated from its organizational, system and regulatory risk factors by (1) addressing any additional or unique threats or vulnerabilities it may have, which may not be addressed by a HITRUST CSF control requirement in the HITRUST Threat Catalogue, (2) supporting the appropriate and allowable selection of alternative or compensating controls that are not contained in the HITRUST CSF, and/or (3) the removal or relaxation of specific control requirements in its baseline to help ensure the most cost-effective, risk-based application of the HITRUST CSF to its business and clinical environment.

ISO/IEC 27002:2013, available at http://www.iso.org/iso/catalogue_detail?csnumber=54533

NIST SP 800-53 r4, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss

HITRUST anticipates the HITRUST Threat Catalogue will be a “living document” due to the constantly changing threat environment, including planned improvements to better facilitate risk analyses and the consumption of threat intelligence. Changes will likely include modifying the threat list, enumerating common vulnerabilities, relating Indicators of Compromise (IOCs), and of course updating control requirements as they change with each HITRUST CSF release.

The HITRUST Threat Catalogue’s initial release is focused on providing as comprehensive a list as possible. However, users of the HITRUST Threat Catalogue should keep in mind that the threats are enumerated at a level consistent with the control specification in the HITRUST CSF. Intelligence generally specifies threats at a much more granular level.

Taken together, the HITRUST Threat Catalogue and HITRUST CSF allow security and privacy practitioners to confidently provide their senior executives, boards, trading partners, customers, and other third-parties the necessary assurances that the organization is adequately and appropriately managing its risk exposure, with an appropriate breadth and depth, to an appropriate level of rigor, and in an appropriate order.

Additionally, the HITRUST Threat Catalogue enables organizations to identify common threats which are associated with multiple control requirement deficiencies, giving priority to those which provide them the greatest benefit in terms of risk reduction/threat coverage for a single investment.

The HITRUST Threat Catalogue is a comprehensive list of threats, including events, sources, actions, or inactions that could potentially lead to harm to your organization’s information assets. HITRUST’s Threat Catalogue allows organizations to pursue their program development, assessment, and/or validation approach based on the threats to which they are exposed and provides a mapping to the HITRUST CSF^® control specifications intended to provide risk mitigation. This is particularly useful for organizations that already have a program in place and seek to enhance their maturity or posture in targeted areas.

Building on content and concepts in the current Threat Catalogue, HITRUST has an important Risk Catalogue initiative underway that will significantly change how threat information can be leveraged by HITRUST Organizations. If you would like to participate in an active industry working group to contribute your thoughts and expertise to the upcoming HITRUST Risk Catalogue, please submit your candidacy via our Working Group Sign-up page.