HITRUST has announced the creation of a Threat Catalogue that will aid healthcare organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF risk factors and controls. The HITRUST Threat Catalogue will provide greater visibility into areas representing the greatest risk exposure and enhance the underlying risk analyses used to develop the HITRUST CSF.

The related press release can be viewed here.

The explicit alignment of threats to the HITRUST CSF produces a combination not found in other frameworks. It simplifies the risk analysis process for healthcare organizations and reduces some of the burden, costs, and confusion otherwise experienced when attempting to achieve this level of risk management.

The HIPAA Security Rule requires organizations to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).” HITRUST helped the healthcare industry address this requirement by developing a simple-to-use framework based on risk analyses performed by representative healthcare organizations and the underlying risk analyses used to produce ISO 27001 control recommendations, NIST SP 800-53 control baselines and other control-based frameworks. By integrating these analyses with relevant regulatory requirements and best practices, the HITRUST CSF provides an industry-driven standard of due care and due diligence for healthcare information that has become the most widely used in healthcare.

HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually. HITRUST is now taking this level of responsiveness one step further with the new Threat Catalogue.

The HITRUST Threat Catalogue helps ensure the HITRUST CSF and CSF Assurance Program continue to remain current and relevant risk-based solutions—critical elements given today’s ever-dynamic threat environment. It also affords enhanced visibility into how the HITRUST CSF addresses extant and emerging threats and helps ensure CSF control baselines continue to address risk commensurate with selected organizational, system and regulatory risk factors.

Most organizations do not possess the skill sets necessary to truly identify ever-changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required.  The HITRUST Threat Catalogue takes the guess work out of the process by articulating the threats, mapping them to the necessary HITRUST CSF controls, and providing organizations with a workable blueprint to define the required protection mechanisms and strategies.

In addition to the HIPAA-required risk analysis used for control selection, the Threat Catalogue can also facilitate many other types of risk analysis. Examples include the supplemental risk analyses used to tailor a control baseline to the unique needs of an individual organization or the more targeted risk analyses used to evaluate alternate or compensating controls, as well as formal risk acceptance.

The HITRUST Threat Catalogue will mature over time. It is being developed and maintained in conjunction with the formation of a new HITRUST Threat Catalogue Working Group that will focus their initial efforts on four principle tasks:

  • Identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
  • Enumerate all reasonably anticipated threats to ePHI for a general healthcare organization
  • Map HITRUST CSF control requirements to the enumerated threats
  • Identify any additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives

To further aid in threat management, HITRUST will issue threat advisories in the near future based on the actual threats addressed by each control in the HITRUST CSF. Enabled by the HITRUST CTX—the healthcare industry’s leading cyber information sharing and analysis organization—healthcare organizations will receive the intelligence they need to better understand these threats, prioritize responses, and ultimately improve the overall effectiveness of their operational controls.

The initial version of the HITRUST Threat Catalogue will be available in March. For more information on the HITRUST Threat Catalogue, or how to be notified when available, please visit this page.

More information on the HITRUST CSF can be found at: https://hitrustalliance.net/hitrust-csf/.