HITRUST undertook the initiative to create the HITRUST Threat Catalogue to aid organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF risk factors and controls. The HITRUST Threat Catalogue provides greater visibility into areas representing the greatest risk exposure and enhances the underlying risk analyses used to develop the HITRUST CSF.

The explicit alignment of threats to the HITRUST CSF produces a combination not found in other frameworks. It simplifies the risk analysis process for organizations and reduces some of the burden, costs, and confusion otherwise experienced when attempting to achieve this level of risk management.

The threat catalogue will be continuously developed and maintained by the HITRUST Threat Catalogue Working Group, which will focus its initial efforts on four principle tasks:

  • Identifying and leveraging an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
  • Enumerating all reasonably anticipated threats to covered information for an organization
  • Mapping HITRUST CSF control requirements to the enumerated threats
  • Identifying additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives

If you would like to participate in the HITRUST Threat Catalogue Working Group, complete the form located here.

If you would like to be notified when the HITRUST Threat Catalogue is available, fill out the form on the Threat Catalogue Notification Sign-Up page.

The related press release can be viewed here.

Additionally, enabled by the HITRUST CTX, HITRUST will issue threat advisories based on the actual threats addressed by each control in the HITRUST CSF.

By fully leveraging the HITRUST CSF and HITRUST Threat Catalogue, organizations will be better able to safeguard information and maintain the trust of their customers and the members they serve.

If you need more information, a list of frequently asked questions can be found here.