Active Working Groups (click to expand)
The HITRUST Shared Responsibility Working Group Develops a Matrix for Control Responsibility and Inheritance for Cloud Service Providers
The HITRUST Shared Responsibility Working Group develops content for the Shared Responsibility Matrix. This matrix of HITRUST CSF Controls will list out the common set of sharable and inheritable controls based on a specific third-party service provider’s CSF Certification. This vendor/service-specific matrix will be used as a tool to ensure alignment between customers and service providers to identify which party is responsible and where shared responsibility occurs for controls. Matrix will include:
- Recommendations for assigning responsibility for controls and specific requirements for shared controls, and help ensure all aspects of control responsibility are understood when outsourcing systems and services to third-parties. This allows organizations to determine those controls that are—or should be—a third-party’s full responsibility and understand their own specific duties for those that are a shared responsibility.
- Assessment Guidance on how evidence can be obtained and validated. A completed matrix would then be used by the CSF Assessor as part of the CSF Assessment to ensure compliance.
Protecting sensitive information is a challenge for any organization and even more so for organizations that retain third-party service providers, such as a cloud hosting company, platform-as-a-service, or business process outsourcer. There is added complexity and time-consuming effort that comes with determining who is responsible for the operation of security controls and gaining assurance that these controls are operating effectively by both parties.
The HITRUST Shared Responsibility Program will help remove the guesswork, ambiguity and confusion that comes with defining control responsibility between customer and service provider by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language. The program will ensure organizations and their third-party cloud providers appropriately identify and assess information security controls. This will allow for the complete and accurate sharing of assurances between and amongst organizations, third-party service providers and other relying parties.
HITRUST Threat Catalogue Working Group Develops Catalog of PHI Threats for Healthcare Industry
The HITRUST Threat Catalogue Working Group develops a catalog of threats to protected health information (PHI). By tying these threats to the CSF controls that are intended to address them, the catalog will support two very important goals.
First, the catalog will be used by the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) to help healthcare organizations react to threat intelligence by reviewing their implementation and monitoring of CSF controls that address the threats identified in the reports. Cyber threat intelligence and lessons learned from incident response will also be used to provide real-time and near real-time guidance on how organizations can address these threats, as well as provide interim guidance on modifications necessary for existing CSF control requirements as well as recommendations for new requirements when necessary. By issuing interim guidance and formally incorporating this guidance into the CSF at least annually, HITRUST will provide a healthcare information protection framework that is better and able to keep up the pace with a constantly evolving cyber threat environment.
Second, the catalog will be used to help healthcare organizations satisfy their obligations under the HIPAA Security Rule to identify all reasonably anticipated threats to ePHI as well as support the risk analyses required to (1) further tailor their selected CSF controls based on any unique threats to the organization’s PHI, which is consistent with the overlays addressed in NIST SP 800-53 r4; (2) evaluate the suitability of alternate (compensating) controls, which provide additional flexibility for organizations in the tailoring of the CSF to their specific needs; and (3) support an organization’s decision to accept the risk associated with not implementing or only partially implementing one or more CSF control requirements.
Industry Advisory Panel Supports CSF Alignment with AICPA’s SOC 2 Reporting
This industry Advisory Panel works closely with a working group formed by the AICPA. The AICPA working group, consisting of AICPA members knowledgeable in healthcare and third-party reporting, develop and publish a set of recommendations to streamline and simplify the process of leveraging the HITRUST CSF and CSF Assurance as additional suitable criteria for SOC 2 reporting. The AICPA developed SOC 2 for reporting on controls relevant to security, availability, processing integrity, confidentiality and/or privacy. The work product developed will provide healthcare organizations that must comply with HIPAA or other regulatory requirements a comprehensive and standardized control framework to support their SOC 2 reporting requirements.
Completed Working Groups
- CSF Risk Factors Working Group (2014-2015)
- Cybersecurity Working Group (2013-2014)
- Content Definition Development Working Group (2011)
- Mobile Devices Working Group (2011)
- Cloud Security Working Group (2011)
- Health Information Exchange Working Group (2011)
If you are interested in Working Group participation, please fill out the form on the Working Group Sign-Up page.