Active Working Groups

The HITRUST Information Security Continuous Monitoring (ISCM) Working Group (WG) will help develop the HITRUST CSF Ongoing Certification (OC) Program in an effort to fully define the ISCM-based approach.

The HITRUST ISCM WG includes organizations with mature ISCM programs to help develop the ISCM-based approach. As we move forward with cultivating the HITRUST CSF OC Program, we intend to develop control requirements for organizations’ internal ISCM and ongoing authorization programs, define reporting requirements between organizations and HITRUST Authorized External Assessors to support continuous assessment of the security controls, define reporting requirements between the External Assessors and HITRUST, and develop OC criteria for maintaining certification or requiring the recertification or decertification of an assessed organization.

Members of the HITRUST ISCM WG will assist in defining these requirements and help develop criteria for future maintenance of certification and future requirements of recertification or decertification, as appropriate for assessed organizations.

The HITRUST Shared Responsibility Working Group Develops a Matrix for Control Responsibility and Inheritance for Cloud Service Providers

The HITRUST Shared Responsibility Working Group develops content for the Shared Responsibility Matrix. This matrix of HITRUST CSF Controls will list out the common set of sharable and inheritable controls based on a specific third-party service provider’s CSF Certification. This vendor/service-specific matrix will be used as a tool to ensure alignment between customers and service providers to identify which party is responsible and where shared responsibility occurs for controls. The matrix will include:

  1. Recommendations for assigning responsibility for controls and specific requirements for shared controls, which help ensure all aspects of control responsibility are understood when outsourcing systems and services to third parties. This allows organizations to determine those controls that are, or should be, a third party’s full responsibility and understand their own specific duties for those that are a shared responsibility.
  2. Assessment Guidance on how evidence can be obtained and validated. A completed matrix would then be used by the External Assessor as part of the CSF Assessment to ensure compliance.

Protecting sensitive information is a challenge for any organization and even more so for organizations that retain third-party service providers, such as a cloud hosting company, platform-as-a-service, or business process outsourcer. There is added complexity and time-consuming effort that comes with determining who is responsible for the operation of security controls and gaining assurance that these controls are operating effectively by both parties.

The HITRUST Shared Responsibility Program will help remove the guesswork, ambiguity and confusion that comes with defining control responsibility between customer and service provider by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language. The program will ensure organizations and their third-party cloud providers appropriately identify and assess information security controls. This will allow for the complete and accurate sharing of assurances between and amongst organizations, third-party service providers and other relying parties.

HITRUST Threat Catalogue Working Group Develops Catalog of PHI Threats for Healthcare Industry

The HITRUST Threat Catalogue Working Group develops a catalog of threats to protected health information (PHI). By tying these threats to the CSF controls that are intended to address them, the catalog will support two very important goals.

First, the catalog will be used by the HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) to help healthcare organizations react to threat intelligence by reviewing their implementation and monitoring of CSF controls that address the threats identified in the reports. Cyber threat intelligence and lessons learned from incident response will also be used to provide real-time and near real-time guidance on how organizations can address these threats, interim guidance on modifications necessary for existing CSF control requirements, and recommendations for new requirements when necessary. By issuing interim guidance and formally incorporating this guidance into the CSF at least annually, HITRUST will provide a healthcare information protection framework that is better able to keep pace with a constantly evolving cyber threat environment.

Second, the catalog will be used to help healthcare organizations satisfy their obligations under the HIPAA Security Rule to identify all reasonably anticipated threats to ePHI as well as support the risk analyses required to (1) further tailor their selected CSF controls based on any unique threats to the organization’s PHI, which is consistent with the overlays addressed in NIST SP 800-53 r4; (2) evaluate the suitability of alternate (compensating) controls, which provide additional flexibility for organizations in the tailoring of the CSF to their specific needs; and (3) support an organization’s decision to accept the risk associated with not implementing or only partially implementing one or more CSF control requirements.

Completed Working Groups

  • Industry Advisory Panel; AICPA SOC2 Working Group (2014-2019)
  • CSF Risk Factors Working Group (2014-2015)
  • Cybersecurity Working Group (2013-2014)
  • Content Definition Development Working Group (2011)
  • Mobile Devices Working Group (2011)
  • Cloud Security Working Group (2011)
  • Health Information Exchange Working Group (2011)

If you are interested in Working Group participation, please fill out the form on the Working Group Sign-Up page.

Interested in joining the ISCM Working Group? Please complete the attached questionnaire and send to