HITRUST Threat Catalogue Helps Healthcare Industry Prioritize Cybersecurity Threats

The HITRUST Alliance has announced that the organization will be releasing the HITRUST Threat Catalogue in March: a new resource to help healthcare organizations improve security by aligning the wide range of current cybersecurity threats and risk factors with its Common Security Framework.

The Health Insurance Portability and Accountability Act (HIPAA) requires all covered entities to conduct a risk assessment to identify the potential threats to the confidentiality, integrity, and availability of electronic protected health information (ePHI). The risk assessment is a fundamental element of HIPAA and healthcare data security. If a risk assessment is not performed, a healthcare organization will be unaware of the risks to ePHI and will therefore not be able to take appropriate action to reduce those risks to acceptable levels. However, many healthcare organizations struggle with the risk assessment.

To make the process easier, HITRUST developed an easy-to-use framework: The HITRUST Common Security Framework (CSF). The CSF was developed using a wide range of risk analyses performed by representative healthcare organizations throughout the United States along with those used to produce the ISO 27001 control recommendations, NIST SP 800-53 control baselines, and a number of other control-based cybersecurity frameworks.

While the HITRUST Common Security Framework is an excellent tool, the San Francisco-based non-profit is taking its framework a step further by creating the HITRUST Threat Catalogue. The purpose of the HITRUST Threat Catalogue is to give healthcare organizations better visibility into the current cybersecurity risks and emerging threats and map them to specific CSF controls. The HITRUST Threat Catalogue will help to ensure the CSF stays current and relevant.

Roy Mellinger, a governing chair of the HITRUST Working Group and information security officer at Anthem, says, “Most organizations do not possess the skill-sets necessary to truly identify ever-changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required.”

The Threat Catalogue will help organizations prioritize those threats and map them to the appropriate CSF controls. Organizations will be given a workable blueprint to define and develop the strategies that are required to deal with those threats, essentially allowing healthcare organizations to take the guesswork out of the process.

The Threat Catalogue will be regularly updated, although initially it will focus on four areas:

  • Identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
  • Enumerate all reasonably anticipated threats to ePHI for a general healthcare organization
  • Map HITRUST CSF control requirements to the enumerated threats
  • Identify any additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news