By Christine Kern, contributing writer
Catalogue aligns threats to HITRUST CSF Controls to boost effectiveness of risk analyses.
The HITRUST Alliance has developed a Threat Catalogue to help healthcare organizations identify and rate the seriousness of cyber threats, as well as prioritize responses accordingly. The catalogue is designed to aid organizations in boosting their information security posture by better aligning cyber threats with HITRUST CSF controls.
Under the HIPAA Security Rule, organizations must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).” HITRUST has helped healthcare address this requirement through its HITRUST CSF framework, which provides an industry-driven standard of due care and due diligence for healthcare information.
The catalogue, available later this month, aims to increase visibility into the greatest HIPAA threat risks and draws from the risk factors and controls of the HITRUST CSF. It can also help facilitate supplemental and more targeted risk analyses.
“HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually,” says Dr. Bryan Cline, vice president, standards and analytics, HITRUST and a governing chair of the Working Group. “HITRUST is now taking this level of responsiveness one step further with the new Threat Catalogue.”
The HITRUST Threat Catalogue is being developed and maintained in conjunction with the formation of a new HITRUST Working Group. “The HITRUST Threat Catalogue is a significant step forward in helping organizations better manage risk, especially cyber risk,” said John Riggi, current Head of Cybersecurity and Financial Crimes, BDO Consulting and a governing chair of the Working Group. “This is why BDO Consulting has taken an active role in its development and adoption.”
Led by the Working Group, the HITRUST Threat Catalogue will focus its initial efforts on four principal tasks:
- identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
- enumerate all reasonably anticipated threats to ePHI for a general healthcare organization
- map HITRUST CSF control requirements to the enumerated threats
- identify any additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives
“Most organizations do not possess the skill sets necessary to truly identify ever-changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required,” said Roy Mellinger, vice president IT and chief information security officer, Anthem and a governing chair of the Working Group. “The HITRUST Cyber Threat Catalogue takes the guesswork out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls, and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required.”