In an effort to improve visibility into data security threats and help healthcare organizations manage security strategies with that knowledge, HITRUST has put together what it calls a Threat Catalogue, based on risk factors and controls of its Common Security Framework.
HITRUST helps healthcare groups meet the HIPAA Security Rule requirement to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities" to their patient data. The CSF is based on risk analyses performed by representative healthcare organizations and on the underlying risk analyses used to produce the ISO 27001 control recommendations, the NIST SP 800-53 control baselines and other control-based frameworks.
"HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually," said Bryan Cline, vice president, Standards and Analytics at HITRUST.
The new threat catalogue takes the aim of the CSF "one step further," he said, enhancing the underlying risk analyses used to develop it and helping ensure the CSF and the CSF Assurance Program remain current and relevant. The catalogue aims to give better visibility to emerging threats and to help the CSF continue to address risk commensurate with various organizational, system and regulatory risk factors, officials said.
"Most organizations do not possess the skill-sets necessary to truly identify ever changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required," said Roy Mellinger, chief information security officer at Anthem and a governing chair of the HITRUST Working Group.
The threat catalogue, he said, "takes the guesswork out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required."
In addition to HIPAA risk analysis, the catalogue can also help with other types of analyses, according to HITRUST, such as the supplemental risk analyses used to tailor a control baseline to the unique needs of an individual organization, or more targeted risk assessments to evaluate alternate or compensating controls as well as formal risk acceptance.
While the HITRUST Threat Catalogue will mature over time, officials said it will focus first on four areas:
- Identifying and leveraging an existing threat taxonomy for common adversarial and non-adversarial threats to electronic protected health information;
- Enumerating reasonably anticipated threats to ePHI for a general healthcare organization;
- Mapping HITRUST CSF control requirements to those enumerated threats;
- Identifying additional information needed in future iterations of the catalogue to help meet its objectives.
A proliferation of threat and intelligence feeds and services, while valuable, has led to "information overload," said Kevin Charest, divisional senior vice president and CISO at Health Care Service Corporation and a governing chair of the Working Group.
"What I see in the HITRUST Threat Catalogue is the linkage and practical application that will lead organizations to take tactical actions that will enhance the overall security posture in response to the current threat environment."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com