HITRUST launches Threat Catalogue to help healthcare firms with information security


HITRUST launches Threat Catalogue to help healthcare firms with information security

LeoWolfert / Shutterstock

HITRUST has created a so-called Threat Catalogue to aid healthcare organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF risk factors and controls.

HITRUST said it undertook this initiative to improve organizational visibility into threats posed against health information and to afford organizations the ability to prioritize their security program’s activities based on a greater understanding of their risks.

The HIPAA Security Rule requires organizations to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).”

HITRUST helped the healthcare industry address this requirement by developing a framework based on risk analyses performed by representative healthcare organizations and the underlying risk analyses used to produce ISO 27001 control recommendations, NIST SP 800-53 control baselines and other control-based frameworks.

“HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually,” said Dr. Bryan Cline, vice president, standards and analytics, HITRUST and a governing chair of the Working Group. “HITRUST is now taking this level of responsiveness one step further with the new Threat Catalogue.”

The HITRUST Threat Catalogue enhances the underlying risk analyses used to develop the HITRUST CSF and helps ensure the HITRUST CSF and CSF Assurance Program continue to remain current and relevant risk-based solutions—critical elements given today’s ever-dynamic threat environment. The HITRUST Threat Catalogue affords better visibility into how the HITRUST CSF addresses extant and emerging threats and helps ensure CSF control baselines continue to address risk commensurate with selected organizational, system and regulatory risk factors.

“Most organizations do not possess the skill sets necessary to truly identify ever changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required,” said Roy Mellinger, vice president IT and chief information security officer, Anthem and a governing chair of the Working Group.

“The HITRUST Cyber Threat Catalogue takes the guess work out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls, and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required.”

HITRUST, Threat Catalogue, Healthcare, Risk, US