Since its founding in 2007, HITRUST has worked to establish programs and frameworks for safeguarding sensitive information, managing risk, compliance, and related assessment and assurance methodologies. Since then, the HITRUST Common Security Framework (CSF) has become the de facto standard for healthcare information security.Although it’s been widely adopted, with 83% of healthcare companies embracing the framework, the model was originally designed for infrastructure that you own end-to-end. For example, one control requires a company to implement fingerprint access controls so unauthorized people cannot gain access to physical servers.
As cloud adoption swept the nation over the past ten years, interpreting the HITRUST framework proved to be a confusing process for cloud-forward companies. How does one implement fingerprint-based access controls on infrastructure that one doesn’t own?
Industry leaders soon realized that we needed to update HITRUST in order to address the cloud and remove the guesswork regarding the security responsibilities of Cloud Service Providers (CSPs) and their customers.
A New Playbook for a New Era
That’s why my team and I were excited to be invited to spend this past year on the HITRUST Shared Responsibility Working Group alongside several other technology leaders. We dedicated ourselves to the cause of evolving HITRUST CSF to make it more relevant, useful and comprehensive for cloud-forward companies.
The result is the new HITRUST Shared Responsibility Matrix Version 1.0, announced on March 4th. This document goes through 1,886 specific controls—ranging from access control to privilege management to segregation in networks—and assigns full, partial, or no responsibility for each control to CSPs and their customers based on the delivery model: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or Colocation (Colo).
Understanding Inheritable Controls
To understand what inheritable controls are and why they’re important, I’ll share an example:
As mentioned previously, one HITRUST control requires companies to implement fingerprint access control on their data centers. So for cloud customers, this control can be inherited from the CSP, since it maintains physical control of the actual data center and the customer usually has no access.
That means that before the HITRUST assessment even starts, a cloud-based company would be able to check this box off from their HITRUST control list and, hence, be able to achieve HITRUST compliance more quickly.
Why Should We Care? The Benefits of the HITRUST Matrix
The main benefit of the Matrix is that it removes the guesswork from interpreting compliance and provides organizations with clear marching orders for their responsibilities. Having this clarity not only makes compliance easier to manage, but also leads to stronger security and greater efficiency.
The Bigger Picture: Cloud Goes Mainstream
Back in 2017 when we first did HITRUST, we were the first completely virtual company to obtain the certification. I remember our assessor asking us for the address of our data center, insisting on doing a site visit. “Amazon doesn’t share its address,” I remember saying. “It’s us-east-1.” It was just as comical as it was confusing.
Today, the HITRUST Shared Responsibility Matrix signifies a historic shift towards a compliance ecosystem that embraces the cloud. Our hope is that HITRUST can set an example for other regulatory bodies and can inspire a new era where compliance is designed with cloud top of mind.