Cybersecurity data overload!
That’s the situation facing many healthcare IT professionals, whether in hospitals, doctors’ offices, service providers like labs, or even medical device manufacturers. The world is awash in cyberattacks, threats and risks — and every CEO, line-of-business manager, chief information security officer and IT manager has two options.
First, subscribe to a metric ton of threat advisory services and try to figure out what’s real and what’s relevant.
Second, ignore the threats and wait for the inevitable breach or regulatory compliance crackdown.
HITRUST has just created a third, and very compelling resource: the HITRUST Threat Catalogue, geared specifically for the healthcare community, and with relevant threats mapped directly to its industry-standard compliance framework.
HITRUST, founded in 2007 as the Health Industry Trust Alliance, is an industry consortium that offers a common risk and compliance management framework (CSF), an assessment and assurance methodology, and educational and career development for its members. According to the organization, more than 84% of hospitals and health plans use the HITRUST CSF to manage risk and ensure security and privacy compliance from their third-party service providers.
The new HITRUST Threat Catalogue provides a complete list of security and privacy threats, with associated metadata (such as threat classification) mapped closely to the HITRUST CSF – along with a reverse mapping from each CSF control requirement to the threats it addresses. In addition, threats in the catalogue will be mapped to publicly available threat catalogues, including the NIST SP 800-30 Risk Management Guide, the European Union Agency for Network and Information Security (ENISA) Threat Taxonomy, the ISO 27005 Risk Management Standard, and the Bundesamt für Sicherheit in der Informationstechnik (BSI) IT-Grundschutz-Katalog.
The HITRUST Threat Catalogue “offers sound guidance based on norms and analysis of extremes so they can be brought into the norms of the healthcare organization’s Infosec program,” explained Dan Nutkis, founder and Chief Executive Officer for HITRUST, in a conversation prior to the catalogue’s release. “With the HITRUST Threat Catalogue, organizations can determine what your InfoSec requirements are based on threats mapped to vulnerabilities. This makes your response better and more tailored to the threat.”
Mr. Nutkis showed a roadmap for the progression of the HITRUST Threat Catalogue, which will be updated at least annually, in sync with the annual release cycle for the CSF itself (currently on version 8). The second release of the catalogue will add a list of common vulnerabilities compiled from industry feedback, along with enhanced guidance on how to use the catalogue for supplemental risk analysis and for targeted risk analysis with risk acceptance criteria and alternative controls.
Right out of the gate, the HITRUST Threat Catalogue contains comprehensive threat and risk information geared to any organization that touches ePHI – that is, electronic protected health information covered by HIPAA regulations. Because the information in the catalogue is mapped to the HITRUST CSF framework, organizations can immediately use it to manage InfoSec risk. No more wading through those metric tons of raw risk information that may or may not be relevant – and when something does appear relevant, no more wasting considerable time and resources trying to figure out how to respond to that risk in a healthcare context under HIPAA and other compliance rules.
The healthcare industry was directly involved in the creation of the HITRUST Threat Catalogue, said Dr. Bryan Cline, vice president, standards and analytics, HITRUST and a governing chair of the Working Group that created the catalogue. “HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually. HITRUST is now taking this level of responsiveness one step further with the new HITRUST Threat Catalogue.”
“Most organizations do not possess the skill sets necessary to truly identify ever-changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required,” added Roy Mellinger, vice president IT and chief information security officer, Anthem, and also a governing chair of the Working Group. “The HITRUST Threat Catalogue takes the guesswork out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls, and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required.”
There’s no doubt that every industry and every organization is under constant threat of a cybersecurity breach, whether caused by cybercriminals, insiders or carelessness. The solution to managing those risks, especially in an industry that’s governed by strict security and privacy rules, isn’t more raw data; there’s already far too much of it. The answer is threat intelligence that maps directly to the industry and helps CEOs, CISOs and others figure out what’s real, what’s relevant, and what to do about it. For the healthcare industry, HITRUST has made a real contribution to solving that problem with the HITRUST Threat Catalogue.
About Alan Zeichick
Alan Zeichick is Principal Analyst at Camden Associates. A former mainframe systems analyst, Alan has been in the technology industry since the early 1980s, and focuses on software development, networking, communications and security.