Your CSP is Not the Final Answer for Your HITRUST Compliance
Since your cloud provider is certified to comply with major regulations like HITRUST for protecting data in the cloud, your organization must also be certified…right?
Well, not necessarily. While it may be possible to leverage what your CSP is doing, you need to know how and where the lines of responsibility are drawn.
Some security controls you must apply yourself, and others are shared with your cloud service provider. Only once you know which is which can you be confident that your data in the cloud, as well as the data you handle for customers and partners, is protected from cyberattacks and complies with the regulations and standards for protecting sensitive data in your locale and industry.
The challenge in analyzing the security controls applied by your CSP and comparing them to your own is that the line marking where your responsibilities end and your CSP's begin can be unclear for each individual control.
HITRUST is helping organizations and CSPs take on this challenge with its Shared Responsibility Program, which is expected to go live in 2020. The program was the topic of discussion at the HITRUST 2019 Conference in May.
Members of a panel titled "Shared Responsibility: Understanding How to Share Control Responsibility in the Cloud" are participating in a cross-industry group that is helping build the HITRUST Shared Responsibility Program, which will enable organizations and CSPs to work together to protect data by defining security controls within a Shared Responsibility Matrix. The Matrix designates who is responsible for each control and which controls are shared between CSPs and customers. The program also provides a tool to automate tracking of control responsibility, control testing, risk identification and risk mitigation.
The HITRUST Shared Responsibility Working Group has been enhancing the content of the Shared Responsibility Matrix. Major cloud providers like Microsoft Azure are also contributing to the success of the program.
The Matrix of HITRUST CSF controls lists the common set of shareable and inheritable controls based on a specific third-party service provider's CSP certification. Matrix elements include recommendations for assigning responsibility for each control. There are also specific requirements for shared controls, to help ensure that every aspect of control responsibility is understood when outsourcing systems and services to third parties.
There are a lot of regulations for organizations in the healthcare industry to follow, especially when they operate internationally. The HITRUST CSF makes it easier to stay in compliance wherever you conduct business. Join forces with 2W Tech to help protect your clients' sensitive healthcare data. Our Security Compliance Consulting Program is designed to support our clients' compliance obligations. Call us today to get started on your HITRUST journey.