HITRUST threat catalogue helps organizations identify salient risks
Providers and payers now have access to a “threat catalogue” to help them identify adverse events that they’ll likely need to control.
The project was developed by HITRUST, a coalition of industry stakeholders collaborating to better secure protected health information. The initiative aims to help organizations identify the adverse events that are most relevant to them particularly and how they can be be controlled.
The catalogue gives stakeholders greater visibility into the threats and risks targeting information, assets and operations, and identifies specific technical, physical and administrative controls to address the risks.
For example, the threat of ransomware requires all organizations to re-examine controls for data backup and restoration to ensure successful recovery of data should a ransom attack occur.
HITRUST built the catalogue after finding that a comprehensive threat list that could support risk analaysis and assist in understanding and mitigating threats was unavailable, says Bryan Cline, vice president of standards and analytics at the firm and a former chief information security officer at Catholic Health East and The Children’s Hospital of Philadelphia.
The HITRUST threat catalogue also offers mappings to less comprehensive threat lists from respected sources that include the National Institutes of Standards and Technology (NIST) and the European Network and Information Security Agency.
The catalogue is free and becomes an integral part of HITRUST’s risk management and compliance suite, helping organizations ease the burden of analyzing and managing risks by mapping threats directly to the controls in the HITRUST CSF framework.
HITRUST CSF is a common information protection framework that provides cross references to authoritative sources that include international standards such as ISO, NIST, PCI and HIPAA, as well as COBIT, a set of best practices baseline security controls.
The catalogue further gives an overlay of NIST controls, a subset of requirements that helps an organization determine how different its requirements are, compared with other similar organizations facing the same issues, Cline explains.
Another feature takes advantage of a partnership between security vendor Trend Micro and HITRUST to enable organizations to map active threats identified by Trend Micro.
“We update the catalogue annually and more often if warranted,” Cline adds. A link to download the threat catalogue is available here. Registration for a free web seminar on the catalogue on November 29 is available here.