New service helps identify and mitigate cyber threats
The Department of Health and Human Services requires that HIPAA-covered entities such as providers and payers conduct a privacy and security risk assessment and, based on the findings, implement appropriate safeguards for protected health information.
There is just one problem: “HIPAA doesn’t offer prescriptive information on how to do the assessment,” says Roy Mellinger, chief information security officer at insurer Anthem Inc.
Unlike the finance and energy industries, among others, where certain protections are set in stone, healthcare spans a wide range of security maturity, so the appropriate safeguards differ from one healthcare entity to the next.
Many healthcare entities, particularly smaller organizations, may also lack the expertise to work out which controls they need to implement.
That’s why HITRUST, a consortium of stakeholders collaborating to better secure protected health information, has created the HITRUST Threat Catalogue, which gathers the cyber threats seen across the industry into a single catalogue that can be shared by providers and payers.
The idea, Mellinger explains, is to identify the threats and tie them to prescriptive actions for mitigating them. Different sections of the Threat Catalogue cover unintentional actions and intentional actions such as fraud, sabotage, hacking and denial of service attacks. The catalogue, he adds, “is almost a packaged program.”
The catalogue lists threats and risks by category and type of risk, with a description of each.
Each risk is then cross-referenced and mapped to specific controls, or mitigation recommendations, in the HITRUST Common Security Framework (CSF), the control framework that underpins numerous HITRUST programs.
The initial Threat Catalogue, due out in March, will be available for free; stakeholders do not have to be HITRUST members to use it.