HITRUST has launched its new HITRUST Shared Responsibility Program and Matrix Version 1.0, which it touts as the first common model for managing and communication privacy and security responsibilities between cloud service providers and their customers.
WHY IT MATTERS
The new Matrix approach aims to clarify the roles and responsibilities regarding ownership and operation of security controls, according to HITRUST – automating and streamlining the assurance process when privacy and security controls are shared or inherited.
It’s part of HITRUST’s Shared Responsibility Program, which was launched to address the growing misunderstandings, risks and complexities when working with service providers.
The program is supported by a working group comprising representatives from Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud-professional-services firms and solution providers.
HITRUST says healthcare organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.
“With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” explained Becky Swain, Director of Standards Development at HITRUST.
THE LARGER TREND
HITRUST points to IDC research that found 48% of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud.
It says the Matrix will help healthcare organizations such as those more easily reach agreements with their cloud service providers about which party is responsible for individual security and privacy controls – helping ensure that all applicable controls are properly addressed.
Among its benefits, according to HITRUST:
- A standard set of core principles and common language for all cloud service model types (e.g. SaaS, PaaS, IaaS and Colo).
- Helping organizations navigate an agreed-upon shared security and privacy responsibility in a way that is transparent, traceable and accountable.
- The ability to be tailored by CSPs in a completely customizable template to support their proprietary products and services.
- Supporting an Assess Once, Inherit Many approach.
ON THE RECORD
“The continued growth and strategic reliance on cloud computing, coupled with the ever-growing risk and compliance landscape, make communicating control responsibility and assurances more complex and intricate,” said David Houlding, director of healthcare experiences at Microsoft Azure and a Healthcare Cloud and Shared Responsibility Working Group member, in a statement.
“The HITRUST Shared Responsibility Program addresses the need for a common language around security risks and responsibilities between the customer and cloud service provider, and to have confidence that nothing will fall through the cracks,” he said.
“When control responsibility is shared, organizations must have these discussions with their cloud service providers to ensure everyone is on the same page,” said Bob Smith, senior manager of Security Compliance at Salesforce and a working group member. “The HITRUST Shared Responsibility Matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them as well as that all reasonable steps are taken to protect information entrusted to their cloud service providers.”