HITRUST announced the release of publicly available
resources that clearly define security and privacy responsibilities
between cloud service providers and their customers, thereby
streamlining processes for risk management programs. Developed with
Amazon Web Services (AWS) and Microsoft Azure, each new HITRUST Shared
Responsibility Matrix aligns with the cloud service provider's unique
solution offering.

Leading cloud service providers have long supported shared responsibility
models, whereby the provider assumes some security responsibility for
hosting applications and systems, while the organization deploying its
solutions in the cloud assumes partial or shared responsibility for
others. The challenge, however, is that many shared responsibility
models are loosely defined and vary based on the solution.

For businesses deploying solutions in the cloud, this ambiguity creates an
added layer of complexity related to achieving broader risk management
objectives.

"Scaling cost-effectively to meet customer demand requires us to leverage the
cloud, which introduces additional and unique challenges as it relates
to data privacy and security," said Lee Penn, Chief Financial Officer
and Chief Compliance Officer, PDHI. "Specifically understanding who is
responsible or partially responsible for securing cloud services is a
challenge that is addressed by the HITRUST Shared Responsibility
Matrix."

In 2019, HITRUST engaged AWS and Microsoft Azure to begin developing joint
Shared Responsibility Matrices. The initiative was added to the larger
HITRUST Shared Responsibility and Inheritance Program,
which was introduced in 2018 to address the many misunderstandings,
risks, and complexities involved when organizations leverage cloud
service providers.

"HITRUST launched this Program with the goal of providing greater clarity
regarding the ownership and operation of security controls between
organizations and their cloud service providers," said Becky Swain,
Director of Standards and Shared Responsibility Program Lead, HITRUST.
"The introduction of the Shared Responsibility Matrix is another HITRUST
resource that underscores our ongoing commitment to simplifying and
enhancing offerings to address our customers' most pressing risk
management challenges."

The HITRUST CSF, a certifiable framework that integrates and harmonizes
more than 40 authoritative sources, serves as the foundation for the
HITRUST Shared Responsibility Matrix. With more than 2,000 controls
available in the HITRUST CSF (with "control" generally defined as an
activity to mitigate risk), the HITRUST Shared Responsibility Matrix
documents which HITRUST CSF controls are full, partial, or shared
responsibility between cloud service providers and their customers.

"With Microsoft's extensive worldwide presence and partner ecosystem, it is
essential to streamline security collaboration. Providing comprehensive
coverage for applicable controls across industries and use cases helps
ensure that high levels of privacy, security, and compliance are
achieved, and nothing falls through the cracks," said David Houlding,
Director of Healthcare Experiences, Microsoft Azure. "This was not an
easy feat for the teams at HITRUST and Microsoft, but we know our
partners and customers will benefit, which makes it worth it."

The HITRUST MyCSF SaaS platform used for managing assessments now includes
the ability to inherit controls from AWS and Microsoft Azure. The
ability to automatically inherit controls saves time, money, and
resources as organizations pursue their risk management and compliance
objectives.

The HITRUST Shared Responsibility Matrix for AWS and the HITRUST Shared Responsibility Matrix for Microsoft Azure are now available online.