This article is an overview of the Risk Threat Matrix and other forward-looking HITRUST topics from the 2019 HITRUST® conference.

The HITRUST 2019 conference was one of the best yet! New learning tracks helped attendees grow their knowledge of new HITRUST offerings, upcoming changes, and a variety of topics in security and privacy. The vendor sponsors were also doing what they do best—showcasing their best HITRUST services.

There were many new ideas and key themes that stood out to me, including:

  • Deeper implementation of third-party risk management
  • Promotion of the shared-responsibility matrix for controls
  • Improved sharing of risk assessments
  • Continuous monitoring
  • Better threat management
  • Improved quality to increase reliability throughout the entire HITRUST process

To support and complement these new themes and services, HITRUST hired quite a few new faces who bring deep experience with the program and a healthy respect from their peers. This blend of “new” and “fresh” shows us that HITRUST is still working hard to provide the risk and compliance community with the tools needed to demonstrate sound execution of compliance procedures.

Forward-Looking Processes

HITRUST presented its forward-looking process related to Third Party Assurance (TPA) Risk Triage Methodology. While HITRUST has provided the ability to assess third-party risk within the CSF, this next evolution of “risk triage” seems to start the risk evaluation process earlier in the life cycle of vendor management. To provide a basis for determining the assessment type, a “triage approach” is set to evaluate the inherent risk posed by the third party.

This approach allows an organization to assess the risk of a vendor based on a set of “knowns” and the risk to the organization of outsourcing the process, before any vendor-specific risk is taken into account. This risk score, when consolidated across all third parties applicable to an organization, allows the organization to evaluate its overall inherent vendor risk.

Based on the February 2019 whitepaper, HITRUST TPA Risk Triage Methodology, the risk triage method improves an organization’s ability to prioritize its vendors through the vendor risk assessment process. It also allows the organization to prioritize the identified risk in the individual relationships. Participants were urged to download the whitepaper to learn more.

Shared Responsibility and Joint Responsibility Assessment Models

Equally fascinating, and continuing on the theme of managing vendor risk, was the presentation of a business case for greater use of the shared responsibility and joint responsibility assessment models. Coming along with the changes expected in the HITRUST CSF v.10.0, there may be an ability to “share” responsibility for controls between a service provider/vendor and another organization. Exactly how this will be incorporated into MyCSF is yet to be seen; however, the forward-looking concept of shared controls is exciting.

It will be interesting to follow the developments of the Shared Responsibility Working Group as it works to balance the requirements of HIPAA against the needs of those who are more directly responsible for executing a control.

Improvements to the HITRUST Assessment XChange™ Manager

Need a way to share those risk assessments to multiple business partners? Want to see how your vendor’s risk is stacking up?

HITRUST demonstrated improvements to the Assessment XChange portal. The portal allows organizations to share their assessment with those they grant permission. One of the key benefits is the XChange’s ability to interface with current vendor risk tools such as RSAM and RSA Archer. The report can be consumed by these tools, or it can remain in the HITRUST portal for evaluation.

Potential Changes to the Annual Certification Timeline

In keeping with the current trend toward more continuous monitoring, HITRUST is evaluating changes to the annual certification timeline as well. The annual assessment seems to be moving toward continuous evaluation of controls, driven by criteria such as overall risk, changes in the threat landscape, and the maturity of the organization, rather than by the annual assessment date alone. This will be an important development to monitor for those organizations that have already matured beyond the need for the annual HITRUST risk assessment and want more from their risk monitoring activities.

Threat Risk Matrix

The focus on risk was rounded out by HITRUST’s presentation of its Threat Risk Matrix. The threat catalog is free to all and available for download on the HITRUST website. If you are evaluating your risk, you know that identifying your assets and documenting the key threats to those assets is the foundation of that evaluation.

Increased Assessor Responsibility

And, finally, as a member of HITRUST’s Quality Sub-Committee, I can appreciate that there was an increased emphasis at the conference on the work that assessors perform to support the validation and certification process. Assessors now have an increased responsibility to describe more fully the scope of the environment they are testing, to provide detailed test plans and supporting evidence for the tests they perform, and to demonstrate through management oversight that standards are upheld throughout the testing process. While these additional steps take more time and effort, consumers of the report should be pleased with the results in HITRUST reports going forward.

If you would like more information on HITRUST and how it can help your organization, contact LBMC Information Security to schedule a consultation.
