HITRUST recently released its Shared Responsibility Program—just in time for HITRUST’s Annual Conference—to address security risks and inefficiencies of leveraging cloud service providers. Learn more about the program’s benefits, and how OnRamp’s Head of Info Security Nikola Todev is participating.
Leveraging a cloud service provider can add so much value to your organization. However, outsourcing services brings about new security and compliance risks and requires you to take extra precautions. Protecting critical information is a challenge for all organizations, especially those using service providers such as cloud hosting, platform-as-a-service and business process outsourcing.
Organizations often find it difficult to understand their own responsibilities, and to assess security effectiveness, under a shared responsibility model. HITRUST, an organization focused on delivering programs that safeguard sensitive information, is helping organizations with this challenge through its Shared Responsibility Program.
OnRamp is pleased to announce that our own Nikola Todev, Head of Information Security, was selected to participate in the program as part of its working group, assisting HITRUST by mapping control operation responsibilities between customers and third-party service providers to ensure accountability. Other participants include Matt Rathbun, Chief Security Officer of Azure Global, and Susan Mercurio of SAP.
OnRamp is honored that Nikola was asked to be a part of this progressive program. This security challenge directly affects our customers and partners. We help our clients conquer compliance challenges every single day. We’re transparent in the role we play in our customers’ security and compliance and take our responsibilities very seriously. Communication is key; we strive to define who is responsible for what from the get-go.
To Nikola, the issue of shared responsibility is of utmost importance:
“Most compliance guidelines, like HIPAA, are written as though one party is responsible for compliance and security. In reality, most organizations are engaging cloud service providers, which means the burden of security is shared. This causes a lot of confusion around control responsibility and can lead to a lack of data governance and difficulty in achieving data protection and compliance. I am pleased to be addressing these important issues with HITRUST and other leaders,” says Todev.
Nikola is speaking on the matter at the HITRUST conference on September 12.
What Is the HITRUST Shared Responsibility Program?
The HITRUST Shared Responsibility Program’s mission is to “clarify the roles and responsibility regarding ownership and operation of security controls while automating and streamlining the assurance process when security controls are shared or inherited.”
According to HITRUST, the program will “remove the guesswork, ambiguity and confusion in understanding the roles and responsibilities between the customer and their service provider relating to shared and inherited controls by outlining data governance, information risk management and regulatory compliance requirements in clear, concise language.”
We and HITRUST understand the complexity of determining who is responsible for operating a given security control. HITRUST outlines several scenarios: the service provider is responsible for the entire operation of the control; the customer retains responsibility for a portion of the control while the remaining implementation is inherited from the service provider; the customer and service provider share responsibility for the control; or the customer retains all responsibility for operating the control.
The HITRUST program aims to eliminate the ambiguity in these scenarios, simplifying how organizations and their third parties work together.
The Components of the HITRUST Shared Responsibility Program
There are four components within the HITRUST program that address these responsibilities and the streamlining of the process.
- HITRUST CSF: Updates to the HITRUST CSF that define accountability in outsourcing arrangements, so that responsibilities can be delegated and requirements are clearly defined between all parties.
- Shared Responsibility Matrix: A matrix of HITRUST CSF controls listing the common set of shareable and inheritable controls, based on a specific third-party service provider’s CSF certification. It includes recommendations for defining responsibility, helping organizations understand their own specific duties when entering a shared responsibility arrangement. The matrix is used by the CSF Assessor during the CSF Assessment.
- Shared Assurance Program: Guidance and assurance that controls with shared responsibility are operating as intended.
- MyCSF Assessment Automation: This includes updates to the MyCSF tool that allows organizations to pre-populate their assessments with inherited or shared responsibility control results from designated HITRUST CSF Certified service providers. The tool will streamline the process for customers using CSF Certified service providers to complete their assessment and reduce the effort required during the assessment review process.
HITRUST hopes that the full program will be available by the first quarter of 2019. HITRUST will discuss the topic in detail at HITRUST 2018, which runs September 11 through 13. A webinar on the program is also scheduled for September 26, 2018; registration is available on the HITRUST website.
OnRamp is looking forward to the program’s outset and we can’t wait to see where this program takes the world of security. For more information about OnRamp’s security and compliance services, please contact our experts today.