HITRUST Unveils Model for Assigning Security, Privacy Responsibility Among Cloud Service Providers

March 4, 2020
Shared Responsibility Program and Matrix seeks to clarify roles and responsibilities regarding ownership and operation of security controls

HITRUST, a cybersecurity standards development and certification organization, has unveiled a common model for communicating and assigning security and privacy responsibility between cloud service providers and their tenants or customers.

Called the Shared Responsibility Program and Matrix Version 1.0, it is part of HITRUST’s Shared Responsibility Program, which was established to address what it calls the growing misunderstandings, risks, and complexities when leveraging service providers.

IDC has reported that 48 percent of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud. The Matrix will help organizations more easily come to agreements with their cloud service providers as to which party is responsible for individual security and privacy controls, in turn ensuring that all applicable controls are properly addressed.

The Shared Responsibility Program clarifies the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when privacy and security controls are shared or inherited.

HITRUST said organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.

The Shared Responsibility Program is led by Becky Swain, director of standards development at HITRUST, and supported by a Working Group composed of representatives of several cloud service providers, including Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers.

“With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” said Swain, in a release. “The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”
