HITRUST Shared Responsibility: Assigning privacy and responsibility on the cloud

HITRUST, a leading data protection, standards development, and certification organization, announces the general availability of the HITRUST Shared Responsibility Program and Matrix Version 1.0.

The Matrix is the first ever common model for communicating and assigning security and privacy responsibility between cloud service providers (CSPs) and their tenants or customers.

The Matrix is part of the HITRUST Shared Responsibility Program, which was established to address the growing misunderstandings, risks, and complexities when leveraging service providers.

The Shared Responsibility Program clarifies the roles and responsibilities regarding ownership and operation of security controls while automating and streamlining the assurance process when privacy and security controls are shared or inherited.

Organizations will benefit from streamlined communication processes as well as reduced inefficiencies and burdens of compliance when leveraging services from cloud providers.

The Shared Responsibility Program is led by Becky Swain, Director of Standards Development at HITRUST, and supported by a Working Group comprised of representatives of leading cloud service providers, including Armor, AWS, Google, Microsoft Azure and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers.

“With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organization’s information risk management and assurance process,” said Swain.

“The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”

“As PDHI collaborates with cloud service providers, we will leverage the HITRUST Shared Responsibility Matrix in understanding, documenting, and inheriting privacy and security control responsibility,” explains Lee Penn, the Chief Financial Officer and Chief Compliance Officer for PDHI and Shared Responsibility Working Group Member.

“The Matrix simplifies providing evidence to our auditors and other interested parties that what we deliver, together with services we contract from Microsoft Azure cloud, meets the HITRUST guidelines and certification requirements—from end-to-end.”

HITRUST will continue to collaborate with leading CSPs as they provide the Matrix to their customers to further streamline security control ownership and responsibility. The Matrix offers many benefits, including:

  • A standard set of core principles and common language for all cloud service model types (e.g., SaaS, PaaS, IaaS, and Colo).
  • Helping organizations navigate an agreed-upon shared security and privacy responsibility in a way that is transparent, traceable, and accountable.
  • The ability to be tailored by CSPs in a completely customizable template to support their proprietary products and services.
  • Supporting an Assess Once, Inherit Many approach.

Businesses around the globe spent $107 billion in 2019 for cloud computing infrastructure services, fueled by 37% growth in Q4. With the proliferation of enterprise cloud computing, HITRUST continues its commitment to provide industry-leading risk management and vendor risk solutions for global organizations across all industries.

David Houlding, Director of Healthcare Experiences, Microsoft Azure: Healthcare Cloud and Shared Responsibility Working Group Member said, “The continued growth and strategic reliance on cloud computing, coupled with the ever-growing risk and compliance landscape, make communicating control responsibility and assurances more complex and intricate.

“The HITRUST Shared Responsibility Program addresses the need for a common language around security risks and responsibilities between the customer and cloud service provider, and to have confidence that nothing will fall through the cracks.”

“When control responsibility is shared, organizations must have these discussions with their cloud service providers to ensure everyone is on the same page,” says HITRUST Shared Responsibility Working Group Member Bob Smith, Senior Manager of Security Compliance at Salesforce.

“The HITRUST Shared Responsibility Matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them as well as that all reasonable steps are taken to protect information entrusted to their cloud service providers.”

IDC reported that 48% of organizations have applications in one public cloud that communicate regularly with applications in a different public cloud.

The Matrix will help organizations more easily come to agreements with their CSPs as to which party is responsible for individual security and privacy controls, in turn ensuring that all applicable controls are properly addressed.

More about

Don't miss