HITRUST, AWS and Microsoft Azure publish Shared Responsibility Matrices for cloud security

HITRUST announced the release of publicly available resources that clearly define security and privacy responsibilities between cloud service providers and their customers, thereby streamlining processes for risk management programs.

Developed with Amazon Web Services (AWS) and Microsoft Azure, each new HITRUST Shared Responsibility Matrix aligns with the cloud service provider’s unique solution offering.

Leading cloud service providers have long supported shared responsibility models, whereby the provider assumes some security responsibility for hosting applications and systems, while the organization deploying its solutions in the cloud assumes partial or shared responsibility for others. The challenge, however, is that many shared responsibility models are loosely defined and vary based on the solution.

For businesses deploying solutions in the cloud, this ambiguity creates an added layer of complexity related to achieving broader risk management objectives.

“Scaling cost-effectively to meet customer demand requires us to leverage the cloud, which introduces additional and unique challenges as it relates to data privacy and security,” said Lee Penn, Chief Financial Officer and Chief Compliance Officer, PDHI.

“Specifically understanding who is responsible or partially responsible for securing cloud services is a challenge that is addressed by the HITRUST Shared Responsibility Matrix.”

In 2019, HITRUST engaged AWS and Microsoft Azure to begin developing joint Shared Responsibility Matrices. The initiative was added to the larger HITRUST Shared Responsibility and Inheritance Program, which was introduced in 2018 to address the many misunderstandings, risks, and complexities involved when organizations leverage cloud service providers.

“HITRUST launched this Program with the goal of providing greater clarity regarding the ownership and operation of security controls between organizations and their cloud service providers,” said Becky Swain, Director of Standards and Shared Responsibility Program Lead, HITRUST.

“The introduction of the Shared Responsibility Matrix is another HITRUST resource that underscores our ongoing commitment to simplifying and enhancing offerings to address our customers’ most pressing risk management challenges.”

The HITRUST CSF, a certifiable framework that integrates and harmonizes more than 40 authoritative sources, serves as the foundation for the HITRUST Shared Responsibility Matrix.

With more than 2,000 controls available in the HITRUST CSF (with “control” generally defined as an activity to mitigate risk), the HITRUST Shared Responsibility Matrix documents which HITRUST CSF controls are full, partial, or shared responsibility between cloud service providers and their customers.

“With Microsoft’s extensive worldwide presence and partner ecosystem, it is essential to streamline security collaboration. Providing comprehensive coverage for applicable controls across industries and use cases helps ensure that high levels of privacy, security, and compliance are achieved, and nothing falls through the cracks,” said David Houlding, Director of Healthcare Experiences, Microsoft Azure.

“This was not an easy feat for the teams at HITRUST and Microsoft, but we know our partners and customers will benefit, which makes it worth it.”

The HITRUST MyCSF SaaS platform used for managing assessments now includes the ability to inherit controls from AWS and Microsoft Azure. The ability to automatically inherit controls saves time, money, and resources as organizations pursue their risk management and compliance objectives.

The HITRUST Shared Responsibility Matrix for AWS and the HITRUST Shared Responsibility Matrix for Microsoft Azure are now available online.