4 Mar 2020

HITRUST, a data protection, standards development, and certification organisation, has announced the general availability of the HITRUST Shared Responsibility Program and Matrix™ Version 1.0. The Matrix is the first common model for communicating and assigning security and privacy responsibility between cloud service providers (CSPs) and their tenants or customers.

The Matrix is part of the HITRUST Shared Responsibility Program, which was established to address the growing misunderstandings, risks, and complexities that arise when organisations rely on service providers for part of their control environment.

Streamlined communication processes

The Shared Responsibility Program clarifies roles and responsibilities for the ownership and operation of security controls, while automating and streamlining the assurance process when privacy and security controls are shared with, or inherited from, a provider. Organisations benefit from clearer communication with their cloud providers and a reduced compliance burden, since controls that a provider demonstrably operates need not be re-evidenced by every tenant.


The Shared Responsibility Program is led by Becky Swain, Director of Standards Development at HITRUST, and supported by a Working Group made up of representatives of cloud service providers, including Armor, AWS, Google, Microsoft Azure, and Salesforce, as well as enterprise cloud customers, cloud professional services firms, and solution providers.

Cloud service providers

“With the continued adoption of cloud services, being able to understand and accurately inherit controls from service providers in an automated manner will be key to an organisation’s information risk management and assurance process,” said Swain. “The next milestone will be HITRUST continuing to work with leading CSPs to ensure they provide the Matrix to their customers.”

“As PDHI collaborates with cloud service providers, we will leverage the HITRUST Shared Responsibility Matrix in understanding, documenting, and inheriting privacy and security control responsibility,” explains Lee Penn, Chief Financial Officer and Chief Compliance Officer for PDHI and Shared Responsibility Working Group Member. “The Matrix simplifies providing evidence to our auditors and other interested parties that what we deliver, together with services we contract from Microsoft Azure cloud, meets the HITRUST guidelines and certification requirements—from end-to-end.”

Providing risk management


HITRUST will continue to collaborate with CSPs as they provide the Matrix to their customers to further streamline security control ownership and responsibility. The Matrix offers many benefits, including:

- A standard set of core principles and a common language for all cloud service model types (e.g., SaaS, PaaS, IaaS, and colocation).
- Help for organisations in navigating an agreed-upon division of security and privacy responsibility in a way that is transparent, traceable, and accountable.
- A fully customisable template that CSPs can tailor to their own products and services.

Businesses around the globe spent $107 billion in 2019 on cloud computing infrastructure services, fuelled by 37% growth in Q4. With the proliferation of enterprise cloud computing, HITRUST continues its commitment to provide risk management and vendor risk solutions for global organisations across all industries.

Ever-growing risk

David Houlding, Director of Healthcare Experiences, Microsoft Azure Healthcare Cloud, and Shared Responsibility Working Group Member, said, “The continued growth and strategic reliance on cloud computing, coupled with the ever-growing risk and compliance landscape, make communicating control responsibility and assurances more complex and intricate.”


“The HITRUST Shared Responsibility Program addresses the need for a common language around security risks and responsibilities between the customer and cloud service provider, and to have confidence that nothing will fall through the cracks. When control responsibility is shared, organisations must have these discussions with their cloud service providers to ensure everyone is on the same page,” says HITRUST Shared Responsibility Working Group Member Bob Smith, Senior Manager of Security Compliance at Salesforce.

Different public cloud

“The HITRUST Shared Responsibility Matrix will make those conversations much easier and serve as a guide to ensure every party knows what is required of them as well as that all reasonable steps are taken to protect information entrusted to their cloud service providers.”

IDC reported that 48% of organisations have applications in one public cloud that communicate regularly with applications in a different public cloud. In such multi-cloud deployments the boundary of each provider's responsibility is easy to misjudge; the Matrix helps organisations reach explicit agreement with each CSP as to which party is responsible for every individual security and privacy control, in turn ensuring that all applicable controls are properly addressed.