Healthcare Informatics Magazine

HITRUST Developing ‘Threat Catalog’ to Enhance Healthcare Cybersecurity

February 2, 2017
by Heather Landi

The non-profit HITRUST Alliance has announced it is developing a risk-based framework, called the Threat Catalogue, to aid healthcare organizations in improving their information security posture by better aligning cyber threats with HITRUST CSF risk factors and controls.

The Frisco, Texas-based organization said it undertook this initiative to improve organizational visibility into threats posed against health information and to afford organizations the ability to prioritize their security program’s activities based on a greater understanding of their risks. The initial version of the HITRUST Threat Catalogue will be available in March.

The HIPAA Security Rule requires organizations to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).” HITRUST helped the healthcare industry address this requirement by developing a simple-to-use framework based on risk analyses performed by representative healthcare organizations and the underlying risk analyses used to produce ISO 27001 control recommendations, NIST SP 800-53 control baselines and other control-based frameworks, the organization said. By integrating these analyses with relevant regulatory requirements and best practices, the HITRUST CSF provides an industry-driven standard of due care and due diligence for healthcare information that has become the most widely used in healthcare.

“HITRUST actively solicits industry input on potential changes and updates to the HITRUST CSF and, unlike other frameworks, updates the CSF no less than annually,” said Bryan Cline, Ph.D., vice president, standards and analytics, HITRUST and a governing chair of the Working Group. “HITRUST is now taking this level of responsiveness one step further with the new Threat Catalogue.”

According to the organization, the HITRUST Threat Catalogue enhances the underlying risk analyses used to develop the HITRUST CSF and helps ensure the HITRUST CSF and CSF Assurance Program continue to remain current and relevant risk-based solutions. The HITRUST Threat Catalogue affords better visibility into how the HITRUST CSF addresses extant and emerging threats and helps ensure CSF control baselines continue to address risk commensurate with selected organizational, system and regulatory risk factors.

“Most organizations do not possess the skill sets necessary to truly identify ever changing cybersecurity threats and associate these threats with the operational impact, tactical response and strategic planning required,” said Roy Mellinger, vice president IT and chief information security officer, Anthem and a governing chair of the Working Group. “The HITRUST Cyber Threat Catalogue takes the guess work out of the process. It articulates the threats, maps these to the necessary HITRUST CSF controls, and provides organizations with a workable blueprint to define the protection mechanisms and strategies that are required.”

The HITRUST Threat Catalogue is being developed and maintained in conjunction with the formation of a new HITRUST Working Group.

Under the guidance of the Working Group, the HITRUST Threat Catalogue will mature over time and will subsequently focus its initial efforts on four principal tasks:

  • Identify and leverage an existing threat taxonomy for common adversarial and non-adversarial threats to ePHI
  • Enumerate all reasonably anticipated threats to ePHI for a general healthcare organization
  • Map HITRUST CSF control requirements to the enumerated threats
  • Identify any additional information needed in future iterations of the HITRUST Threat Catalogue to help meet its objectives

“The proliferation of intel feeds and services, whether provided separately, or integrated into specific security tool platforms, has added to the information overload problem. What I see in the HITRUST Threat Catalogue is the linkage and practical application that will lead organizations to take tactical actions that will enhance the overall security posture in response to the current threat environment,” said Kevin Charest, Ph.D., divisional senior vice president and CISO, Health Care Service Corporation and a governing chair of the Working Group.

More information on the HITRUST Threat Catalogue can be found here, and a HITRUST Threat Catalog Sign-up notification form can be found here.


