IBM Cloud Expands HITRUST Certification Across Cloud Services
Regulated industries face stringent security, privacy, and governance requirements that are designed to safeguard organizational and client data. Today, meeting these requirements is growing even more important for organizations as they guard against rising incidents of data breaches and ransomware attacks. In fact, the Cost of a Data Breach Report 2024 conducted independently by Ponemon Institute and sponsored, analyzed and published by IBM details that the average cost of a data breach jumped to USD 4.88 million, a 10% spike over last year driven by costs of lost business, operational downtime, post-breach responses, and higher regulatory fines.
For healthcare and life sciences organizations and their business partners, reducing vulnerabilities and defending against unauthorized release of proprietary and protected health information is paramount. Advancements and innovations in Artificial Intelligence (AI), electronic medical records, and cloud computing are enabling best practices in digital record management and data encryption, but the volume and severity of data breaches and record disclosures have never been higher. Understanding evolving cybersecurity threats, maintaining a strong security stance, and preventing data loss are mission critical not only to maintain regulatory compliance, but also to reduce operational costs while enhancing quality patient care and client experiences. Keeping pace with new and evolving data protection standards and compliance regulations is key.
HITRUST overview
The HITRUST CSF® integrates security control sets from over 50 international standards, regulations, and authoritative frameworks across all industries, including ISO/IEC 27001, National Institute of Standards and Technology (NIST) 800-53, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the EU’s General Data Protection Regulation (GDPR), and more. The HITRUST assessment and certification process is designed to provide assurance for cloud service providers (CSPs) and other entities seeking to demonstrate compliance adherence to regulators and clients.
HITRUST® assessments aim to evaluate information security and risk based on six core principles: transparency, scalability, consistency, accuracy, integrity and efficiency.
- Transparency: The HITRUST certification process sets clear expectations of cybersecurity threat controls, detailing control sources, reasoning for selection, and scoring methodology.
- Scalability: HITRUST adapts to keep pace with emerging threats and to address the needs and risks of organizations of all sizes.
- Consistency: HITRUST’s assessment process yields standardized results from authorized external assessors.
- Accuracy: The HITRUST scoring rubric assesses control effectiveness and security practices using methods that gauge control maturity based on the National Institute of Standards and Technology (NIST) Program Review for Information Security Assistance (PRISMA) scoring model.
- Integrity: Control examination by third-party, independent assessors produces verifiable, accurate, and consistent results, with HITRUST’s Assurance Intelligence Engine (AIE) for quality check automation as well as a detailed quality assurance review.
- Efficiency: Assessments are streamlined using the MyCSF tool, efficient workflows, and automated tools to speed results.
The HITRUST Assurance Program® offers three types of certification to accommodate varying organization sizes and needs: e1 assessments are for organizations with limited risk; i1 assessments are for organizations with established security programs; and r2 assessments are for organizations that must comply with HIPAA or the NIST Cybersecurity Framework. r2 is the most comprehensive HITRUST threat-adaptive assessment, with full assessments every two years and an interim surveillance assessment a year after initial certification. Organizations can streamline their efforts and reuse their work to move from one assessment type to another.
Why HITRUST matters to clients
The HITRUST certification helps organizations protect client, consumer, and citizen data by adhering to high standards for managing security, privacy, and threat protection risks while demonstrating control effectiveness, establishing trust, increasing operational efficiency, and reducing compliance and regulatory complexity. Entities may leverage the HITRUST certification process to assess not only their own security stance, but also that of their business partners. And by continuing adherence as HITRUST controls evolve, organizations can rely on partner certifications while focusing on enhancing client care and experiences.
How IBM can help
IBM Cloud® continues to partner with enterprises to support evolving, complex regulatory compliance requirements while delivering innovation in business processes. IBM Cloud aligns with key industry standards to assist regulated industry clients as they accelerate workload deployments.
IBM Cloud Platform Infrastructure, Virtual Private Cloud (VPC), and Platform as a Service (PaaS) products maintain the HITRUST r2 certification as of the date of this blog post. These services help organizations reduce and mitigate risks and speed cloud deployments for regulated workloads and protected information. With built-in security and controls for automation, IBM Cloud helps you adapt to evolving compliance requirements while meeting regulatory obligations.
Clients with HITRUST workloads may leverage IBM Cloud services such as:
- IBM Cloud Identity and Access Management (IAM): IBM Cloud Identity and Access Management service securely authenticates users and controls access to all resources consistently in the IBM Cloud Platform.
- IBM Cloud Secrets Manager: Create secrets dynamically and lease them to applications while you control access from a single location. Built on open source HashiCorp® Vault.
- IBM Cloud Security and Compliance Center: An integrated solutions suite to define policy as code, implement controls for secure data and workload deployments, and assess security and compliance posture.
- IBM Cloud Security and Compliance Center - Workload Protection: Find and prioritize software vulnerabilities, detect and respond to threats, and manage configurations, permissions, and compliance from source to run.
- IBM Key Protect for IBM Cloud: The IBM Key Protect for IBM Cloud service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.
Overall, IBM’s enterprise-grade cloud platform is optimized to help clients manage mission critical workloads while prioritizing resilience, performance, security, and compliance. IBM remains committed to serving the needs of highly regulated industries—including clients across healthcare—around the globe and keeping the security of our clients’ data at the heart of everything we do.
Learn more about HITRUST and IBM Cloud by visiting https://www.ibm.com/cloud/compliance/hitrust.
Authors:
- Vivek Kinra, Director of Product Management for IBM Cloud Platform, Security and Compliance
- Tina Belani, Program Director for IBM Cloud Compliance Product Management
- Michele Kersey, Senior Product Manager for IBM Cloud Compliance
Disclaimer:
The client is responsible for ensuring compliance with all applicable laws and regulations. IBM does not provide legal advice nor represent or warrant that its services or products will ensure that the client is compliant with any law or regulation.