How Healthcare Providers Can Boost Security and Ensure HITRUST Compliance
Author: Connectria
Date: July 26, 2024
No industry is more acutely aware of the threat of cybercrime than healthcare, which continues to be a prime target for attackers. The healthcare sector suffers the highest data breach costs of all industry verticals, at an average of more than $10m per incident, according to the 2023 Cost of a Data Breach Report.
Criminal interest isn’t a surprise to the healthcare industry, which has long recognized the attraction of its trove of patient records and treated the protection of personal health information as a top priority. This concern is reflected in a strict standard for protecting patient data: the HITRUST certification requirements.
What is HITRUST Certification?
Established in 2007, the HITRUST Common Security Framework (CSF) is a framework that was originally developed by the Health Information Trust Alliance to help protect sensitive personal data. It is intended to be used by organizations in any industry but is primarily aimed at the US healthcare sector. It aids compliance with Health Insurance Portability & Accountability Act (HIPAA) requirements concerning how patient health information (PHI) is handled. Although it doesn’t replace or prove HIPAA compliance, it does provide a widely accepted mechanism for achieving it.
HITRUST certification involves an independent assessment over several weeks, followed by a certification process that takes an additional six weeks. The majority of healthcare providers have adopted the HITRUST framework for their systems (upwards of 80 percent of U.S. hospitals and 85 percent of U.S. health insurers use the HITRUST approach to help with HIPAA compliance). Public cloud use in healthcare, which is growing rapidly, is another area that still needs to be addressed.
HITRUST Compliance in the Public Cloud – A Guide for AWS Users
At Connectria, we’ve created an informational tool, “The Healthcare Leaders Guide to Architecting for HITRUST CSF in AWS,” to help healthcare organizations that may be unsure how to meet HITRUST requirements in the cloud. The guide focuses on deployments hosted on Amazon Web Services (AWS) and runs through the most important considerations before embarking upon a HITRUST compliance journey.
AWS uses a shared responsibility model to help customers understand individual party obligations. It does so by distilling the responsibility information down into two basic concepts:
- Security of the cloud: Those aspects of compliance and security for which AWS is accountable, including the company’s host operating system and hypervisor, the physical security of its facilities, and the integrity of the tools it makes available to customers.
- Security in the cloud: Your responsibilities as the customer. These depend on the AWS services you use. But, in terms of infrastructure-as-a-service (IaaS) offerings, they would include any applications you host on the platform, the security of your guest operating systems, and the configuration of your network and other IaaS components.
The model is a brilliantly simple approach to explaining how to ensure full compliance and security coverage for your cloud-based workloads, but it doesn’t give you the granular detail you need to meet the specific requirements of compliance frameworks such as the HITRUST CSF. To close that gap, HITRUST has published an AWS Shared Responsibility Matrix (SRM), available as a free download, which clarifies which HITRUST requirements fall to AWS and which fall to you in an AWS deployment.
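The "security in the cloud" half of the model is the part a customer has to verify for itself. The following is an added example, not code from Connectria’s guide, AWS, or HITRUST: a small offline check that walks a constructed snapshot of customer-managed settings (security group ingress rules, EBS volume encryption, S3 bucket encryption and public access) and reports each gap as a customer-owned responsibility. The snapshot layout, the resource names, and the three checks are assumptions chosen for illustration; they are not a HITRUST control list, and a real review would read the settings from the account rather than from an inline dictionary.

```python
"""Evaluate a constructed snapshot of customer-side AWS settings against a few
'security in the cloud' expectations. Added example; all data below is made up."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    resource: str
    control: str
    detail: str
    # Every check here is on the customer side of the shared responsibility model.
    owner: str = field(default="customer (security in the cloud)")


# Constructed snapshot, loosely shaped like the output of describe-security-groups,
# describe-volumes and get-bucket-encryption. Resource ids are placeholders.
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-app-example", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db-example", "ingress": [
            {"port": 22, "cidr": "0.0.0.0/0"},       # admin port open to the world
            {"port": 5432, "cidr": "10.0.0.0/16"},   # database reachable only from the VPC
        ]},
    ],
    "volumes": [
        {"id": "vol-ehr-data-example", "encrypted": False},
        {"id": "vol-app-example", "encrypted": True},
    ],
    "buckets": [
        {"name": "phi-exports-example", "default_encryption": None, "public": True},
        {"name": "app-logs-example", "default_encryption": "aws:kms", "public": False},
    ],
}

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
# Ports a public-facing service is allowed to expose to any source (assumption).
ALLOWED_PUBLIC_PORTS = {443}


def check_security_groups(groups):
    """Flag ingress rules open to any source on ports other than the allowed set."""
    findings = []
    for group in groups:
        for rule in group["ingress"]:
            if rule["cidr"] in WORLD_CIDRS and rule["port"] not in ALLOWED_PUBLIC_PORTS:
                findings.append(Finding(
                    resource=group["id"],
                    control="network configuration",
                    detail=f"port {rule['port']} open to {rule['cidr']}",
                ))
    return findings


def check_volumes(volumes):
    """Flag block storage that is not encrypted at rest."""
    return [
        Finding(resource=v["id"], control="encryption at rest", detail="volume not encrypted")
        for v in volumes if not v["encrypted"]
    ]


def check_buckets(buckets):
    """Flag buckets with no default encryption or with public access enabled."""
    findings = []
    for bucket in buckets:
        if bucket["default_encryption"] is None:
            findings.append(Finding(bucket["name"], "encryption at rest",
                                    "no default bucket encryption"))
        if bucket["public"]:
            findings.append(Finding(bucket["name"], "access control",
                                    "bucket allows public access"))
    return findings


def evaluate(snapshot):
    """Run all customer-side checks and return the combined list of findings."""
    return (check_security_groups(snapshot["security_groups"])
            + check_volumes(snapshot["volumes"])
            + check_buckets(snapshot["buckets"]))


if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print(f"[{f.owner}] {f.resource}: {f.control} - {f.detail}")
```

Run against the constructed snapshot, the script reports four findings (one world-open admin port, one unencrypted volume, and two issues on the PHI export bucket); the two resources that follow the expectations produce none. The point of tagging each finding with an owner is that none of these would appear in AWS’s own half of the model, which is exactly why the SRM is needed to map them onto HITRUST requirements.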
Why is the Shared Responsibility Matrix Important?
HITRUST launched the SRM program in 2021 to provide greater clarity regarding the ownership and operation of security controls between organizations and their cloud service providers.
Before that time, shared responsibility models existed and were supported by leading cloud service providers. However, there was little uniformity among them: some were loosely defined, and others varied from one solution to the next. This ambiguity added a layer of complexity for cloud users trying to achieve broader risk management objectives.
HITRUST set out to remedy that situation in 2019 and engaged the world’s two largest cloud service providers, including AWS, to begin developing joint Shared Responsibility Matrices. In 2021, HITRUST announced the publicly available resources. Each HITRUST SRM is aligned with the cloud service provider’s particular solution offering.
The HITRUST CSF®, a certifiable framework that integrates and harmonizes more than 40 authoritative sources, serves as the foundation for the HITRUST SRM.
Connectria Can Help You Accelerate Your HITRUST Certification in AWS
With 150+ control requirements, meeting and maintaining HITRUST compliance is a complex, time-consuming, and ongoing commitment. This is why many organizations call upon the expertise and support of an AWS managed service provider (MSP), such as Connectria, an AWS Premier Tier Services Partner — a sought-after designation held by less than 1% of AWS partners.
AWS MSPs are trusted partners with a deep understanding of data protection regulations and standards, combined with detailed knowledge of AWS infrastructure and tooling. This means they know how to align your AWS setup with compliance requirements.
They can help you ensure full compliance and security coverage with no gaps in the requisite controls. AWS MSPs also reduce the risk of exploitation by handling software updates and vulnerability patching for you. Additionally, they have the staff to stay on top of the latest threats and monitor your deployments 24x7x365, so they can respond to compliance and security issues before they escalate into more serious problems.
But, above all, AWS MSPs like Connectria won’t let the complexities of compliance hold you back and will guide you through every stage of your HITRUST journey. In Connectria’s case, we’re also now a part of LightEdge, which has a long history of HITRUST compliance and certifications. Together, the combined company is one of the only secure and compliant infrastructure providers in the country offering both hybrid colocation and tailored multi-cloud solutions.
To learn more about how Connectria can help you manage your AWS HITRUST compliance journey, download our guide or contact one of our experts below.