Azure and HITRUST publish shared responsibility matrix

Posted on January 14, 2021

Vice President, Microsoft Azure

Healthcare solutions offered in the cloud are drawing unprecedented attention today with the ongoing global pandemic and the accompanying need for social distancing. Microsoft has been at the forefront of empowering health organizations to leverage the power of the cloud.

Protecting health information and complying with health regulations are critical components of any healthcare solution in the cloud, and Azure has long had a rich set of healthcare compliance offerings, including HDS, HIPAA, MARS-E, NEN 7510, and the increasingly important HITRUST CSF—a certifiable framework that provides organizations with a comprehensive and efficient approach to regulatory compliance and risk management.

Today we're announcing with HITRUST the availability to our customers of the HITRUST Shared Responsibility Matrix, which provides clarity on roles and responsibilities for implementing solutions in Azure that meet the rigorous HITRUST standard for protecting sensitive health data.

In collaboration with privacy, information security, and risk management leaders from the public and private sectors, HITRUST develops, maintains, and provides broad access to its widely adopted common risk and compliance management frameworks, related assessment, and assurance methodologies.

The HITRUST CSF provides the structure, transparency, guidance, and cross-references to authoritative sources that organizations globally need to be certain of their data protection compliance. The initial development of the HITRUST CSF leveraged nationally and internationally accepted security and privacy-related regulations, standards, and frameworks—including those of the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), the Payment Card Industry (PCI), the Health Insurance Portability and Accountability Act (HIPAA), and Control Objectives for Information and Related Technologies (COBIT)—to ensure a comprehensive set of security and privacy controls, and it continually incorporates additional authoritative sources. The HITRUST CSF standardizes these requirements, providing clarity and consistency and reducing the burden of compliance. The HITRUST CSF has become a widely adopted security and privacy framework across industries globally.

The HITRUST CSF integrates and harmonizes more than 40 authoritative sources and includes more than 2,000 controls. HITRUST certifies IT offerings against these controls. HITRUST CSF Certified status demonstrates that an organization has met key regulations, achieved industry-defined requirements, and is appropriately managing risk. When customers leverage only on-premises IT infrastructure, they have complete responsibility for implementing HITRUST CSF controls. Customers using a cloud service such as Azure can lessen their burden because the cloud represents a shared responsibility between the customer and the cloud service provider.

The Shared Responsibility Matrix eases the task of understanding which of the many HITRUST controls that can apply to an Azure customer are the responsibility of the customer, which are shared, and which are already fully covered by Azure. For example, domain one of the CSF, Information Protection Program, is largely the responsibility of the customer because it mostly involves policy, training, and documentation. Domain 18, Physical and Environmental Security, is entirely the responsibility of Azure because all physical infrastructure is controlled by Microsoft. Other domains, such as domain eight, Network Protection, involve shared responsibility for the configuration and security of the network.

“HITRUST helps organizations ensure that the highest standards of information protection requirements are met when sensitive data is accessed or stored, and the adoption by Microsoft of the Shared Responsibility Matrix for Azure helps ensure that necessary controls are implemented, and shared responsibilities are understood and met. Microsoft is an organization that can be counted on for keeping information safe.”—Becky Swain, Director of Standards Development, HITRUST

An additional benefit to Azure customers of using the Shared Responsibility Matrix is the HITRUST inheritance capability, which allows Azure customers to inherit controls from Azure’s HITRUST assessment and apply them to their own assessments easily, saving time and resources. When customers are completing their HITRUST CSF Assessment, they can select “Request Inheritance” through the HITRUST MyCSF SaaS platform for any requirements they plan to inherit from Azure. Microsoft will then approve all the relevant controls from the request and notify the customer.

Another way Azure customers can accelerate their HITRUST deployment is through the Azure HITRUST Blueprint sample. The free Azure Blueprints service enables cloud architects and information technology groups to define a repeatable set of Azure resources that implements and adheres to an organization’s standards, patterns, and requirements. The HITRUST Blueprint sample provides governance guard-rails using Azure Policy that help customers assess specific HITRUST controls, and it deploys a core set of policies for any Azure-deployed architecture that must implement HITRUST controls.
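The guard-rail mechanism described above, as an added example that is not code from the original post, from Microsoft, or from the HITRUST Blueprint sample: two policy definitions written in the JSON shape of an Azure Policy rule (one with a `deny` effect, one with `audit`) are evaluated over a resource inventory, and every match becomes a finding tagged with the HITRUST domain the policy supports. The `Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly` alias is a real Azure Policy alias; the display names, the HITRUST domain tags in `metadata`, the resource records, and the evaluator itself (a hand-written subset of the policy language, not Azure's engine) are assumptions made for the example.

```python
"""Toy evaluator for Azure Policy-style guard-rails (added example, not Microsoft code).

The evaluator supports a subset of the policy language (allOf, anyOf, not,
field equals / notEquals / exists, and the audit / deny effects). It is not
Azure's policy engine; it shows how guard-rail policies turn a resource
inventory into per-control findings that can be reviewed against a HITRUST domain.
"""
from __future__ import annotations

from typing import Any

# Constructed policy. The alias on the second condition is a real Azure Policy
# alias; the display name and HITRUST domain tag are our own mapping.
STORAGE_HTTPS_ONLY: dict[str, Any] = {
    "displayName": "Storage accounts must require HTTPS-only transfer",
    "metadata": {"hitrustDomain": "08 Network Protection"},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": True},
        ]},
        "then": {"effect": "deny"},
    },
}

# Constructed policy: report (but do not block) resources with no classification tag.
REQUIRE_CLASSIFICATION_TAG: dict[str, Any] = {
    "displayName": "Resources must carry a dataClassification tag",
    "metadata": {"hitrustDomain": "01 Information Protection Program"},
    "policyRule": {
        "if": {"field": "tags[dataClassification]", "exists": "false"},
        "then": {"effect": "audit"},
    },
}

POLICIES = [STORAGE_HTTPS_ONLY, REQUIRE_CLASSIFICATION_TAG]


def _rid(tail: str) -> str:
    """Build a constructed ARM resource id for the sample inventory."""
    return "/subscriptions/sub0/resourceGroups/rg1/providers/" + tail


# Constructed inventory in the shape of Azure Resource Manager resource records.
SAMPLE_RESOURCES: list[dict[str, Any]] = [
    {"id": _rid("Microsoft.Storage/storageAccounts/phiblob1"),
     "type": "Microsoft.Storage/storageAccounts",
     "tags": {"dataClassification": "PHI"},
     "properties": {"supportsHttpsTrafficOnly": True}},
    {"id": _rid("Microsoft.Storage/storageAccounts/legacyblob"),
     "type": "Microsoft.Storage/storageAccounts", "tags": {},
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"id": _rid("Microsoft.Storage/storageAccounts/untagged"),
     "type": "Microsoft.Storage/storageAccounts", "properties": {}},  # property absent
    {"id": _rid("Microsoft.Compute/virtualMachines/app01"),
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"dataClassification": "internal"},
     "properties": {"vmSize": "Standard_D2s_v3"}},
]


def resolve_field(resource: dict[str, Any], field: str) -> Any:
    """Resolve a policy 'field' reference against one resource record."""
    if field in ("id", "name", "type", "location"):
        return resource.get(field)
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1])
    # Property aliases have the form "<resource type>/<dotted property path>".
    rtype = resource.get("type", "")
    if rtype and field.lower().startswith(rtype.lower() + "/"):
        value: Any = resource.get("properties", {})
        for part in field[len(rtype) + 1:].split("."):
            if not isinstance(value, dict):
                return None
            value = value.get(part)
        return value
    return None  # alias belongs to another resource type: no value here


def _norm(value: Any) -> Any:
    """String comparisons in the policy language are case-insensitive."""
    return value.lower() if isinstance(value, str) else value


def condition_matches(resource: dict[str, Any], cond: dict[str, Any]) -> bool:
    """Evaluate the supported subset of an Azure Policy 'if' condition."""
    if "allOf" in cond:
        return all(condition_matches(resource, c) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(resource, c) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(resource, cond["not"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def assess(policies: list[dict[str, Any]], resources: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Return one finding per (policy, resource) pair whose 'if' condition matches."""
    findings: list[dict[str, str]] = []
    for policy in policies:
        rule = policy["policyRule"]
        for resource in resources:
            if condition_matches(resource, rule["if"]):
                findings.append({
                    "resourceId": resource["id"],
                    "policy": policy["displayName"],
                    "effect": rule["then"]["effect"].lower(),
                    "hitrustDomain": policy["metadata"]["hitrustDomain"],
                })
    return findings


def findings_by_domain(findings: list[dict[str, str]]) -> dict[str, int]:
    """Count findings per HITRUST domain, the view an assessor reviews first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["hitrustDomain"]] = counts.get(f["hitrustDomain"], 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(POLICIES, SAMPLE_RESOURCES)
    for f in results:
        print(f"{f['effect']:5} {f['hitrustDomain']:33} {f['policy']}: {f['resourceId']}")
    print(findings_by_domain(results))
```

The `deny` policy treats a storage account whose `supportsHttpsTrafficOnly` property is absent the same as one where it is `false`, which is the conservative reading for a guard-rail: a control that cannot be shown to be in place is reported, not silently passed.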

In a new webinar, Nidhi Sanghavi, principal program manager for Azure, discusses implementing HITRUST on Azure, along with Guillermo Gomez, senior product marketing manager, who demonstrates applying an Azure Blueprint for HITRUST.

HITRUST is an organization governed by representatives from the healthcare industry and maintains the common security framework (CSF) to help healthcare organizations demonstrate their security and compliance.

The Shared Responsibility Matrix and Azure Blueprints exemplify Azure’s leadership in compliance. Azure offers more than 90 compliance offerings, including over 50 specific to global regions and countries, and more than 40 compliance offerings specific to the needs of key industries including health, government, finance, education, manufacturing, and media.

Microsoft continues to be at the forefront of empowering healthcare organizations to leverage the power of the cloud. Microsoft Cloud for Healthcare, an end-to-end, industry-specific cloud solution, includes released and new healthcare capabilities that unlock the power of Microsoft 365, Azure, Dynamics 365, and Power Platform. It makes it faster and easier to provide more efficient care, helps customers support end-to-end security, compliance, and interoperability of health data, and harnesses the power of the Microsoft cloud to transform the healthcare journey and help:

  • Enable personalized care that enhances patient engagement by allowing patients to access their health organization on their terms with personalized experiences.
  • Empower health organizations through access to tools that enable collaborative workflows.
  • Improve clinical and operational insights to predict risk and help improve quality care.
  • Reimagine healthcare with innovative new technologies like HoloLens in operating theaters, enabling surgeons to see up-to-date information on patients and better visualize procedures.
  • Protect health information and comply with healthcare regulations.

To get started leveraging Azure compliance and healthcare offerings: