The Health Information Trust Alliance Common Security Framework (HITRUST CSF) incorporates nationally and internationally accepted security frameworks such as ISO 27001 and NIST 800-53 to create a comprehensive set of baseline security and privacy controls tailorable to your specific data flows and architectures.
HITRUST has developed the HITRUST CSF Assurance Program, which incorporates the common requirements, methodology, and tools that enable an organization and its business partners to take a consistent and incremental approach to managing compliance. Moreover, it allows business partners and vendors to assess and report against multiple sets of requirements to satisfy third-party risk assessment and assurance needs.
AWS customers can design and implement an AWS environment suitable to their needs, and use HITRUST-certified AWS services in a manner which supports the requirements of HITRUST CSF. Customers can also inherit the AWS certification for controls pertinent to their cloud architectures established under the HITRUST Shared Responsibility Matrix (SRM).
Is AWS HITRUST certified?
Specific AWS services have been assessed under the HITRUST CSF Assurance Program by an approved HITRUST CSF Assessor as meeting the HITRUST CSF v11 Certification Criteria. The full list of AWS services which were assessed by a third-party auditor and certified under HITRUST CSF requirements is available on the AWS Services in Scope by Compliance Program page.
How can customers leverage AWS in their own HITRUST CSF compliance?
HITRUST certification allows AWS customers to tailor their security control baselines to their architecture and assessment scope, and to inherit certification for those controls so they don’t have to be tested as a component of the customer’s HITRUST assessment. Because cloud-based controls do not have to be retested, AWS customers save both time and cost in meeting their own HITRUST assessment certification needs. The HITRUST CSF is widely adopted by leading organizations in a variety of industries in their approach to security and privacy. Visit the HITRUST website for more information.
Can AWS customers inherit AWS HITRUST Certification?
Yes, AWS customers can inherit AWS HITRUST CSF certification provided that customers use only HITRUST-certified services and apply the controls detailed in the HITRUST Shared Responsibility Matrix. Customers should download the custom AWS HITRUST Shared Responsibility Matrix to determine which HITRUST controls AWS customers can inherit as part of the shared responsibility model. Customers should refer to the HITRUST webpage for guidance on how to initiate an inheritance request.