Microsoft Azure achieves HITRUST CSF v11 certification

October 9, 2023

The healthcare industry is undergoing a rapid transformation, driven by the increasing need for cloud computing to improve patient outcomes, capture cost efficiencies, and make it easier to coordinate care, especially for patients in remote areas. Cloud computing enables healthcare organizations to leverage advanced technologies such as artificial intelligence, machine learning, big data analytics, and Internet of Things to enhance their services and operations. However, cloud computing also brings new challenges and risks for securing and protecting sensitive healthcare data, such as electronic health records, medical images, genomic data, and personal health information. Healthcare organizations need to ensure that their cloud service providers meet the highest standards of security and compliance, as well as adhere to the complex and evolving regulations and frameworks that govern the healthcare industry.

Microsoft Azure committed to security and compliance in the healthcare industry

One of the most widely adopted and recognized frameworks for information protection in the healthcare industry is the HITRUST Common Security Framework (CSF). The HITRUST CSF is a comprehensive and scalable framework that integrates multiple authoritative sources, such as HIPAA, NIST, ISO, PCI, and COBIT, into a single set of harmonized controls. The HITRUST CSF provides a prescriptive and flexible approach for assessing and certifying the security and compliance posture of cloud service providers and their customers. Achieving HITRUST CSF certification demonstrates that a cloud service provider has implemented the best practices and controls to safeguard sensitive healthcare data in the cloud.

As healthcare organizations converge on the Dallas area for the HITRUST Collaborate 2023 event, providing secure and compliant cloud services for the healthcare industry is more important than ever. Microsoft Azure is committed to being a trusted partner for healthcare organizations in their digital transformation journey. Azure provides a comprehensive portfolio of cloud services that enable healthcare organizations to build innovative solutions that improve the entire healthcare experience. Azure also offers a range of capabilities that make it easier for healthcare organizations to achieve and maintain security and compliance in the cloud.

We are therefore proud to announce that Microsoft Azure has achieved HITRUST CSF v11.0.1 certification across 162 Azure services and 115 Azure Government services. All GA Azure regions across Azure and Azure Government clouds are included within this certification. This achievement reflects the continuous efforts by Azure to enhance its security and compliance offerings for customers in the healthcare industry.

HITRUST CSF v11.0.1 is the latest version of the framework, and it incorporates new requirements and updates from various authoritative sources, such as NIST SP 800-53 Rev 5, NIST Cybersecurity Framework v1.1, PCI DSS v3.2.1, FedRAMP High Baseline Rev 5, CSA CCM v3.0.1, GDPR, CCPA, and others. HITRUST CSF v11.0.1 also introduces new features and enhancements, such as a maturity scoring model, risk factor analysis, an expanded inheritance program, an improved assessment scoping tool, and more. Achieving HITRUST CSF v11.0.1 certification demonstrates the increasing commitment Azure has to providing secure and compliant cloud services for customers in the healthcare industry.

The HITRUST CSF v11.0.1 r2 Validated Assessment for Azure was performed by an independent third-party audit firm licensed under the HITRUST External Assessor program. The audit firm evaluated Azure for security policies, procedures, processes, and controls against the HITRUST CSF requirements applicable to cloud service providers. The audit firm also verified that security controls for Azure are implemented effectively and operate as intended. Azure customers can obtain the HITRUST CSF Letter of Certification, which contains the full scope of certified Azure offerings and regions, at the Service Trust Portal.

Microsoft Azure partners with HITRUST Alliance

In addition to today’s certification, Azure has also partnered in the past with HITRUST Alliance to release the HITRUST Shared Responsibility Matrix for Azure, which provides clarity around security and privacy responsibilities between Azure and its customers, making it easier for organizations to achieve their own HITRUST CSF certification. The matrix outlines which HITRUST CSF controls are fully managed by Azure, which are shared between Azure and customers, and which are solely the customers’ responsibility. The matrix also provides guidance on how customers can leverage the capabilities in Azure to meet their own security and compliance obligations.

Azure also supports the HITRUST Inheritance Program, which significantly reduces compliance cost and burden by enabling customers to externally inherit requirements from the Azure HITRUST CSF certification. The program allows customers to inherit up to 75 percent of applicable HITRUST CSF controls from the Azure certification scope without additional testing or validation by an external assessor. This reduces the time, effort, and resources required for customers to obtain their own HITRUST CSF certification or report on their compliance status using other frameworks or standards based on the HITRUST CSF. Azure has reviewed over 23,450 inheritance requests from customers since the program’s inception.

Azure has maintained the HITRUST CSF certification since November 2016. Azure was one of the first cloud service providers to achieve HITRUST CSF certification and has been continuously expanding its scope of certified services and regions. Azure is also one of the few cloud service providers that offer HITRUST CSF certified services in both public and government clouds. The Azure HITRUST CSF v11.0.1 certification is backward compatible with HITRUST CSF v9.1, v9.2, v9.3, v9.4, v9.5, and v9.6 certifications, offering support to a wide range of customers.

Learn more about the Azure HITRUST CSF certification

Azure is dedicated to helping healthcare organizations accelerate their digital transformation while ensuring security and compliance in the cloud. Azure provides a secure and compliant cloud platform that enables healthcare organizations to build innovative solutions that improve patient care, operational efficiency, and business agility. Azure also offers a variety of tools and resources that make it easier for healthcare organizations to achieve and maintain security and compliance in the cloud. The Azure HITRUST CSF certification is a testament to the commitment Azure has to being a trusted partner for healthcare organizations in their cloud journey.

The post Microsoft Azure achieves HITRUST CSF v11 certification appeared first on Azure Blog.