Salesforce is now part of the HITRUST Shared Responsibility and Inheritance program
In today’s digital world, consumers and businesses alike constantly create and use a myriad of personal data, from fitness trackers and telehealth to online finance and education. To protect this data, governments across the globe are instituting regulatory requirements that, while critical to protecting data privacy, can create costly and time-consuming compliance work as businesses scramble to keep up with the latest digital trends.
That’s why we are pleased to announce that Salesforce is now part of the HITRUST Shared Responsibility and Inheritance program.
HITRUST and the shared responsibility of protecting customer data
At Salesforce, nothing is more important than building and maintaining trusted relationships with our customers and everyone in the Salesforce ecosystem. We earn that trust through transparency, security, privacy, and compliance and are committed to supporting our customers on their own compliance journeys.
The HITRUST organization created the HITRUST Common Security Framework (CSF) to consolidate multiple control and compliance frameworks, such as HIPAA, ISO 27001, SOC 2, and the NIST Cybersecurity Framework, into a single framework. HITRUST assessors review customers’ systems and environments and assess the maturity level of each control. While HITRUST was originally focused on the healthcare industry, the CSF has since been adopted by companies in the life sciences, financial, insurance, technology, and hospitality sectors.
The HITRUST Shared Responsibility and Inheritance Program enables Salesforce customers completing their own HITRUST assessment to rely on shared information protection controls that are available from internal shared IT services and third-party or downstream organizations.
In simpler terms, this program enables customers to take the controls that Salesforce operates and pull them into their own audits and assessments, without having to review the Salesforce audit reports individually. The customer’s assessor can rely on Salesforce’s validation of those controls, on the understanding that Salesforce has met the testing requirements for each control and that it was assessed by Salesforce’s own HITRUST assessor.
Customers can use inheritance when they are building applications on the Salesforce platform or when they are using Salesforce as part of their business processes. Inheritance helps Salesforce customers reduce the time and cost of an external HITRUST assessment, because their assessors can import Salesforce’s already validated controls into the assessment through the MyCSF portal.
How does HITRUST inheritance work?
- You create the inheritance request in the HITRUST MyCSF tool.
- You submit the request to Salesforce.
- Salesforce either approves or rejects the inheritance request based on the Salesforce HITRUST Shared Responsibility Matrix, which records which controls Salesforce operates and which remain the customer’s responsibility (for example, the customer’s own configuration of the Salesforce environment). Only controls that Salesforce owns can be inherited; the rest still have to be evidenced by the customer.
- Finally, you can import all approved inheritance requests to your assessment for your assessors to review.
Without inheritance, customers would need to rely on Salesforce’s publicly available compliance reports, such as our SOC 2 Type 2 report, and map those controls into their own audit. Depending on the assessor working on the engagement, those controls might not be accepted, because they were not tested by that assessor and were not tested against HITRUST’s requirements.
Ultimately, the HITRUST Shared Responsibility and Inheritance Program can save time, effort, and cost while also helping customers better manage their cyber risk and preserve data privacy. Explore the HITRUST program resources or contact your Salesforce Account Executive for more information.