Key Takeaways

1. The HITRUST 2025 Trust Report reinforces HITRUST’s position as a leading security framework, proving its effectiveness in reducing cyber risks. 

2. The report highlights a greater emphasis on automation, third-party risk management, and control maturity. 

3. IS Partners helps simplify the HITRUST process with nearly 30 years of experience. We provide HITRUST readiness, certification, and improvement services that help you meet compliance. 

Key Updates and Insights From the HITRUST 2025 Trust Report

The report highlights several key trends and insights, including the reduced incident rate among HITRUST-certified organizations and the launch of two new AI assurance programs.

Below, we list some of the highlights of the HITRUST 2025 Trust Report.

Key Takeaways of the Trust Report

    Only HITRUST Is Proven to Effectively Reduce Cyber Risks 

    Organizations with HITRUST certifications experienced a 0.59% incident rate in 2024, meaning 99.41% remained breach-free. HITRUST presents this figure as measurable evidence that its security framework works.

    Companies that continuously undergo HITRUST assessments show steady improvements in their security posture. In 2024:

    • Organizations taking the r2 assessment saw 32% fewer corrective actions needed in their next review.
    • Those completing the i1 assessment had 54% fewer corrective actions in their subsequent evaluation.

    HITRUST Addresses 100% of the Known Tactics, Techniques, and Procedures (TTPs) 

    The HITRUST framework covers all known cyberattack methods that can be mitigated, ensuring organizations stay protected. 

    It continuously adapts to emerging threats using the latest threat intelligence, making it effective against modern cybersecurity challenges. 

    HITRUST is designed to help companies defend against risks while maintaining strong industry standards.


    Two New AI Assurances Released

    As AI becomes more integrated into business operations, the need for strong security and risk management has never been greater. HITRUST has launched two AI assurance security programs to help organizations stay ahead of these challenges:

    • AI Security Certification. For companies deploying AI models, this AI certification provides proof that their AI platforms meet security standards.
    • AI Risk Management Assessment. Designed for organizations that use, develop, or integrate AI, this assessment helps identify and manage AI-related risks so that businesses stay compliant and secure.

    Note – HITRUST will track the impact of these assessments and share insights in next year’s Trust Report.

    HITRUST’s Automated Quality Checks

    To maintain the highest standards of the HITRUST assurance program, HITRUST runs over 250 automated quality checks on every assessment and report.

    These checks are powered by the Assurance Intelligence Engine (AIE). It is a sophisticated system designed to detect inconsistencies, ensure compliance, and enhance the reliability of assessments.

    HITRUST’s Inheritance Functionality

    Managing regulatory compliance across multiple service providers can be complex, but HITRUST’s Inheritance functionality simplifies the process.

    This feature allows organizations to incorporate the security controls of their third-party service providers directly into their own HITRUST assessments. This reduces duplicated effort and improves efficiency.

    In 2024, a significant number of organizations leveraged this capability:

    • 69% of r2 validated assessments utilized inherited controls.
    • 67% of i1 validated assessments incorporated controls from service providers.
    • 60% of e1 validated assessments benefited from this streamlined approach.

    HITRUST’s MyCSF Framework

    Organizations must take a critical look at their current assurance strategies to determine whether they effectively address their unique risks. Simply having an assurance framework in place is not enough. Instead, it must be relevant, adaptable, and reliable.

    HITRUST has designed the MyCSF framework to provide a more comprehensive and adaptable assurance approach, incorporating key elements such as:

    • Cyber Threat Adaptability. Ensures assessments evolve with emerging cybersecurity threats.
    • Risk Assessment Tailoring. Customizes assessments based on an organization’s specific risk profile.
    • Assessment Type Options. Offers flexibility in assessment depth and complexity based on business needs.
    • Authoritative Source Mappings. Aligns security requirements with globally recognized frameworks like NIST, ISO, HIPAA, and GDPR.

    Reliability Through a Six-Principle Quality Assurance Model

    For an assurance framework to be truly trustworthy, it must go through a rigorous quality assurance process before an organization receives its final certification. HITRUST has built its approach around six core principles:

    1. Accuracy. Ensures results reflect an organization’s true security posture.
    2. Consistency. Standardized assessments to maintain reliability across industries.
    3. Scalability. Adapts to organizations of all sizes, from startups to enterprises.
    4. Transparency. Provides clear visibility into how assessments are conducted and scored.
    5. Integrity. Upholds the credibility of the certification process through rigorous validation.
    6. Efficiency. Streamlines assessments to reduce the burden on healthcare organizations while maintaining high security standards.

    In the 2024 Trust Report, HITRUST highlighted how these principles shape its compliance program.

    In this year’s report, HITRUST continues to track key metrics and emerging trends to show how its assessments are evolving to meet the challenges of cybersecurity.


    Key Security Risks for HITRUST-Certified Organizations

    Analyzing breach data from the past three years, HITRUST found that system vulnerabilities were the most common cause of security breaches among HITRUST-certified organizations. 

    More than 50% of breaches resulted from vulnerability exploits, which highlights the need for proactive risk management and continuous security updates.

    The top causes of data breaches include vulnerability exploits, compromised credentials, and phishing attacks.


    HITRUST Integrates Real-Time Threat Intelligence From Leading Security Providers

    HITRUST stays proactive by integrating real-time threat intelligence, mapping risk factors to the MITRE ATT&CK framework, and updating its CSF to address emerging vulnerabilities.

    Many HITRUST-certified companies improve their security posture by remediating weaknesses identified in assessments. When gaps exist, a Corrective Action Plan (CAP) is issued to guide organizations on necessary improvements.

    • CAPs track security gaps and required fixes while maintaining compliance.
    • HITRUST expects annual progress on CAPs to strengthen security.
    • Interim r2 assessments review CAP progress to ensure organizations are closing vulnerabilities.

    HITRUST’s Growing Role as a Trusted Security Framework

    Since 2007, HITRUST has been dedicated to helping organizations protect sensitive information and manage cybersecurity risks. Through continuous improvement since then, HITRUST has made its assessments accessible and valuable to businesses of all sizes and industries.

    In 2024, the demand for HITRUST certifications remained strong, with four key industries accounting for over 90% of all assessments:

    • Software and technology
    • Healthcare and medical
    • Business services
    • Financial services

    Inheritance Is Making HITRUST Certification Faster and More Cost-effective

    More organizations are leveraging inheritance in their HITRUST assessments, and the impact is clear: faster certification times and lower costs. In 2024, the use of External Inheritance continued to grow, with:

    • 69% of r2 validated assessments incorporating inherited controls.
    • 67% of i1 validated assessments utilizing inheritance.
    • 60% of e1 validated assessments benefiting from this efficiency.

    With inheritance, organizations can reuse validated security controls from third-party service providers instead of duplicating effort. This significantly reduces the work required for certification.

    • r2 assessments: 14% fewer hours spent when inheritance was used.
    • i1 assessments: 23.4% fewer hours required.
    • e1 assessments: 9.1% reduction in assessment hours.

    HITRUST CSF Expands to 60 Authoritative Sources

    HITRUST continues to strengthen its CSF to help companies meet growing security and compliance demands. In December 2024, HITRUST released CSF version 11.4, expanding to 60 authoritative sources, a 36% increase from the previous year.

    This broader coverage helps ensure that the framework remains relevant and adaptable for businesses of all sizes and industries.

    HITRUST’s PRISMA-Based Maturity Model Sets a Higher Standard

    HITRUST stands out as the only assessment framework in the industry that evaluates control maturity using a PRISMA-based scoring model. This approach ensures a level of accuracy and reliability that traditional assessments cannot achieve.

    It follows a five-point maturity model. Here’s how it works:

    1. Policy. This step checks if management’s expectations are clearly written down in policies and if these policies are properly shared and approved.
    2. Procedure. Next, it looks at whether the daily tasks and operations are defined in written procedures that have been communicated and approved.
    3. Implemented. At this stage, the focus is on ensuring that each control is in place, is being carried out, and works as intended.
    4. Measured. This level asks if there’s a way to monitor the controls and get alerts when something isn’t running smoothly.
    5. Managed. Finally, it considers whether the organization is actively responding to risks and addressing issues as they come up.

    Quality Assurance Process Ensures Reliable Certifications

    HITRUST takes a different approach by implementing a rigorous, centralized QA process. This includes both manual oversight and automated validation to ensure the accuracy, integrity, and consistency of every assessment report.

    Once an assessment is submitted, it undergoes:

    • Over 190 automated quality checks to catch errors, inconsistencies, and omissions.
    • A detailed review by HITRUST to determine whether the submission meets its standards.
    • If issues are found, the assessment is sent back to the External Assessor for corrections.

    HITRUST CSF Version 12 

    HITRUST CSF Version 12 is set to be a major step forward in the journey toward Continuous Assurance. It will integrate HITRUST Cyber Threat Analysis into the MyCSF portal and update the factor questions used to tailor a HITRUST r2 assessment.

    This means the control references will also be aligned with the new questions and AI controls. 

    Privacy will also be restructured based on ISO 29151, with further enhancements added as needed to support the overall Continuous Assurance approach.

    Achieve HITRUST Certification with Confidence

    The HITRUST 2025 Trust Report confirms HITRUST’s effectiveness in reducing cyber risks, emphasizing automation, AI-driven security, and third-party risk management. As compliance expectations tighten, organizations must proactively adapt to these evolving cybersecurity challenges.

    At IS Partners, we simplify HITRUST certification. With nearly 30 years of experience, our certified assessors provide readiness assessments, certification guidance, and continuous improvement strategies to keep you compliant and secure.

    What Should You Do Next?

    1. Evaluate Your Readiness. Assess your current security posture against HITRUST’s updated requirements.

    2. Develop a HITRUST Roadmap. Work with experts to streamline certification and improve efficiency through control inheritance and automation.

    3. Collaborate with IS Partners. Leverage our expertise to navigate the HITRUST process with ease and confidence.

    Ready to simplify your HITRUST certification? Contact us today for a consultation!
