HITRUST: Navigating a Path to Cyber Resilience

Ryan Patrick, Vice President of Adoption, HITRUST
Information security challenges linked to mounting cyber risks continue to vex teams responsible for data protection, compliance, and third-party risk management. Organizations across all industries need reliable assurances that data risk associated with third-party supply chains is adequately managed. But what considerations are important when choosing a framework or methodology to appropriately evaluate vendor risk for cybersecurity and data protection?

“The scary truth is that cybersecurity threats are evolving faster than the security standards and security frameworks intended to protect valuable assets and provide peace of mind to organizational leaders and their stakeholders,” said Ryan Patrick, Vice President of Adoption, HITRUST. “Most frameworks and standards are not regularly updated, required controls are not always relevant, and newer cybersecurity risks are not always addressed.”

Since 2007, HITRUST has championed programs that safeguard sensitive information and manage information risk. HITRUST is well known for its widely adopted risk and compliance framework, assessments, and assurance methodologies. Earlier this year, HITRUST introduced a new cybersecurity assessment – the HITRUST Implemented, 1-Year (i1) Validated Assessment – with an innovative control selection that considers recent threat intelligence along with tactics and techniques identified in the MITRE ATT&CK Framework, which helps ensure that mitigations are in place to address both current and the latest emerging threats.

“Cybersecurity and cyber preparedness are foundational to both cyber resilience and information security risk management. The introduction of cyber threat adaptive assessments that evolve over time to effectively evaluate cybersecurity risk is a game changer,” Patrick said. “The threat landscape is continually evolving, and so should frameworks and standards that evaluate whether adequate security controls and data protections are implemented.
CISOs need to know their vendors have the right controls implemented to mitigate real-world threats. Organizations need reliable assurances of protection against today’s most pressing cybersecurity risks, like ransomware and phishing, as well as any other threats lurking around the corner.”

HITRUST offers a variety of assurance mechanisms that incorporate varying levels of security control requirements (high, moderate, and low) to address critical and emerging threats, and that allow seamless movement up and down the assurance continuum as risk management programs mature or as assurance requirements change.

Some organizations may never require the evaluative depth and thoroughness of the HITRUST Risk-based, 2-year (r2) Assessment that can be tailored from 2000 control requirements (360 for the average assessment) to meet risk and compliance goals. They may only need a moderate level of assurance (HITRUST i1) that focuses more intently on pre-set security controls that ensure cybersecurity best practices. Or they may be early in the development of their cyber risk program and need a quick, reliable assurance that demonstrates essential cybersecurity hygiene so that they can do business with specific customers. (To satisfy the need for this type of basic assurance, HITRUST is releasing a new validated assessment early in 2023.)

HITRUST solutions are flexible and scalable. They meet organizations at any point of their journey from a security, privacy, and compliance perspective to help mature their information risk management programs. Relying parties can bypass potentially inaccurate self-assessments and eliminate proprietary questionnaires to effectively manage vendor risk through validated assessments, and third-party suppliers can provide efficient, reliable assurances appropriate for their level of risk.

In 2023, HITRUST will continue to roll out innovations that address widespread inefficiencies in third-party risk management and help organizations navigate the path to cyber resilience related to information security.
Frisco, TX

HITRUST offers programs to safeguard sensitive information and manage information risk. In collaboration with privacy, information security, and risk management leaders, the company develops and maintains widely adopted common risk and compliance management frameworks and related assessment and assurance methodologies.