HITRUST Announces Continuous Assurance through the Proven HITRUST Ecosystem

HITRUST releases 2025 vision to increase security sustainability and outcomes through continuous control monitoring

FRISCO, Texas, October 1, 2024

HITRUST, the leading provider of information risk management, security, and compliance assurance, today announces HITRUST Continuous Assurance — the latest strategic evolution based on the proven HITRUST ecosystem. As organizations continue to balance the cost and complexity of security and compliance monitoring with the need to achieve security outcomes, a systematic and efficient approach for continuous assurance is essential. Security threats are not static and the need to efficiently reduce evidence decay and continually ensure that security requirements remain relevant and reliable is vital given the evolving threat landscape.

“The traditional overhead and a growing number of new, proprietary, and inefficient approaches trying to speed up outdated practices must fall to the side to improve cybersecurity outcomes without burdening vital services across multiple industries,” said Robert Booker, Chief Strategy Officer, HITRUST during his keynote at HITRUST Collaborate conference. “Approaches that prioritize compliance over security are understandable in highly regulated industries but are unfortunately short-sighted and part of the problem and not the solution.”

Legacy approaches do not build on a proven foundation of relevant controls, do not keep up with cyber threats, do not enable cybersecurity insurance risk underwriting as they lack provable security outcomes and validation, or assurance based on quality, transparency, and integrity. The advent of transformative technologies such as generative AI make this an even more challenging problem with new threats and vulnerabilities to overcome.

Evidence decay has always been a problem for governance systems based solely on auditing and HITRUST has largely mitigated that risk through its comprehensive and centralized quality system, rapid-recertification requirements, and the validation of policies and procedures that underpin security outcomes. In addition, the HITRUST system is built on a maturity model that encourages organizations to seek higher levels of security maturity including measurement and management of security requirements.

Continuous Assurance is possible on top of the proven HITRUST ecosystem that has successfully validated and certified thousands of systems serving multiple industries. After 15 years, HITRUST continues to demonstrate high levels of success as show by the 2024 HITRUST Trust Report where 99.4% of current HITRUST certifications, including organizations of varying sizes in many industries, did not report a breach over the past two-year period (2022 and 2023) while operating in one of the most aggressive cyberattack environments in history. This success is enabled by the combination of the HITRUST CSF alongside a required methodology that assesses control maturity using an innovative PRISMA-based control scoring model and backed by thousands of qualified and independent assessors globally — all monitored by the centralized HITRUST quality assurance system.

“HITRUST certification at the r2 level requires a solid foundation of policy, procedures, and controls implementation, which provides a higher level of assurance based upon direct rather than circumstantial evidence”, said Bimal Sheth, EVP of Standards Development and Assurance Operations, HITRUST. “HITRUST is building on this proven framework as the foundation for Continuous Assurance.”

Continuous Assurance Elements:

Continuous Assurance goes the last mile — enabling integration with technologies that provide security control measurement and management. The result is unprecedented levels of assurance by minimizing evidence decay through monitoring of key assurance evidence and security telemetry on a continuous basis — all designed to detect or avoid drift in an organization’s control posture. Multiple existing and planned capabilities make Continuous Assurance possible:

1. Continuous Monitoring Taxonomy through the Next Generation HITRUST CSF: Control requirements require different approaches to continuous assurance to ensure relevancy and reliability of security maturity oversight. The identification of control requirements categories suitable for continuous assurance will be supported in the Next Generation of the HITRUST CSF, rolling out in phases beginning in 2025, starting with HITRUST CSF v12.
2. Continuous Monitoring Workflow Enhancements: The HITRUST MyCSF will contain new workflow capabilities that allow assessed entities to publish evidence updates and seek validation of evidence of continued control sustainability. Inspection and approval will vary by control category and the system will support the relationships and workflow needed to analyze submitted evidence and confirm that it is both suitable for the control requirement and the underlying scope of the certification. Depending on the rigor and importance of different control requirements, External Assessors will be needed to examine and validate security outcomes and will be vital contributors to Continuous Assurance outcomes.
3. Automated Evidence Collection: HITRUST’s existing Automated Evidence Collection capability supports integration with assessed entities' existing technology and compliance frameworks. These services provide an important foundation by providing the baseline of evidence used for security and compliance assurance while reducing cost and complexity.
4. Continuous Outcome Inspection: New HITRUST services will be available beginning in late 2025 that allow qualified service providers and technology suppliers to demonstrate proven fidelity, integrity, and sufficient integration capabilities to HITRUST that inform security maturity scores and prove that security requirements remain achieved through their systems. Selected, qualified, and leading cloud service providers and security technology providers will provide these services all delivered on top of the robust and existing shared responsibility and inheritance capabilities provided by HITRUST.
5. Results Distribution System: HITRUST’s existing digital platform enables the seamless distribution and integration of assessment and certification results, corrective action plans (CAPs), and status updates — eliminating reliance on PDF reports and allowing for electronic examination of security outcomes plus analysis of individual maturity metrics, and monitoring of remediation commitments on demand and with higher fidelity.
6. Governance, Risk, and Compliance Integration: HITRUST assessment results and assurance outcomes may now be integrated directly into supporting third-party risk management and GRC systems, ensuring faster and more accurate analysis, quicker remediation, and increased transparency, including vital Third-Party Risk Management, workflow support with improvements in efficiency, and clear and traceable documentation.

The HITRUST Continuous Assurance system, by design, will support both systemic control monitoring through Continuous Outcome Inspection and the collection of security artifacts with validation workflows that prove conformance with required policies and procedures. Mature and complex systems will likely require a combination of automated and artifact-oriented forms of security monitoring to ensure that policies and procedures remain relevant.

Building on a Proven Ecosystem:

Continuous assurance is only achievable when delivered on top of a proven ecosystem. Over the past 15 years, HITRUST has built the ecosystem ready to deliver Continuous Assurance including:

1. Broad Assessment Portfolio: HITRUST offers a comprehensive range of assessment options that cover varying levels of assurance. This allows organizations and relying parties to align their risk management efforts with Threat-Adaptive Control Selection that is continuously updated as threats evolve.
2. Cyber Threat-Adaptive Controls: The HITRUST CSF is continuously updated as new cyber threats are identified and in response to active threats. This ensures organizations are continually considering the changes needed to manage their risks and sustain the required protections from the security system. Assurances only remain valid if they are implementing the correct security requirements to address present threats.
3. Assurance Quality Management: A centralized, proven, and transparent approach to quality assurance that includes examination, testing, and validation of security evidence by trained and qualified external assessors. Quality standards are published and are appropriately measured, tested, and validated first by external assessors and then by HITRUST. This ensures that the security outcomes and the resulting certification are transparent, scalable, consistent, and accurate and demonstrate the integrity required by relying parties, including regulators.
4. Inheritance and Shared Responsibility: In many cases, security controls may be inherited from service providers such as Cloud Service Providers and now AI Service Providers. This capability allows assessed entities to rely on those service providers to provide components of the security fabric based upon the validation and certification of their services or to share responsibility for controls. Continuous Assurance will support the inheritance and shared responsibility of controls in appropriate use cases.

Powered by Platform Integrations:

HITRUST Continuous Assurance is building on an expanding network of integration capabilities from recognized platform and service providers. These integrations will streamline the process of managing information and cybersecurity risks and allow customers of the HITRUST ecosystem to integrate Continuous Assurance capabilities from multiple suppliers as available.

Delivering Proven Outcomes:

HITRUST Continuous Assurance delivers on top of a rich and proven maturity model. However, breaches and disruptions to services from cyber events still occur and Continuous Assurance will provide even higher security outcomes and greater levels of assurance. “The information obtained from monitoring controls in a continuous manner can help organizations continually assess the state of their information security controls and subsequently the amount of additional residual risk the organization may be incurring. Introducing more continuous or ongoing approaches over point-in-time assessments and control gap analysis increases the fidelity of ongoing, risk-based decisions and improves cybersecurity outcomes”, said Dr. Bryan Cline, Chief Research Officer, HITRUST.