For years, the cybersecurity conversation has centered around whether organizations have the right controls in place. Do you have endpoint protection? Do you use multi-factor authentication (MFA)? Is there a security awareness training program in place? 

According to new research from Marsh McLennan’s Cyber Risk Intelligence Center (CRIC), those questions no longer go far enough. Today, the difference between resilience and risk is not about whether a control exists. It’s about whether it is implemented comprehensively, configured correctly, and tested continuously. 

This shift has profound implications for how organizations should approach cyber risk management, how insurers evaluate exposure, and how regulators and business partners assess security assurance. 

What the report found 

The CRIC report reveals a maturing cybersecurity landscape where effectiveness matters more than existence. 

• Controls are widespread, but uneven in execution. Most organizations now deploy basics like patching processes, privileged access management, and email security tools. The challenge is ensuring those controls are applied consistently across the enterprise. 

• Coverage and completeness matter. Endpoint detection and response (EDR) is a good example: every 25% increase in deployment reduces breach likelihood, but only full coverage delivers meaningful protection. A partial rollout leaves critical blind spots. 

• MFA must evolve. MFA has become table stakes. Insurers and security leaders now look deeper, asking: Are phishing-resistant methods in use? Is enforcement universal? Without those, MFA is just a façade of protection. 

• Quality beats quantity in training. Running employees through countless simulations doesn’t guarantee readiness. The research shows fewer, higher-quality exercises with realistic and evolving attack scenarios yield better outcomes. 

• Preparedness saves. Incident response planning consistently ranks among the most effective measures to reduce risk, particularly when bolstered by tabletop and red-team exercises that test readiness against real-world attack scenarios. 

Why this matters for HITRUST 

Assurance over existence 

At HITRUST, this has always been our philosophy. Our security assurance methodology doesn’t stop at verifying whether a control exists. It requires proof that it is operationalized, aligned with best practices, and auditable. Marsh’s findings validate what HITRUST has been delivering for years: assurance that controls are not just present, but effective in practice. 

A stronger market narrative 

Independent voices like Marsh strengthen HITRUST’s message to customers, regulators, and the market: Risk outcomes improve only when controls are deployed effectively. HITRUST certification provides that proof. 

This positions HITRUST as the bridge between governance frameworks, which define what should be done, and trusted assurance, which proves it has been done right. 

New leverage with insurers 

As a major global insurance broker, Marsh has significant influence over how insurers evaluate cyber risk. Its report underscores that superficial compliance is no longer enough. If HITRUST certification is seen as credible evidence of control maturity and completeness, insurers may reward organizations with certifications with better premiums, lower deductibles, and preferred underwriting status. That translates into real financial value alongside security assurance. 

Alignment with emerging risk differentiators 

The findings also align with HITRUST’s cyber threat-adaptive controls, which evolve to reflect emerging risks.  

• Phishing-resistant MFA is already an expectation in HITRUST assessments. 

• Enterprise-wide EDR coverage is reinforced within the HITRUST framework. 

• Incident response exercises, including tabletop simulations, are evaluated during assessment, providing measurable assurance of preparedness. 

HITRUST demonstrates that certification is not static. It evolves with the threat landscape and remains a reliable marker of resilience. 

The bottom line 

Marsh McLennan’s research should be a wake-up call for organizations still relying on governance checklists or partial implementations. Cybersecurity isn’t about having the right controls on paper; it’s about proving they work where it counts. 

This is where HITRUST delivers unmatched value. Our certification approach ensures that organizations are not just compliant but credible in the eyes of partners, regulators, and insurers. In an era where outcomes depend on security assurance, not assumptions, HITRUST stands as the trusted path forward. 

On July 31, 2025, the Centers for Medicare & Medicaid Services (CMS) published its new Interoperability Framework, part of the broader digital health ecosystem initiative. While voluntary, the framework sets a high bar. CMS set the bar at HITRUST-level assurance — requiring validation equivalent to HITRUST certification. The message is clear. Secure health data exchange requires more than intent. It requires demonstrable trust. 

Why HITRUST Matters 

Some may view HITRUST as just another compliance checkbox. It is far more. HITRUST is widely accepted and has become the gold standard for safeguarding healthcare data by combining prescriptive controls, a rigorous assessment process, and consistent certification. Its inclusion in the CMS framework accomplishes three things: 

• Affirms credibility and commitment: Certification signals that networks prioritize actionable, defensible security — not just policies on paper. Patients, providers, and regulators alike gain confidence that systems are truly hardened. 

• Enables a shared standard: With many healthcare organizations already aligned to HITRUST, it provides a common language for risk and security. That alignment lowers friction for interoperability networks trying to collaborate. 

• Elevates trust: By embedding HITRUST, CMS ensures that networks build not only technical connections but also trusted ones. 

It’s also important to note that HITRUST doesn’t replace HIPAA compliance. Rather, it offers a structured, auditable path to achieving and proving the safeguards the HIPAA Security Rule requires. 

HITRUST as a HIPAA Compliance Accelerator 

For organizations adopting the CMS Interoperability Framework, HITRUST offers a dual benefit: satisfying CMS requirements while accelerating HIPAA compliance. Here’s how the alignment plays out: 

• Administrative, physical, and technical safeguards: HIPAA requires covered entities and business associates to protect electronic protected health information (ePHI). HITRUST maps directly to these safeguards, offering detailed, actionable guidance across all three categories. 

• Risk analysis and management: A cornerstone of HIPAA, risk assessments and ongoing risk management are also embedded in the HITRUST certification process. This overlap reduces duplication and ensures discipline. 

• Audit trails and documentation: CMS requires verifiable logs and authentication records. HITRUST similarly emphasizes documentation, monitoring, and continuous updates — ensuring compliance efforts reinforce one another. 

The result? Organizations meet CMS expectations while simultaneously advancing HIPAA obligations. Instead of running two parallel compliance efforts, HITRUST helps consolidate and streamline. 

Building a Modern, Secure Health Data Exchange 

The CMS Interoperability Framework is about more than security. It lays a foundation for a patient-centered, digitally connected ecosystem. Key features include: 

• Patient-directed access: Individuals gain greater control over how their health data moves between systems. 

• FHIR API-based exchange: Modern, standards-driven APIs replace older, fragmented methods of data transfer. 

• Strong identity and trust protocols: HITRUST (or equivalent validation) underpins identity management, authentication, and data security. 

• Secure credentials and consent enforcement: Transparent consent processes, verifiable audit logs, and credentialing requirements ensure accountability. 

CMS has also partnered with more than 60 private-sector organizations spanning health information networks, EHR vendors, payers, and digital platforms to become CMS-Aligned Networks by early 2026. This momentum underscores the initiative’s transformational potential. 

Final Thoughts 

The CMS Interoperability Framework marks a significant step toward a healthcare system where data flows securely, patients are empowered, and trust is embedded by design. Its requirement for HITRUST certification is not a box-checking exercise but rather recognition that shared, high-assurance standards are essential to safe interoperability. 

For organizations, the benefits are clear. HITRUST helps streamline HIPAA compliance, reduces redundant audits, and demonstrates maturity in risk management. For the broader system, it builds resilience, fosters collaboration, and strengthens the foundation of trust patients expect. 

As CMS advances its digital health ecosystem, stakeholders that align early will not only meet requirements, but they will shape a connected, secure, and trusted future of healthcare. 

HITRUST has submitted a letter to the incoming administration and key Congressional Committees regarding proposed modifications to the HIPAA Security Rule. This comes in light of proposed legislative measures aimed at improving the cybersecurity posture of the healthcare industry.

Despite existing regulations and guidelines, the healthcare sector continues to face direct and opportunistic targeting, with ongoing attacks impacting vital patient care and trust. While HITRUST believes in and aligns with the Department of Health and Human Services and Congress on the shared objective that healthcare organizations must manage information risk effectively and guidelines must be established based on the healthcare organization’s overall risk posture and be proven through compliance systems, it is critical to revisit the outdated and incomplete approaches historically used to address cybersecurity risks in healthcare.

HITRUST’s letter emphasizes the need to rethink these approaches and recommends leveraging proven, scalable models that enhance security outcomes while avoiding inefficiencies or unnecessary complexity. We believe that substantial improvements in cybersecurity can be achieved through actionable strategies and tools, not just compliance.

A key recommendation from HITRUST is addressing a significant design flaw in the HIPAA Security Rule. Currently, the Rule fails to effectively reduce risk because it lacks relevant, clear, and prescriptive guidelines for controls and assurance. The result is inconsistent implementation and lack of objective measurement, preventing meaningful risk management.

HITRUST’s 17 years of experience, along with insights from our 2024 Trust Report, demonstrate the effectiveness of comprehensive risk management strategies. Only 0.64% of HITRUST-certified environments reported breaches over the past two years — proof that robust risk management can yield substantial security outcomes with the right strategies and tools.

We invite you to read our letter to learn more about how HITRUST is advocating for practical, impactful changes to safeguard the healthcare system.