Simplify and strengthen your compliance strategy with HITRUST on Steroids Using MyCSF. Join experts from Baker Tilly, Milliman, and HITRUST to explore how the MyCSF tool streamlines compliance across frameworks like HITRUST, SOC 2, ISO 27001, and more. Learn how to align multiple audit needs, win over business leaders with scalable solutions, and confidently respond to risk reviews. Plus, hear Milliman’s success story in managing hundreds of partner risk assessments with ease. Don’t miss this opportunity to transform your approach—register now.
Apr 15, 2025
Guest blog by Shreesh Bhattarai, Director of HITRUST at A-LIGN
In today’s world, where data security, risk management, and regulatory compliance are paramount, Welvie and Kinetik have demonstrated how adopting HITRUST certification can serve as a strategic enabler for business growth while establishing a strong culture of managing threats and efficiently addressing applicable regulations. These organizations have successfully streamlined their compliance processes, improved operational efficiency, and unlocked substantial market opportunities by leveraging the HITRUST framework and collaborating with a trusted external assessor, A-LIGN.
Addressing modern risk management and compliance challenges
Both Welvie and Kinetik operate in industries where robust risk management is critical for compliance, operational integrity, and market credibility. The HITRUST CSF was the ideal choice to help them navigate evolving threats, the rise of artificial intelligence, and changing regulations, because its comprehensive, integrated framework is specifically tailored to address diverse industry requirements and emerging risks. Welvie, a leading healthcare decision-support company, faced fragmented risk management processes that were resource-intensive and lacked cohesion.
“Before HITRUST, our approach to risk management was disjointed, leading to duplicated efforts and inconsistent mitigation strategies,” said Rudi Perkins, CTO at Welvie.
Kinetik, a technology innovator in healthcare solutions, encountered similar challenges. Without a unified risk management framework, it struggled to anticipate and address the security expectations of its clients.
“We realized that without a comprehensive risk management framework like HITRUST, we couldn’t effectively identify, mitigate, or communicate risks, making it difficult to compete for major contracts,” shared Michelle Moreno, VP of Security, Compliance & Project Management at Kinetik.
How Welvie and Kinetik mastered HITRUST with A-LIGN’s expertise
The HITRUST certification process required careful planning, collaboration, and execution. Both organizations partnered with A-LIGN, leveraging its expertise to navigate the complexities of the HITRUST framework.
Preparation and gap analysis
HITRUST readiness assessments conducted by A-LIGN identified critical areas for improvement. This initial step provided a clear roadmap for aligning with HITRUST requirements as it emulated the desired validation assessment. The assessments revealed gaps in current practices, providing both Welvie and Kinetik with actionable insights into their compliance and information protection posture. A-LIGN’s deep expertise ensured that these gaps were not only identified but also addressed with a practical and strategic remediation plan tailored to the unique needs of each organization.
Policy overhaul
Pivotal to an optimized information security program, Welvie centralized its compliance documentation. This step eliminated redundancies that had previously hindered efficiency and created inconsistencies across departments. By consolidating and streamlining its policies, Welvie not only ensured regulatory compliance but also built a solid foundation for its broader risk management strategy. This centralization became a critical element in responding quickly to audits and client requests.
Process realignment
Similarly, Kinetik overhauled its evidence-gathering processes, which had previously been siloed and inefficient. By leveraging the HITRUST CSF’s comprehensive mapping to multiple regulatory frameworks, the organization created a unified and systematic approach that allowed evidence collected for one framework to be seamlessly applied across others. This significantly reduced redundant audits, saving substantial time, money, and effort. Additionally, it lowered the administrative burden on compliance teams, enabling them to concentrate on strategic priorities while maintaining a high standard of accuracy.
Leveraging HITRUST mappings
HITRUST’s integration with over 60 frameworks, including AICPA’s Trust Principles, ISO, HIPAA, and NIST, provided Welvie and Kinetik with a comprehensive foundation for compliance. By mapping controls across these frameworks, both organizations were able to quickly assess other compliance needs with minimal duplication of effort. This approach highlighted the value of HITRUST’s structured framework in harmonizing diverse regulatory requirements and reducing the complexity of managing multiple compliance obligations simultaneously.
Collaboration with A-LIGN: A key to success
A-LIGN’s impact on achieving the “Measured and Managed” criteria stands as a testament to its expertise and commitment to excellence. This advanced compliance requirement is among HITRUST’s most demanding, requiring not just adherence to standards but clear, demonstrable evidence of continuous monitoring and ongoing improvement in security activities. Recognizing the complexity of this requirement, A-LIGN took a proactive approach by tailoring specific strategies and providing hands-on support to ensure both organizations exceeded expectations in this critical area.
For Welvie, A-LIGN introduced performance tracking mechanisms and customized dashboards that quantified compliance improvements over time. "A-LIGN's guidance enabled us to go beyond baseline compliance and establish ourselves as a leader in governance and oversight," noted Angela Merek, Vice President of Account Services at Welvie.
Kinetik, on the other hand, leveraged A-LIGN’s expertise to integrate automation and real-time monitoring processes into its compliance programs. These enhancements helped meet HITRUST’s criteria and elevated its internal risk management framework. "A-LIGN turned what initially seemed like a daunting requirement into an opportunity to strengthen our security posture and deliver greater value to our clients," added Michelle Moreno, VP of Security, Compliance & Project Management at Kinetik.
The collaborative efforts of A-LIGN with both organizations resulted in exceptional outcomes, with high scores during audits and the establishment of “Measured and Managed” practices as foundational elements of their compliance strategies.
Achieving results: Efficiency, growth, and market leadership
The benefits of HITRUST certification extended far beyond compliance. Both organizations experienced transformative outcomes that positioned them as leaders in their respective markets.
Operational efficiency
- Welvie streamlined its compliance workflows, saving time and resources while improving team productivity.
- Kinetik reduced the timelines for completing SOC 1 and SOC 2 audits, leveraging the evidence prepared for HITRUST to meet multiple requirements simultaneously.
Market credibility and business growth
- For Welvie, HITRUST certification became a key differentiator, enhancing trust among healthcare clients who increasingly view HITRUST as a gold standard.
- Kinetik secured a multi-million-dollar health plan contract directly attributable to its HITRUST certification. “It’s more than a certificate; it’s a market enabler,” emphasized Michelle.
Resource savings
- HITRUST’s consolidated framework allowed both organizations to maximize the reuse of evidence across certifications, significantly reducing compliance costs.
Conclusion: A framework for success
For Welvie and Kinetik, HITRUST certification was more than a risk and compliance milestone; it was a transformative journey that improved their operational efficiency, enhanced client trust, and unlocked substantial business opportunities. By adopting HITRUST’s comprehensive framework and collaborating with A-LIGN, these organizations have set a strong foundation for sustained success in a highly regulated environment.
The recently released HITRUST Trust Report further underscores the efficacy of the HITRUST framework. The Report, offering detailed insights and performance metrics, highlighted a 0.59% breach rate among HITRUST-certified environments in 2024 — a testament to the program’s effectiveness in mitigating information risk. It also revealed that 100% of threat indicators in the MITRE ATT&CK framework are addressed by the HITRUST CSF, underscoring its comprehensive nature.
"We have spent 17+ years building a reliable and relevant model and ecosystem that delivers powerful results through measurement and accountability to fuel continuous improvement and risk reduction," stated Daniel Nutkis, Founder and CEO at HITRUST.
Organizations with HITRUST certifications, like Welvie and Kinetik, benefit from a proven system that combines relevance and reliability. By regularly updating control specifications based on emerging threats and ensuring rigorous third-party validation, HITRUST enables organizations to address evolving risks confidently. As highlighted in the Trust Report, organizations undergoing subsequent HITRUST assessments experience, on average, a 54% reduction in required Corrective Action Plans (CAPs) compared to their initial certification.
Transforming Compliance and Driving Business Growth with HITRUST
Apr 10, 2025
Most security programs follow a set of predefined controls. They look good on paper but often fall short in real life. Why? Because cyber threats change constantly. Attackers move quickly, using new tactics that bypass outdated defenses. If your security framework isn’t evolving, your organization is falling behind.
HITRUST doesn’t rely on a one-and-done approach. Our security assessments adapt to today’s threats — based on real data, not assumptions. We constantly update our control requirements to stay aligned with the latest risks. That’s what makes our security framework different. It's built to evolve with the threat landscape.
How HITRUST stays ahead
HITRUST uses a continuous, data-driven approach called the Cyber Threat Adaptive (CTA) program. It’s a constant cycle of collecting, analyzing, and responding to real-world threat intelligence.
In the last quarter of 2024, we:
- Reviewed 22 real-world breaches
- Analyzed nearly 4,000 threat intelligence articles
- Evaluated around 129,000 threat indicators
- Mapped approximately 42,000 of those indicators to known attack techniques and mitigations using the MITRE ATT&CK framework
All these analyses feed directly into how we update and refine the HITRUST CSF and our core security assessments. The updates ensure that every requirement in the assessments reflects the current threat landscape. So, when you’re working with HITRUST, you’re working with security controls that are relevant today — not outdated guidance from last year.
What are the top threats right now?
Here are the top five techniques attackers are using.
1. Phishing
It is still the most common way attackers get in. AI-powered phishing campaigns are now more targeted and harder to detect.
What it leads to: Malware, ransomware, and stolen data.
What helps: Email security, anti-phishing training, and strong auditing.
2. Command and scripting abuse
Attackers run malicious code using tools like PowerShell.
What it leads to: System takeovers and deeper access.
What helps: Code signing, antivirus, and limiting what scripts can run.
3. Process injection
Malicious code is hidden inside trusted applications.
What it leads to: Evasion of detection tools.
What helps: Endpoint protection and managing privileged accounts.
4. Hiding in normal traffic
Attackers use common web protocols (like HTTP or DNS) to avoid detection.
What it leads to: Stealthy control over compromised systems.
What helps: Network filtering and advanced detection tools.
5. Ransomware
Attackers encrypt data and demand payment to unlock it.
What it leads to: Downtime, data loss, and high recovery costs.
What helps: Strong backups and fast recovery plans.
What should you do now?
Take the following steps to stay resilient against cyber threats.
- Train your people: Make anti-phishing education a priority and track how well it’s working.
- Test your backups: Make sure you can recover quickly if ransomware hits.
- Control your environment:
  - Block unused network protocols.
  - Keep a complete inventory of all systems.
  - Monitor endpoints for suspicious behavior.
- Use modern tools: Protect your environment with robust firewalls and an EDR (Endpoint Detection and Response) system.
The bottom line
Cyber threats don’t wait. Your security programs shouldn’t, either.
HITRUST assessments are designed to keep up with today’s threats. Backed by real intelligence and constant updates, they help organizations build trust and resilience in a fast-changing digital world.
Whether you’re just starting your security assessment process or need deeper protection, HITRUST helps you stay ready — not just compliant. Download the complete analysis to learn more.
Cyber Threats are Moving Fast. Is Your Organization Prepared?
Apr 3, 2025
Organizations need more than just checklists to stay protected against the evolving threat landscape. They need cyber assurance that’s proven to work. That’s where the HITRUST Trust Report comes in.
The 2025 Trust Report provides measurable proof that organizations with HITRUST certifications experience fewer breaches, improve their security posture over time, and are better prepared to face emerging threats — including those posed by AI. It offers a unique view into the power of reliable, data-backed cyber assurance.
What is the HITRUST Trust Report?
The HITRUST Trust Report is an annual publication that details how HITRUST certifications perform in the real world. It reveals insights backed by breach data, control maturity trends, and customer outcomes to show the effectiveness of HITRUST assessments.
The report serves one purpose: to demonstrate that when you invest in HITRUST, you’re not just achieving compliance — you’re reducing cyber risk.
Key features of the Trust Report
The Trust Report isn’t just a summary of numbers — it’s a strategic resource designed to validate, measure, and improve cybersecurity assurance. Here are the core features of the report.
Transparency into assurance performance
The report delivers objective, data-backed insights into how HITRUST certifications perform in the real world by sharing metrics on breach rates, assessment outcomes, and more.
Evidence of cyber risk mitigation
HITRUST tracks and reports on real security outcomes, unlike other frameworks. The 2025 report provides measurable proof that organizations with HITRUST certifications experience fewer breaches.
Insights into threat trends
By analyzing breach causes and assessment data, the report identifies which controls are most difficult to implement and which attack vectors are most commonly exploited. These insights help you prioritize resources and improve resilience where it matters most.
Accountability through centralized quality
Every HITRUST certification is backed by a rigorous, six-layer quality assurance process. The report details how this centralized approach ensures consistency, integrity, and reliability — so organizations and stakeholders can confidently rely on HITRUST results.
How the Trust Report supports cyber assurance
Comprehensive risk assessment
HITRUST assessments adapt to the evolving threat landscape. They leverage cyber threat intelligence and align to 100% of MITRE ATT&CK mitigations to ensure broad and relevant coverage.
Evaluating security controls
Organizations undergoing HITRUST assessments evaluate and strengthen their security controls based on best practices and relevant threat data.
AI assurance for emerging risks
HITRUST’s expanded assurance capabilities address AI-related risks. Organizations can evaluate and demonstrate control over data privacy, ethical use, and security threats tied to AI with the AI Security Certification and AI Risk Management Assessment.
Building stakeholder confidence
The Trust Report gives stakeholders confidence that your certification is more than a checkbox — it’s proof of cyber risk mitigation.
Cyber risk mitigation through the Trust Report
Identifying and addressing vulnerabilities
The most common breach vector is vulnerability exploits. HITRUST’s framework includes specific, tailored requirements that directly reduce exposure to these threats.
Demonstrating ongoing cybersecurity efforts
The Trust Report highlights how HITRUST customers continue improving and building stronger defenses. For example, repeat HITRUST customers had 54% fewer corrective actions in their consecutive i1 assessments.
Benefits of using the Trust Report for organizations
Enhanced trust with clients and partners
Customers and partners want proof, not promises. The Trust Report provides it, helping organizations build trust with their stakeholders.
Reduced risk of cyber threats and breaches
With only 0.59% of HITRUST-certified environments reporting a breach in 2024, the results speak for themselves. HITRUST is the only assurance mechanism that measures and provides proof of its effectiveness.
The role of the Trust Report in regulatory compliance
Aligning with industry standards and regulations
The HITRUST framework incorporates over 60 frameworks, regulations, and standards like HIPAA, NIST, and ISO. This comprehensive mapping helps you meet multiple requirements with a single assessment.
Meeting compliance requirements with HITRUST
HITRUST ensures your security program meets modern expectations and regulatory needs, whether it’s protecting healthcare data or deploying secure AI.
The future of cyber assurance with HITRUST
The 2025 Trust Report shows how AI assurance, continuous improvement, and a centralized quality process set HITRUST apart. With Continuous Assurance launching soon, organizations will gain ongoing visibility into their security posture — reducing evidence decay and reinforcing trust every step of the way.
Cyber risk management is complex. But your assurance strategy doesn’t have to be. Learn more about how the 2025 Trust Report can help your organization strengthen security, reduce risk, and demonstrate trust.