When it comes to Third-Party Risk Management (TPRM) in healthcare, one thing is abundantly clear: there is no single "gold standard" approach. Conversations with risk leaders across the industry consistently reveal that TPRM programs vary widely — not just in scope and sophistication, but in their very foundations. 

The fragmented reality of TPRM in healthcare 

The differences in TPRM programs are often driven by a mix of factors: organizational maturity, available budget, staffing levels, executive support, and overall risk culture. Some organizations have robust, tech-enabled TPRM programs leveraging tools like Governance, Risk, and Compliance (GRC) platforms or cyber risk scorecards. Others lean heavily on standardized validated assessments like HITRUST or SOC 2 to evaluate vendor security postures. Then, there are still many healthcare organizations where TPRM efforts are centered around manual questionnaires and internal audits, sometimes augmented or entirely handled by external managed service providers. 

This diversity in approach doesn’t end with process. It extends to the way organizations define and assess risk itself. 

Take inherent risk scoring, for example. Some healthcare TPRM teams define a vendor’s criticality based on factors like total spending or organizational size. Others take a more data-centric view, focusing on the volume and sensitivity of protected health information (PHI) a vendor manages. Many others may consider service impact, integration with clinical workflows, or regulatory exposure. The result? A vendor deemed “critical” by one organization might be considered low-risk by another, even when delivering the same services. 

The cost of inconsistency  

The lack of alignment creates several big problems. 

First, it complicates the landscape for vendors. With no consistent expectations across the industry, vendors are forced to navigate a maze of questionnaires, audits, and assessment frameworks — each tailored to a different customer’s priorities and definitions of risk. For vendors supporting multiple healthcare clients, this patchwork of requirements can be frustrating, time-consuming, and difficult to scale. 

Second, it limits the usefulness of risk reporting. Many TPRM programs struggle to deliver clear, actionable insights across their vendor portfolio. Risk reports are often siloed and overly technical, focusing on the audit results of individual vendors without providing a holistic view. This makes it harder for executive leadership and non-technical stakeholders to understand third-party risk at the enterprise level — let alone make informed decisions based on it. 

Fostering greater alignment 

So, what’s the path forward? 

The reality is that while a single “gold standard” may not exist (or even be realistic), healthcare organizations can benefit from working toward greater consistency in how they define, assess, and report third-party risk. Aligning with industry-accepted frameworks like HITRUST can help. TPRM leaders should also collaborate with peers to establish common risk definitions and reporting models that better support communication with vendors and internal stakeholders. 

In the absence of a universal standard, progress comes from transparency, collaboration, and an ongoing effort to close the gaps — both internally and across the healthcare ecosystem. 

Guest blog by Shreesh Bhattarai, Director of HITRUST at A-LIGN

In today’s world, where data security, risk management, and regulatory compliance are paramount, Welvie and Kinetik have demonstrated how adopting HITRUST certification can serve as a strategic enabler for business growth while establishing a strong culture of managing threats and efficiently addressing applicable regulations. These organizations have successfully streamlined their compliance processes, improved operational efficiency, and unlocked substantial market opportunities by leveraging the HITRUST framework and collaborating with a trusted external assessor, A-LIGN.

Addressing modern risk management and compliance challenges

Both Welvie and Kinetik operate in industries where robust risk management is critical for compliance, operational integrity, and market credibility. The HITRUST CSF was the ideal choice to help them navigate evolving threats, artificial intelligence, and changing regulations, due to its comprehensive and integrated framework specifically tailored to address diverse industry requirements and emerging risks. Welvie, a leading healthcare decision-support company, faced fragmented risk management processes that were resource-intensive and lacked cohesion.

“Before HITRUST, our approach to risk management was disjointed, leading to duplicated efforts and inconsistent mitigation strategies,” said Rudi Perkins, CTO at Welvie.

Kinetik, a technology innovator in healthcare solutions, encountered similar challenges. Without a unified risk management framework, it struggled to anticipate and address the security expectations of its clients.

“We realized that without a comprehensive risk management framework like HITRUST, we couldn’t effectively identify, mitigate, or communicate risks, making it difficult to compete for major contracts,” shared Michelle Moreno, VP of Security, Compliance & Project Management at Kinetik.

How Welvie and Kinetik mastered HITRUST with A-LIGN’s expertise

The HITRUST certification process required careful planning, collaboration, and execution. Both organizations partnered with A-LIGN, leveraging its expertise to navigate the complexities of the HITRUST framework.

Preparation and gap analysis 

HITRUST readiness assessments conducted by A-LIGN identified critical areas for improvement. This initial step provided a clear roadmap for aligning with HITRUST requirements as it emulated the desired validation assessment. The assessments revealed gaps in current practices, providing both Welvie and Kinetik with actionable insights into their compliance and information protection posture. A-LIGN’s deep expertise ensured that these gaps were not only identified but also addressed with a practical and strategic remediation plan tailored to the unique needs of each organization.

Policy overhaul 

Pivotal to an optimized information security program, Welvie centralized its compliance documentation. This step eliminated redundancies that had previously hindered efficiency and created inconsistencies across departments. By consolidating and streamlining its policies, Welvie not only ensured regulatory compliance but also built a solid foundation for its broader risk management strategy. This centralization became a critical element in responding quickly to audits and client requests.

Process realignment 

Similarly, Kinetik overhauled its evidence-gathering processes, which had previously been siloed and inefficient. By leveraging the HITRUST CSF’s comprehensive mapping to multiple regulatory frameworks, the organization created a unified and systematic approach that allowed evidence collected for one framework to be seamlessly applied across others. This significantly reduced redundant audits, saving substantial time, money, and effort. Additionally, it lowered the administrative burden on compliance teams, enabling them to concentrate on strategic priorities while maintaining a high standard of accuracy.

Leveraging HITRUST mappings 

HITRUST’s integration with over 60 frameworks, including AICPA’s Trust Principles, ISO, HIPAA, and NIST, provided Welvie and Kinetik with a comprehensive foundation for compliance. By mapping controls across these frameworks, both organizations were quickly able to assess other compliance needs with minimal duplication of effort. This approach highlighted the value of HITRUST’s structured framework in harmonizing diverse regulatory requirements and reducing the complexity associated with managing multiple compliance obligations simultaneously.

Collaboration with A-LIGN: A key to success

A-LIGN’s impact on achieving the “Measured and Managed” criteria stands as a testament to its expertise and commitment to excellence. This advanced compliance requirement is among HITRUST’s most demanding, requiring not just adherence to standards but clear, demonstrable evidence of continuous monitoring and ongoing improvement in security activities. Recognizing the complexity of this requirement, A-LIGN took a proactive approach by tailoring specific strategies and providing hands-on support to ensure both organizations exceeded expectations in this critical area.

For Welvie, A-LIGN introduced performance tracking mechanisms and customized dashboards that quantified compliance improvements over time. "A-LIGN's guidance enabled us to go beyond baseline compliance and establish ourselves as a leader in governance and oversight," noted Angela Merek, Vice President of Account Services at Welvie.

Kinetik, on the other hand, leveraged A-LIGN’s expertise to integrate automation and real-time monitoring processes into its compliance programs. These enhancements helped meet HITRUST’s criteria and elevated its internal risk management framework. "A-LIGN turned what initially seemed like a daunting requirement into an opportunity to strengthen our security posture and deliver greater value to our clients," added Michelle Moreno, VP of Security, Compliance & Project Management at Kinetik.

The collaborative efforts of A-LIGN with both organizations resulted in exceptional outcomes, with high scores during audits and the establishment of “Measured and Managed” practices as foundational elements of their compliance strategies.

Achieving results: Efficiency, growth, and market leadership

The benefits of HITRUST certification extended far beyond compliance. Both organizations experienced transformative outcomes that positioned them as leaders in their respective markets.

Operational efficiency

• Welvie streamlined its compliance workflows, saving time and resources while improving team productivity.
• Kinetik reduced the timelines for completing SOC 1 and SOC 2 audits, leveraging the evidence prepared for HITRUST to meet multiple requirements simultaneously.

Market credibility and business growth

• For Welvie, HITRUST certification became a key differentiator, enhancing trust among healthcare clients who increasingly view HITRUST as a gold standard.
• Kinetik secured a multi-million dollar health plan contract directly attributable to its HITRUST certification. “It’s more than a certificate; it’s a market enabler,” emphasized Michelle.

Resource savings

• HITRUST’s consolidated framework allowed both organizations to maximize the reuse of evidence across certifications, significantly reducing compliance costs.

Conclusion: A framework for success

For Welvie and Kinetik, HITRUST certification was more than a risk and compliance milestone; it was a transformative journey that improved their operational efficiency, enhanced client trust, and unlocked substantial business opportunities. By adopting HITRUST’s comprehensive framework and collaborating with A-LIGN, these organizations have set a strong foundation for sustained success in a highly regulated environment.

The recently released HITRUST Trust Report further underscores the efficacy of the HITRUST framework. The Report, offering detailed insights and performance metrics, highlighted a 0.59% breach rate among HITRUST-certified environments in 2024 — a testament to the program’s effectiveness in mitigating information risk. It also revealed that 100% of threat indicators in the MITRE ATT&CK framework are addressed by the HITRUST CSF, underscoring its comprehensive nature.

"We have spent 17+ years building a reliable and relevant model and ecosystem that delivers powerful results through measurement and accountability to fuel continuous improvement and risk reduction," stated Daniel Nutkis, Founder and CEO at HITRUST.

Organizations with HITRUST certifications, like Welvie and Kinetik, benefit from a proven system that combines relevance and reliability. By regularly updating control specifications based on emerging threats and ensuring rigorous third-party validation, HITRUST enables organizations to address evolving risks confidently. As highlighted in the Trust Report, organizations undergoing subsequent HITRUST assessments experience, on average, a 54% reduction in required Corrective Action Plans (CAPs) compared to their initial certification.

Most security programs follow a set of predefined controls. They look good on paper but often fall short in real life. Why? Because cyber threats change constantly. Attackers move quickly, using new tactics that bypass outdated defenses. If your security framework isn’t evolving, your organization is falling behind.

HITRUST doesn’t rely on a one-and-done approach. Our security assessments adapt to today’s threats — based on real data, not assumptions. We constantly update our control requirements to stay aligned with the latest risks. That’s what makes our security framework different. It's built to evolve with the threat landscape.

How HITRUST stays ahead

HITRUST uses a continuous, data-driven approach called the Cyber Threat Adaptive (CTA) program. It’s a constant cycle of collecting, analyzing, and responding to real-world threat intelligence.

In the last quarter of 2024, we

• Reviewed 22 real-world breaches
• Analyzed nearly 4,000 threat intelligence articles
• Evaluated around 129,000 threat indicators
• Mapped approximately 42,000 of those indicators to known attack techniques and mitigations using the MITRE ATT&CK framework

All these analyses feed directly into how we update and refine the HITRUST CSF and our core security assessments. The updates ensure that every requirement in the assessments reflects the current threat landscape. So, when you’re working with HITRUST, you’re working with security controls that are relevant today — not outdated guidance from last year.

What are the top threats right now?

Here are the top five techniques attackers are using.

1. Phishing

It is still the most common way attackers get in. AI-powered phishing campaigns are now more targeted and harder to detect.
What it leads to: Malware, ransomware, and stolen data.
What helps: Email security, anti-phishing training, and strong auditing.

2. Command and scripting abuse

Attackers run malicious code using tools like PowerShell.
What it leads to: System takeovers and deeper access.
What helps: Code signing, antivirus, and limiting what scripts can run.

3. Process injection

Malicious code is hidden inside trusted applications.
What it leads to: Evasion of detection tools.
What helps: Endpoint protection and managing privileged accounts.

4. Hiding in normal traffic

Attackers use common web protocols (like HTTP or DNS) to avoid detection.
What it leads to: Stealthy control over compromised systems.
What helps: Network filtering and advanced detection tools.

5. Ransomware

Attackers encrypt data and demand payment to unlock it.
What it leads to: Downtime, data loss, and high recovery costs.
What helps: Strong backups and fast recovery plans.

What should you do now?

Take the following steps to stay resilient against cyber threats.

• Train your people: Make anti-phishing education a priority and track how well it’s working.
• Test your backups: Make sure you can recover quickly if ransomware hits.
• Control your environment:
  • Block unused network protocols.
  • Keep a complete inventory of all systems.
  • Monitor endpoints for suspicious behavior.

• Use modern tools: Protect your environment with robust firewalls and an EDR (Endpoint Detection and Response) system.

The bottom line

Cyber threats don’t wait. Your security programs shouldn’t, either.

HITRUST assessments are designed to keep up with today’s threats. Backed by real intelligence and constant updates, they help organizations build trust and resilience in a fast-changing digital world.

Whether you’re just starting your security assessment process or need deeper protection, HITRUST helps you stay ready — not just compliant. Download the complete analysis to learn more.