Healthcare is under attack, but there are proven ways to obtain cyber assurance to break the ongoing reactive cycle against evolving cyber threats. Learn directly from HITRUST and Clearwater the insights to measurably and materially reduce cyber breaches. We'll review the analysis from HITRUST's inaugural Trust Report and the obstacles needed to protect patient care, healthcare businesses, and innovators by breaking down the compliance path and security objectives.
If you liked this webinar, you may also be interested in:
Jul 8, 2026
Governing Third-Party Information Risk
Organizations depend on third parties to operate and compete. Vendors, cloud providers, software platforms, processors, subcontractors, service organizations, and AI-enabled systems support critical business functions, process sensitive information, and shape operational resilience. This dependence has made third-party information risk a board-level governance issue.
Third-party information risk reaches beyond cybersecurity. A third-party failure can create operational disruption, privacy impact, regulatory exposure, contractual loss, business interruption, reputational harm, customer impact, uninsured financial loss, and continuity failure. The issue for boards and senior management is exposure: what risk the enterprise carries because information, systems, processes, and dependencies sit outside their control.
From Activity Metrics to Exposure-Based Governance
Most organizations have responded by building third-party risk management programs. These programs review vendors, collect assurance reports, request and analyze questionnaires, evaluate contracts, require insurance, manage remediation, and route exceptions for approval. These activities matter. Effective governance also requires a clear view of the exposure those vendors create.
Many organizations still govern third-party risk through activity reporting. Those metrics help track program execution. They rarely show the critical measurements of total residual information risk, total financial exposure, deviations from established norms, peer alignment, concentration risk, retained risk, transferred risk, or required action. A governance model should convert those inputs into a consistent view of residual exposure, confidence, tolerance alignment, concentration, financial impact, retained risk, and transferred risk.
That is the focus of the last installment in HITRUST's The Missing Measure in Information Risk series, Governing Third-Party Information Risk. The paper examines how organizations can move beyond vendor review activity and toward a governance model that measures residual exposure, validates coverage and confidence, compares exposure to defined appetite and tolerance, explains deviations, aggregates risk, benchmarks against peers, and evaluates treatment and transfer.
The paper also reinforces the need for clear accountability between management and the board or risk committee. Management operates the governance model by maintaining the measurement approach, applying thresholds, validating coverage, identifying concentrations, evaluating treatment and transfer, and reporting material exposure. The board or risk committee oversees whether the model is credible and aligned to appetite, while reviewing material exposure, deviations, retained and transferred risk, and confidence in the model.
Read Part 1: The Missing Measure in Third-Party Information Risk
Explore why organizations struggle to consistently measure residual third-party risk and why a common risk language is essential for governance, decision-making, and risk transfer.
Read Part 2: The Hidden Weakness in Third-Party Cyber Risk Transfer
Learn how traditional vendor cyber insurance can create blind spots in third-party risk programs and why risk transfer mechanisms must evolve alongside today's interconnected digital ecosystem.
Read Part 3: Governing Third-Party Information Risk
See what changes when third-party risk reporting shifts from activity metrics to exposure-based governance, giving leadership visibility into the exposure carried, confidence in the view, and action required.
Governing Third-Party Information Risk Governing Third-Party Information Risk
Jun 23, 2026
Last Call for Feedback on Proposed HITRUST Certification Requirement Updates
HITRUST is reminding assessors, MyCSF subscribers, and organizations with third-party risk management (TPRM) programs participating in the HITRUST certification program that the comment period for proposed updates to select HITRUST CSF certification requirements will close on July 1, 2026.
The proposed updates are intended to address the rapidly evolving vulnerability identification and exploitation landscape enabled by frontier AI models and help organizations address the "Defend" and "Thwart" focus areas reflected in the NIST Cyber AI Profile.
The changes affect requirements across Endpoint Protection, Configuration Management, Vulnerability Management, Audit Logging & Monitoring, Third Party Assurance, Incident Management, and Risk Management.
Stakeholders are encouraged to review the proposed changes and provide feedback directly in Manula, particularly regarding the clarity, feasibility, and implementation impact of the revised requirements.
Community input plays an important role in ensuring the HITRUST certification program remains effective, practical, and aligned with current risk realities.
Please submit all feedback by July 1, 2026.
Last Call: Request for Comment Last Call: Request for Comment
Jun 18, 2026
AI is Accelerating Threats. Assurance has to Keep Up.
Artificial intelligence is changing cybersecurity from both sides.
Organizations are using AI to improve productivity, automate workflows, accelerate development, and unlock new business opportunities. At the same time, threat actors are using AI to accelerate reconnaissance, identify vulnerabilities faster, refine social engineering attacks, and scale exploitation efforts.
The result is a threat landscape that’s evolving faster than ever.
For years, organizations could rely on security assessments and assurance activities that remained relevant for extended periods of time. Today, that assumption is hard to defend. As AI speeds up the pace of attacks, the discovery and exploitation of vulnerabilities, and breaches, assurance must evolve alongside the threats it is designed to address.
AI is changing the risk equation. Assurance has to keep up.
The pace of exploitation is increasing
Cybersecurity has always been a race between adversaries and defenders.
What has changed is the speed.
Threat actors are using AI to become more sophisticated, speed up attacks, and scale the attacks against more targets at lower cost. Activities that once took days or weeks can increasingly be performed in hours.
AI is helping attackers:
- Identify vulnerabilities faster across larger attack surfaces
- Refine phishing and social engineering campaigns at scale
- Automate reconnaissance and information gathering
- Reduce the effort required to identify and exploit weaknesses (both people and systems)
This creates a challenge for organizations that rely on static views of security.
An assessment may accurately reflect an environment at a specific point in time, but if the threat landscape changes rapidly, organizations must also ask a different question:
Are the controls being evaluated still aligned with the threats that matter today?
That concept is becoming increasingly important in an AI-driven threat environment. Security teams need confidence that assurance remains relevant as adversaries evolve their tactics and techniques. As HITRUST has noted, AI can speed up vulnerability discovery, which means weaknesses may be found and exploited faster than organizations have historically experienced. Assurance must stay tied to current threat conditions, not simply reflect a past review.
Threat-adaptive assurance matters more in the age of AI
Many cybersecurity frameworks were built around periodic updates and relatively stable control environments.
Today's threat landscape is different.
New attack techniques emerge constantly. Existing techniques evolve. AI introduces new dependencies, new operational risks, and new opportunities for misuse and abuse. Organizations need assurance mechanisms that can respond to those realities.
This is why HITRUST continues to invest in Cyber Threat Adaptive program.
Cyber Threat Adaptive uses threat intelligence, vulnerability research, and real-world attack data to help ensure assurance requirements remain aligned with how adversaries actually operate. Rather than relying solely on static control sets, HITRUST continuously evaluates emerging threats and incorporates those insights into the HITRUST CSF. Cyber Threat Adaptive is designed to keep assurance relevant as threats evolve, helping organizations demonstrate security practices that align with today's threat environment.
HITRUST has also expanded its threat analysis beyond MITRE ATT&CK to include MITRE ATLAS, MITRE's knowledge base of adversarial tactics and techniques targeting AI-enabled systems. Based on extensive analysis of threat intelligence and attack indicators, HITRUST uses these insights to help ensure AI Security Certification remains responsive to the evolving AI threat landscape.
In an AI-driven world, relevance matters.
A control can still be operating exactly as designed and still no longer be sufficient for the risk it was intended to address. Continuous relevance asks whether controls remain effective against the threats organizations face now, not just the threats they faced when an assessment began.
AI systems require AI-specific assurance
The rise of AI is not only changing how attacks occur. It is also changing what organizations need to secure.
AI-enabled systems introduce considerations that extend beyond traditional software security.
Organizations must account for risks such as:
- Model and third-party AI dependencies
- Data exposure and sensitive information handling
- Access controls, permissions, and oversight responsibilities
- Integrations with business-critical systems
- Emerging attack techniques that target AI systems directly
These considerations create assurance requirements that differ from those for traditional software.
That is why AI security assurance cannot simply be treated as another checkbox within a broader security program.
Organizations need evidence that AI systems and the environments supporting them have been evaluated against AI-specific cybersecurity expectations.
HITRUST AI Security Certification was designed to help provide that evidence and assurance. Available as a standalone offering for deployed AI systems and AI-enabled technologies, it provides a structured path to validated AI cybersecurity assurance. Rather than relying solely on AI policies or high-level governance statements, organizations can demonstrate that AI systems have been assessed and validated against defined security requirements designed to address real-world threats.
This distinction is increasingly important as customers, partners, boards, and regulators seek stronger evidence that AI-enabled technologies are being deployed securely.
The future of AI trust depends on assurance
AI adoption will continue to accelerate.
The question is whether assurance can evolve at the same pace.
Organizations need more than confidence that controls were effective yesterday. They need confidence that assurance remains aligned with today's threats and tomorrow's risks.
That requires a threat-informed approach that continuously evaluates how adversaries operate, how technologies evolve, and how security expectations should adapt.
As AI reshapes the cybersecurity landscape, organizations will increasingly need assurance that is both validated and threat-relevant.
Because when AI accelerates exploitation, assurance cannot stand still.
Learn how HITRUST AI Security Certification helps organizations demonstrate validated, threat-informed assurance for deployed AI systems.
Contact us to learn how HITRUST AI Security Certification can help you demonstrate validated cybersecurity assurance for deployed AI systems.