As organizations navigate increasing customer and stakeholder demands for security assurances, many are turning to SOC 2. But what if you could take your compliance a step further without doubling the effort? Join us to learn how the HITRUST e1 certification can enhance your compliance program, reduce duplicative efforts, and set your organization up for success.
If you liked this webinar, you may also be interested in:
Oct 14, 2025
In 2025, healthcare cybersecurity is no longer just about defending your own walls. It’s about hardening the entire network of partners, vendors, suppliers, and service providers on which your operations depend, because those vendors are now under attack themselves. Two recent reports make that clear: one from the American Hospital Association (AHA) and another from Comparitech.
How are cyber threats evolving in healthcare?
According to the AHA’s 2025 Cybersecurity Year in Review, healthcare continues to be a frequent target of data breaches and cyber incidents. As of early October, 364 hacking incidents had been reported to the U.S. Department of Health and Human Services’ Office for Civil Rights, affecting more than 33 million individuals.
The AHA report notes that while the forms of attack continue to evolve, from phishing and ransomware to exploitation of software vulnerabilities, many breaches persist because organizations still lack a comprehensive, organization-wide framework for managing cybersecurity and third-party risk.
Meanwhile, Comparitech reports a troubling shift: ransomware attackers are increasingly focusing on vendors and third-party service providers rather than hospitals themselves. Attacks on healthcare businesses, including technology vendors, pharmaceutical firms, and billing providers, rose 51% — from 43 to 65 — over the past year.
Why does vendor and third-party exposure matter more than ever?
This evolution underscores a critical reality: even if your own systems are well defended, your extended ecosystem may be your greatest vulnerability.
A single vendor compromise can expose multiple downstream organizations that rely on that vendor’s systems or data. Attackers understand this dynamic. By breaching a third party with weaker defenses, they can gain entry to many targets at once — health systems, health plans, and business partners included.
Traditional approaches like securing internal systems and auditing a limited set of vendors are no longer enough. Effective cybersecurity now requires continuous oversight, consistent control standards, and validated assurance across the entire vendor network.
Table: Comparing internal vs. third-party cyber risk

| Aspect | Internal Systems | Third-Party Vendors |
| --- | --- | --- |
| Control | High | Varies by partner |
| Visibility | Direct | Often limited |
| Common Risks | Phishing, malware, system exploits | Supply chain attacks, vendor misconfigurations |
| Breach Impact | Isolated | Cascading across clients and partners |
| Mitigation Approach | Framework-driven controls | Continuous TPRM oversight and assurance |
Why is HITRUST TPRM the right strategic response?
If attackers are moving upstream, organizations must shift their defenses accordingly. A robust Third-Party Risk Management (TPRM) program, anchored in the HITRUST framework, enables organizations to manage and reduce cyber risk across their ecosystems.
Built-in assurance through a trusted framework
The HITRUST Framework provides a prescriptive and scalable set of controls that are widely recognized across healthcare, finance, and technology sectors. A HITRUST-aligned TPRM approach standardizes expectations for vendors and streamlines the process of assessing and verifying their security posture.
TPRM is about prevention, not reaction
TPRM is about prevention, ensuring vendors have strong controls in place before a breach occurs. Continuous monitoring, policy enforcement, and clear accountability transform risk management from a reactive compliance exercise into an active defense strategy.
A business differentiator
As regulators, partners, and customers demand more transparency about cyber risk, organizations that can prove their TPRM maturity have a competitive advantage. Demonstrating HITRUST alignment signals that your organization and its vendors meet the highest standards of security assurance.
What steps should you take now?
- Reassess your vendor portfolio to identify which partners have access to sensitive data or critical systems.
- Move from periodic vendor assessments to continuous, data-driven oversight.
- Align your TPRM program with a trusted approach, such as HITRUST, to enforce consistency and accountability.
- Elevate third-party risk to a board-level discussion. It is a business risk, not just an IT concern.
In today’s environment, cyber attackers don’t need to breach your defenses directly; they can simply compromise someone you depend on. As ransomware and breach campaigns increasingly target vendors, organizations must recognize that the security of their ecosystem is inseparable from their own.
The only sustainable path forward is to embed cybersecurity and third-party risk management into the organization’s DNA. With HITRUST as the foundation, that shift becomes measurable, repeatable, and trustworthy.
Why You Can’t Afford to Ignore Vendor Risk Management in 2025
Oct 7, 2025
California has officially enacted Senate Bill 53 (SB 53), the Transparency in Frontier Artificial Intelligence Act, marking a pivotal moment in U.S. technology regulation. Signed by Governor Gavin Newsom on September 29, SB 53 introduces the nation’s first comprehensive safety and transparency requirements for frontier AI developers — those building the most advanced and computationally intensive AI systems.
| California’s SB 53 Requirement | Applies To | Key Details | HITRUST Support |
| --- | --- | --- | --- |
| Public safety frameworks | Large AI developers | Publish AI safety frameworks | Governance and transparency guidance |
| Catastrophic risk assessments | Frontier AI developers | Disclose high-risk scenarios | Risk mitigation strategies |
| Incident reporting | All AI developers | Report incidents to OES | Aligns with 15-day / 24-hour reporting |
| Whistleblower protections | Employees | Protect employees raising concerns | Enables accountability |
| Civil penalties | Noncompliant developers | Fines up to $1M per violation | Certification reduces compliance risk |
What does SB 53 require?
California’s AI safety law, SB 53, focuses on transparency and risk mitigation rather than liability, distinguishing it from last year’s vetoed SB 1047. Key provisions include:
- Public safety frameworks: Large frontier developers (annual revenue above $500M that train models using more than 10²⁶ operations) must publish documented frameworks detailing how they incorporate national and international standards into their AI development processes.
- Catastrophic risk assessments: Companies must disclose assessments of risks that could lead to mass harm or $1B+ in damages, such as autonomous misuse or bioweapon development.
- Incident reporting: Critical safety incidents must be reported to California’s Office of Emergency Services (OES) within 15 days, and imminent threats within 24 hours.
- Whistleblower protections: Employees who raise safety concerns are shielded from retaliation, reinforcing accountability.
- Civil penalties: Noncompliance can result in fines up to $1 million per violation, enforceable by the state attorney general.
Why does this matter?
California’s move underscores a growing trend: state-level leadership in AI governance amid stalled federal action. SB 53 is widely viewed as a blueprint for future regulation, similar to how GDPR influenced global privacy standards. Analysts predict that transparency requirements will become a competitive differentiator, shaping procurement decisions and investor confidence.
How does HITRUST help with SB 53 compliance?
HITRUST is positioned to help organizations navigate SB 53’s requirements through its AI Security Assessment and Certification, which includes:
- 44 harmonized AI controls mapped to NIST, ISO, OWASP, and the HITRUST CSF.
- Catastrophic risk mitigation strategies addressing model poisoning, prompt injection, and supply chain threats.
- Incident response alignment with SB 53’s 15-day and 24-hour reporting windows.
- Governance and transparency support for publishing safety frameworks and enabling whistleblower protections.
- Independent assurance through HITRUST’s centralized QA and certification process.
“As California leads the way in AI governance, HITRUST offers a certifiable path to compliance that balances innovation with accountability,” said Jeremy Huval, Chief Innovation Officer at HITRUST.
Will other states follow California’s AI law?
SB 53 signals a new era of AI accountability. Whether other states follow suit or Congress steps in with a federal standard, organizations that prioritize risk management and transparency today will be better positioned for tomorrow’s regulatory landscape.
Learn more about HITRUST’s AI Security Certification and how we can help your organization meet SB 53 requirements.
Understanding California’s SB 53 Law for AI Governance and Compliance
Oct 1, 2025
What is CMMC, and why is it challenging for contractors?
The Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) is now a prerequisite for doing business within the Defense Industrial Base. Unlike a simple checklist, CMMC is a maturity model with level-specific expectations tied to federal rulemaking and the Defense Federal Acquisition Regulation Supplement (DFARS).
Contractors must implement the right controls at the right level, prove they work, and keep proving it over time. Common hurdles in this process include fragmented frameworks, audit fatigue, and the burden of producing credible, repeatable evidence. The good news is that the HITRUST CSF v11.6 and later includes mappings to CMMC Levels 1–3, enabling organizations to align their cybersecurity programs with federal mandates while leveraging a single integrated framework.
How does HITRUST make CMMC readiness simpler and stronger?
HITRUST translates CMMC requirements into a practical, defensible, and scalable assurance program. With the HITRUST framework mappings to CMMC Levels 1–3 and targeted reporting (including Level 1 Insights), organizations can “build once” and inherit rigor across mandates, reducing rework while improving audit confidence with prime contractors, assessors, and the DoD.
What’s the quick view: CMMC vs. HITRUST support?
| Level | Scope (Data) | CMMC Path | HITRUST Boost | Key Artifact |
| --- | --- | --- | --- | --- |
| L1 | FCI (Federal Contract Information) | Self-assessment + Supplier Performance Risk System (SPRS) | Right-sized, mapped basics; repeatable evidence | CMMC L1 Insights Report |
| L2 | CUI (Controlled Unclassified Information) | Self-assessment for select programs; third-party assessment (prioritized); NIST SP 800-171 practices | Validated testing; mapped evidence and gaps | HITRUST Validated Assessment |
| L3 | CUI (higher risk) | Government-led, high-rigor assessment; subset of NIST SP 800-172 | Mature evidence lifecycle; continuous readiness | Assurance reports and readiness pack |
How do we map a practical path to CMMC using HITRUST?
- Confirm your target level. Determine whether you handle FCI (often Level 1) or CUI (typically Level 2; certain programs require Level 3), and anchor your plan to that level.
- Adopt HITRUST CSF mappings. Align policies and procedures to mapped controls to reduce interpretation risk and ensure complete, level-appropriate coverage.
- Leverage Level 1 Insights (if applicable). Use the CMMC Level 1 Insights Report to structure self-assessments and streamline accurate SPRS submissions.
- Plan validated assurance for higher levels. For Levels 2–3, use HITRUST’s validated assessments and evidence model to prepare for third-party or government-led audits.
- Operationalize continuous readiness. Centralize evidence, manage inheritance, and schedule periodic checks to avoid last-minute remediation cycles.
What benefits can contractors and suppliers expect?
- Efficiency: One integrated framework supports multiple outcomes — CMMC and beyond — reducing duplication and audit fatigue.
- Credibility: Evidence grounded in tested controls resonates with prime contractors, C3PAOs, and federal stakeholders.
- Scalability: Right-sized for SMBs yet robust enough for large integrators; inheritance and centralization keep costs predictable.
- Resilience: Continuous-readiness practices help you maintain compliance as contracts, environments, and threats evolve.
Why is now the right time to act?
With CMMC requirements maturing across solicitations and flow-down clauses reaching subcontractors, delays put your contract pipeline and partner trust at risk. Adopting HITRUST now accelerates certification readiness and sets a durable foundation for ongoing assurance, so you’re prepared not only to earn certification, but to keep it.
How do we get started fast?
- Identify your CMMC level based on data sensitivity and planned opportunities.
- Activate HITRUST mappings to translate CMMC into implementable, testable controls.
- Use Level 1 Insights for efficient, defensible self-assessments and clean SPRS submissions.
- Schedule a validated assessment pathway for Levels 2–3 and establish a cadence for continuous evidence maintenance.