Explore how the HITRUST Shared Risk Facility, in partnership with Trium Cyber, simplifies the process of obtaining cyber insurance for organizations with HITRUST certification. This webinar highlights the benefits such as streamlined applications, consistent renewals, shorter underwriting timelines, enhanced assurance, expanded coverage features, standardized data collection, and competitive premiums.
If you liked this webinar, you may also be interested in:
Jan 13, 2025
The U.S. Department of Health and Human Services (HHS) has issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time in over 20 years, aiming to address evolving cybersecurity threats and data breaches in the healthcare industry. HITRUST welcomes these updates and is committed to supporting healthcare entities in navigating these new compliance requirements.
In our official statement, we highlight how organizations with HITRUST certifications are already well-positioned to meet over 90% of the proposed requirements, thanks to our robust framework and commitment to comprehensive risk management. Our statement also outlines the challenges posed by the NPRM and provides actionable recommendations to ensure that the proposed regulations effectively enhance cybersecurity without introducing unnecessary complexities.
We invite you to explore our full statement to learn more about HITRUST’s perspective on the NPRM, our commitment to supporting the healthcare industry, and our continued efforts to drive meaningful advancements in cybersecurity.
HITRUST Issues a Statement on the 2024 HIPAA NPRM
Jan 7, 2025
Due diligence and security questionnaires have become staples of the vendor risk assessment process for third-party risk management (TPRM). However, as the cybersecurity landscape evolves, our tools must evolve, too. Due diligence questionnaires remain a necessary component but the overreliance on static security questionnaires has become a barrier to effective risk management.
The value of due diligence questionnaires
Due diligence questionnaires are designed to answer critical, relationship-specific questions.
- Scope of engagement: What data, systems, or services will the third party access?
- Compliance requirements: Are specific legal, regulatory, or contractual obligations tied to this relationship?
- Business impact: What is the potential operational or reputational risk if this third party is compromised?
These questions go beyond generic cybersecurity concerns, focusing on the unique aspects of the partnership. They help organizations understand the relationship and ensure that appropriate safeguards align with its specifics. Due diligence questionnaires are a necessary foundation for establishing trust and setting expectations.
The problem with security questionnaires
Security questionnaires often fall short. These standardized forms ask third parties to provide detailed information about their cybersecurity practices.
- How do they handle encryption?
- Have they had recent audits?
- What are their incident response protocols?
While these are important topics, the format of traditional questionnaires introduces several issues.
1. Static and stale data
Security questionnaires provide a snapshot in time that quickly becomes outdated. A vendor might submit a completed questionnaire today, but their environment, controls, or threat landscape could change tomorrow.
2. Lack of context
These forms are often disconnected from the specifics of the relationship. For example, knowing that a vendor uses encryption is less relevant if the relationship doesn’t involve handling sensitive data.
3. Inefficiency
Completing and reviewing lengthy questionnaires is time-consuming for both parties, creating bottlenecks that slow down procurement and vendor risk assessments.
4. Checkbox mentality
Organizations may treat completed questionnaires as a substitute for meaningful engagement, creating a false sense of security without truly understanding the risks.
5. Expertise of analysts
Questionnaires are typically developed by the staff at the requesting organization. The staff may lack the expertise to evaluate control selection or even the ability to interpret the results/responses to the questions.
A better approach to TPRM
To move forward, organizations must reimagine the role of questionnaires in TPRM.
1. Use due diligence for context
Focus on due diligence to capture relationship-specific insights. These questions matter most for tailoring your risk management approach to the specific vendor or partner.
2. Replace static questionnaires with dynamic assessments
Instead of relying on static forms, leverage real-time threat intelligence, continuous monitoring, and assessments that incorporate threat data into the control selection to understand a vendor’s security posture.
3. Focus on collaboration, not compliance
Engage with third parties to address risks collaboratively. Move beyond filling out forms to having meaningful discussions about risks, mitigations, and shared goals.
4. Streamline where possible
Adopt frameworks and framework bodies that actively collaborate on reciprocity to reduce redundancy and streamline the process for vendors managing multiple client requests.
The bottom line
Due diligence questionnaires remain a vital part of TPRM because they provide relationship-specific details needed to assess and manage risks effectively. Security questionnaires, however, need a modern overhaul. By transitioning from static, checklist-driven approaches to dynamic, real-time methods, organizations can focus on what truly matters: building resilient partnerships that mitigate risks and enable business growth.
It’s time to retire the outdated questionnaire model and embrace a more effective, efficient, and adaptive approach to TPRM. After all, managing third-party risks isn’t about ticking boxes — it’s about protecting your organization in an interconnected world.
Why Due Diligence Questionnaires Are Essential, but Security Questionnaires Need a Rethink
Dec 17, 2024
HITRUST has submitted a letter to the incoming administration and key Congressional Committees regarding proposed modifications to the HIPAA Security Rule. This comes in light of proposed legislative measures aimed at improving the cybersecurity posture of the healthcare industry.
Despite existing regulations and guidelines, the healthcare sector continues to face direct and opportunistic targeting, with ongoing attacks impacting vital patient care and trust. HITRUST shares the objective of the Department of Health and Human Services and Congress: healthcare organizations must manage information risk effectively, and guidelines must be based on each organization’s overall risk posture and proven through compliance systems. Even so, it is critical to revisit the outdated and incomplete approaches historically used to address cybersecurity risks in healthcare.
HITRUST’s letter emphasizes the need to rethink these approaches and recommends leveraging proven, scalable models that enhance security outcomes while avoiding inefficiencies or unnecessary complexity. We believe that substantial improvements in cybersecurity can be achieved through actionable strategies and tools, not just compliance.
A key recommendation from HITRUST is addressing a significant design flaw in the HIPAA Security Rule. Currently, the Rule fails to effectively reduce risk because it lacks relevant, clear, and prescriptive guidelines for controls and assurance. The result is inconsistent implementation and lack of objective measurement, preventing meaningful risk management.
HITRUST’s 17 years of experience, along with insights from our 2024 Trust Report, demonstrate the effectiveness of comprehensive risk management strategies. Only 0.64% of HITRUST-certified environments reported breaches over the past two years — proof that robust risk management can yield substantial security outcomes with the right strategies and tools.
We invite you to read our letter to learn more about how HITRUST is advocating for practical, impactful changes to safeguard the healthcare system.