Takeaways
- Healthcare remains a top target for cyberattacks: Cybercriminals are intensifying attacks against healthcare organizations due to valuable patient data and outdated systems.
- Vendors are the new attack vector: Even the most secure organizations can be compromised through a trusted third party.
- HITRUST e1 provides proven protection: The HITRUST e1 offers a pragmatic, standardized way to verify that both organizations and their vendors have implemented critical cybersecurity controls to prevent, detect, and respond to today’s most prevalent threats.
Overview
The Huntress 2025 Cyber Threat Report analyzes attacks observed in 2024, showing that cybercriminals are repurposing sophisticated techniques for small and mid‑sized organizations. Healthcare was hit particularly hard because it holds valuable patient data and often relies on outdated systems. Threat actors frequently used malicious scripts, remote access Trojans (RATs), remote‑monitoring tool abuse, and ransomware. These patterns highlight the need for comprehensive security measures across the entire supply chain. One major risk associated with these attacks is that the threat actor may compromise enterprise systems via a third party. For example, any of your hundreds of software providers may be compromised by these attacks and used as a stepping stone into your customers’ environments.
Key threats and relevant e1 controls
Malicious scripts and fileless malware
- What Huntress saw: Malicious script executions were the most common attack vector in healthcare. Attackers used PowerShell or JavaScript to persist on hosts, modify the Windows Registry, or download additional malware.
- e1 controls: Deploy endpoint protection tools that can detect and block script‑based attacks and fileless malware. Enforce default‑deny rules on host‑based firewalls to prevent unauthorized outbound connections. Keep systems patched and configurations hardened to reduce exploitable vulnerabilities. Prohibit installation of unauthorized software and disable auto‑run features to limit untrusted code execution. Perform regular vulnerability scans and implement an incident response plan to catch and remediate malicious activity quickly.
Infostealers and credential harvesting
- What Huntress saw: Infostealers targeted healthcare to extract PHI and credentials. More than 38% of hands‑on‑keyboard activity involved network or domain reconnaissance, and attackers used tools such as Mimikatz to dump cached credentials.
- e1 controls: Enforce strong password policies and change default credentials on all systems. Require multi‑factor authentication for privileged accounts and remote access to limit the impact of stolen passwords. Review account privileges regularly, limit administrative rights, and use separate accounts for administrative duties. Enable comprehensive logging and protect audit trails to support investigation of credential misuse. Provide ongoing security awareness and phishing‑resistance training so staff recognize and report credential‑stealing attempts.
Ransomware, data theft, and extortion
- What Huntress saw: Ransomware in healthcare shifted toward data theft and extortion. Attackers combined data exfiltration with encryption to coerce victims, and the rise in cryptocurrency prices emboldened them.
- e1 controls: Maintain offline or immutable backups and test restoration procedures regularly. Establish a robust incident response capability that includes detection, containment, and recovery. Limit access to sensitive data to authorized personnel and encrypt data on mobile devices. Use email and web‑filtering technologies to block phishing emails and connections to known malicious domains.
Remote Access Trojans (RATs) and RMM abuse
- What Huntress saw: Attackers deployed Java‑based RATs (such as JRat and Adwind) and abused legitimate remote monitoring tools.
- e1 controls: Secure remote access with multi‑factor authentication and restrict the use of remote administration tools to authorized solutions. Segment networks with firewalls to separate internal systems from external networks and limit lateral movement. Maintain an accurate inventory of IT assets and forbid installation of unauthorized software, including unauthorized RMM tools. Configure devices to log off idle sessions automatically and assign unique user accounts to all personnel.
Lateral movement and network enumeration
- What Huntress saw: Attackers spent significant time mapping networks and domains. They used toolkits (e.g., ntdsutil, diskshadow) to dump credentials and move laterally, often exploiting legacy systems.
- e1 controls: Apply least‑privilege principles; only authorized individuals should have administrative rights, and privileged activities should be logged and reviewed. Use network segmentation and host‑based firewalls to restrict inter‑segment traffic and make lateral movement more difficult. Perform regular asset inventories and vulnerability scans to identify legacy systems and misconfigurations. Enforce change‑control procedures and maintain baseline configurations to prevent unauthorized changes. Collect and retain audit logs so lateral movement can be detected and investigated.
Why vendor compliance with e1 requirements matters
The Huntress report shows that attackers exploit weaknesses not just in their primary targets but also in connected systems. Vendors often have direct network access or handle sensitive data on behalf of clients. If a vendor neglects patching, uses weak credentials, or does not enforce multi‑factor authentication, it can become the entry point for the same malicious scripts, infostealers, or remote‑access abuse described above.
Requiring vendors to adhere to the e1 requirements offers assurance that they implement comprehensive controls across governance, technical, and operational domains. These controls include endpoint security, firewalls, strong authentication, least‑privilege access, incident response, and employee training. Mandating an e1 certification in vendor contracts reduces third‑party risk, demonstrates due diligence, and aligns the entire ecosystem to best practices.
Conclusion
The 2025 Huntress report underscores the evolving threats facing healthcare organizations, from malicious scripts and infostealers to ransomware and lateral movement. The e1 requirements provide a structured set of practices that collectively mitigate these threats by addressing technical vulnerabilities, human factors, and incident response readiness. Organizations should not only implement these controls internally but also require their vendors to meet them. Doing so builds a resilient defense that protects patient data and ensures continuity of care in the face of an increasingly aggressive threat landscape.
Healthcare Under Attack: How HITRUST e1 Defends Against Modern Cyber Threats
By Jason Kor, Principal, Third Party Cyber Risk at HITRUST
If you’re using Oracle Cloud Infrastructure (OCI) and working through a HITRUST assessment in MyCSF, inheritance lets you rely on OCI’s existing HITRUST-validated controls instead of re-assessing everything from scratch. In this post, we’ll discuss what inheritance means, how it works in HITRUST MyCSF, and how you can use it to save time and effort on your journey to HITRUST certification.
What is inheritance in HITRUST?
Inheritance is a mechanism that allows one organization to leverage the assessment results of another. In simple terms, if a third party (like a cloud service provider) has already been assessed and certified for certain HITRUST CSF controls, you can “inherit” those controls instead of undergoing separate testing for them. For example, because Oracle Cloud Infrastructure is HITRUST certified, an OCI customer can reuse OCI’s assessment results for relevant cloud security requirements rather than testing those controls independently. This feature is built into MyCSF.
How does it work in MyCSF?
MyCSF is HITRUST’s online platform for managing assessments, and it enables inheritance of control testing results between assessments. The platform allows the control maturity scores of specific requirements to be transferred from a provider’s HITRUST assessment into your own assessment (with the provider’s permission). In practice, this can dramatically reduce your assessment workload.
What are the benefits of using inheritance with OCI?
Relying on OCI’s HITRUST validated controls offers several clear benefits for your organization, including:
- Significant time and cost savings: By inheriting controls from OCI’s assessment, you avoid performing redundant testing and evidence collection for those controls. This streamlines your certification process, potentially saving hundreds of hours of effort and associated external assessor costs.
- Leverage proven security controls: OCI’s controls that have been evaluated against the HITRUST CSF are already proven effective. Inheriting these gives you immediate credit for the strong security measures implemented by OCI. This can even help boost your scores in certain areas, since you’re benefiting from controls that were assessed at higher maturity levels by a trusted provider.
What is the step-by-step process of inheriting OCI's controls in MyCSF?
Below is a step-by-step overview of how to identify, evaluate, and inherit applicable controls from OCI’s validated HITRUST assessment.
- Identify available inheritable controls: Start by determining which HITRUST CSF control requirements OCI has already covered for you. Oracle provides a HITRUST Shared Responsibility Matrix (SRM) that clearly shows which controls are fully or partially OCI’s responsibility. Review OCI’s SRM (available through MyCSF, the HITRUST website, or Oracle’s compliance resources) to see which requirements are marked as inheritable from OCI. Focus on controls that align with the OCI services you are using.
- Evaluate applicability to your assessment scope: For each control that might be inheritable, ensure it applies to your assessment’s scope and your use of OCI. Verify that you are using the OCI service associated with that control and that you meet any conditions for relying on OCI’s implementation.
- With the help of your external assessor
- Submit an inheritance request in MyCSF: In the MyCSF portal, create a new inheritance request against Oracle Cloud Infrastructure’s HITRUST assessment. Here, you will select OCI as the “Inheritance Provider” and specify which control requirements you wish to inherit.
- Oracle reviews and approves (or denies) the request: After submission, the OCI compliance team reviews your inheritance request. They compare your requested controls against OCI’s HITRUST assessment and the shared responsibility criteria. In essence, OCI will approve the request if you’re a valid customer and the controls truly fall under OCI’s assessment.
- Apply approved inherited controls: Once OCI approves your request, OCI’s assessment results for those control requirements are inherited into your MyCSF assessment.
Shared responsibilities across HITRUST domains
It’s important to understand that not all HITRUST requirements can be inherited. It depends on what responsibilities OCI assumes versus what remains with you. The concept of shared responsibility in cloud computing comes into play: OCI covers the security of the cloud (the underlying infrastructure), while you’re responsible for security in the cloud (your applications, data, and internal processes). Some domains lend themselves more readily to inheritance based on this split.
Each domain has many requirements, some of which will be inheritable. For detailed control-level inheritability, please refer to the resources shared below. Here is a summary.
| Domain | Customer’s Responsibility | OCI’s Responsibility | Inheritability |
|---|---|---|---|
| 1. Information Protection Program | You must own and maintain an information protection program aligned with HITRUST. This includes governance, risk, and compliance policies. | OCI provides credentials (ISO, SOC, HITRUST) but does not manage your corporate security program. | Not inheritable |
| 2. Endpoint Protection | You must secure laptops, workstations, and other endpoints used to access OCI. This includes EDR, patching, and MDM. You must also configure OCI Compute and OKE workloads securely. | OCI provisions VMs and clusters securely and maintains platform configurations once set. | Slightly inheritable |
| 3. Portable Media Security | You must control all portable media outside of OCI facilities (USB drives, laptops, external storage). | OCI prevents removable media in its datacenters and securely manages any physical media. | Highly inheritable |
| 4. Mobile Device Security | You must secure mobile devices used to access the OCI Console, APIs, or your application. This includes encryption, MDM, and conditional access. | OCI IAM supports MFA and federated SSO for secure mobile login. | Slightly inheritable |
| 5. Wireless Protection | You must secure your corporate wireless infrastructure (Wi-Fi, VPN, remote access). | OCI does not manage your wireless networks; its scope ends at the datacenter. AWS manages any wireless networks inside the datacenters. | Not inheritable |
| 6. Configuration Management | You must configure compartments, IAM policies, secrets in OCI Vault, and tenancy/app settings securely. Misconfigurations remain your responsibility. | OCI maintains baseline configurations for its managed services once provisioned. | Moderately inheritable |
| 7. Vulnerability Management | You must patch your application code, libraries, and containers, and use the OCI Vulnerability Scanning Service for workloads. | OCI patches the hypervisor, runtimes, and managed services like Autonomous DB. | Moderately inheritable |
| 8. Network Protection | You must configure VCNs, Security Lists, Network Security Groups, and OCI WAF to enforce least privilege access. | OCI secures backbone networking and provides DDoS protection and segmentation at the platform level. | Moderately inheritable |
| 9. Transmission Protection | You must enforce HTTPS/TLS for app endpoints and secure data exchanges with third parties. | OCI enforces TLS in its backbone and provides OCI Certificates for managed certs. | Moderately inheritable |
| 10. Password Management | You must define and enforce strong credential policies and MFA for your app’s users. | OCI IAM enforces password/MFA policies for tenancy administrators. | Slightly inheritable |
| 11. Access Control | You must design and manage IAM policies, compartments, and application-level authorization (RBAC/ABAC). | OCI provides the IAM framework, groups, dynamic groups, and federation capabilities. | Moderately inheritable |
| 12. Audit Logging & Monitoring | You must enable OCI Audit, configure Logging & Monitoring, and analyze logs in a SIEM or Logging Analytics. | OCI automatically generates platform Audit events and exposes native logging streams. | Moderately inheritable |
| 13. Education, Training & Awareness | You must train developers, admins, and users on security responsibilities and cloud best practices. | OCI provides documentation and security guidance, but does not train your workforce. | Not inheritable |
| 14. Third-Party Assurance | You must review OCI compliance reports and manage assurance for your vendors (SaaS, APIs, processors). | OCI provides attestation reports through the Compliance portal. | Not inheritable |
| 15. Incident Management | You must implement an incident response plan for your applications and tenancy. Subscribe to OCI Service Health notifications. | OCI manages platform-level incidents and posts advisories on the OCI Service Health Dashboard. | Moderately inheritable |
| 16. Business Continuity & Disaster Recovery | You must design for resiliency across regions, perform backups to Object Storage, and test restores. | OCI provides redundant regional services and SLAs for core infrastructure. | Moderately inheritable |
| 17. Risk Management | You must conduct risk assessments, identify threats, and document treatment plans for your applications. | OCI provides a secure platform, but does not perform risk management on your behalf. Notably, some change management requirements appear in those domains, which are handled by OCI where appropriate. | Moderately inheritable |
| 18. Physical & Environmental Security | | OCI fully manages datacenter security, biometrics, HVAC, redundant power, and other physical or environmental controls. | Highly inheritable |
| 19. Data Protection & Privacy | You must classify sensitive data, apply retention/deletion policies, and fulfill privacy obligations (e.g., DSARs). | OCI provides default encryption at rest, Vault for key management, and data residency controls. | Moderately inheritable |
Key resources for inheritance guidance
Before and during your use of inheritance, make sure to take advantage of official HITRUST and MyCSF resources that define the rules and best practices.
- HITRUST Shared Responsibility Matrix (SRM): This is your roadmap for inheritance. OCI’s HITRUST Shared Responsibility Matrix is available to download from MyCSF or the HITRUST website, and it outlines exactly which controls in each domain are inherited. Treat the SRM as the source of truth on provider vs. customer control ownership. When in doubt about a particular requirement, consult the SRM to see if OCI or the customer is listed as responsible.
- HITRUST Assessment Handbook: The HITRUST Assessment Handbook (latest version) provides comprehensive guidance on the assessment process, including the inheritance program. Section 12 of the handbook covers “Reliance on Assessment Results Using Inheritance” and details the requirements for using inheritance properly. It explains, for instance, the need for valid business justification and how inheritance requests must be submitted and approved within the MyCSF workflow.
- MyCSF Help: Within the MyCSF platform, you can find help documentation and tools like the Inheritance Calculator that let you simulate how much effort you’ll save by inheriting certain controls.
- OCI Compliance Documentation: Oracle Cloud may provide documentation or guides specific to its HITRUST offering. Check OCI’s compliance or security portals for any HITRUST inheritance guides or FAQs.
Getting support: External assessors and consultants
Finally, remember that you don’t have to navigate the HITRUST inheritance process alone. If you have questions or run into confusion, consider reaching out to a HITRUST Approved External Assessor or consultant for guidance. HITRUST maintains a directory of authorized External Assessor organizations. These are firms trained in the HITRUST CSF and assessment process. An experienced assessor can help you identify inheritance opportunities, interpret the SRM, and ensure you apply inherited controls correctly. In fact, if you are pursuing a Validated Assessment, you will need an External Assessor to validate your results, so involving them early can smooth out the process.
Don’t hesitate to use these expert resources. A quick consultation with a HITRUST assessor or a cloud security consultant can clarify doubts about what you can inherit and how to document it. They can also verify that you’re meeting all HITRUST requirements in the areas you don’t inherit (so nothing falls through the cracks).
Conclusion
Inheritance is a powerful feature in HITRUST MyCSF that can make your certification journey far more efficient. By leaning on OCI’s already-certified security controls, you can save time, reduce costs, and focus your energy on the areas that truly require your attention. Just remember that with great power comes responsibility. Always use the HITRUST Shared Responsibility Matrix and official guidance to know exactly what can be inherited versus what remains your duty. When in doubt, consult the experts (HITRUST-approved assessors or seasoned consultants) to ensure you’re on the right track. Leveraging the work of others through inheritance, when done correctly, helps turn HITRUST compliance into a manageable and collaborative effort. Good luck with your HITRUST assessment, and happy inheriting!
Key Takeaway: Use OCI’s HITRUST certification to your advantage. Inherit what you can, implement what you must, and always refer to HITRUST’s official resources for clarity. And if you need help, the HITRUST assessor community is there to support you in achieving a successful, stress-reduced certification.
What's Inheritance for Oracle Cloud Infrastructure?
By Sean Dowling, Vice President of Cybersecurity & Compliance, Accorian
In today’s compliance landscape, few things drain more resources than duplicative assessments. Organizations often find themselves juggling multiple frameworks (ISO 27001, HITRUST, SOC 2, and now even emerging AI and privacy standards), each with overlapping requirements but different scoring and evidence rules. I’ve seen this play out across industries: a health tech startup chasing HITRUST certification after ISO 27001, a global enterprise needing both HITRUST and SOC 2 for customer contracts, or a payer network navigating ISO and HITRUST simultaneously for international and U.S. obligations.
The good news is that alignment between frameworks, particularly ISO 27001 and HITRUST, has matured to the point where organizations can meaningfully reduce redundant work. When done right, you’re not just checking boxes twice, you’re building a more integrated, resilient security program.
Why ISO and HITRUST overlap so much
ISO 27001 has long been a well-known standard for global information security, while HITRUST dominates U.S. healthcare, technology, finance, and adjacent industries. Both frameworks require the following.
- Risk-based approaches – ISO through its ISMS (Information Security Management System), HITRUST through control inheritance and scoping.
- Policies, procedures, and evidence of effectiveness – both care less about “paper compliance” and more about demonstrable maturity.
- Technical safeguards and continuous improvement – ISO calls it Annex A, HITRUST maps it to its control categories.
For organizations that already hold ISO 27001 certification, at least 60%–70% of the groundwork is directly applicable to HITRUST. HITRUST itself maintains mappings to ISO 27001 and other frameworks within its framework (HITRUST CSF), which allows for “leveraging existing certifications” during assessment.
Where alignment saves effort
At Accorian, we’ve helped clients streamline by focusing on control mapping and evidence rationalization. The big wins typically come in:
- Policies and governance: One information security policy aligned to both frameworks beats two near-duplicates.
- Risk assessment methodology: Use the ISO risk treatment plan as the basis for HITRUST inherent risk factors.
- Technical controls: Encryption, access management, logging, and endpoint protection often map one-to-one.
- Continuous monitoring: ISO’s internal audit cadence can serve as input for HITRUST’s interim and recurring review requirements.
Instead of running parallel audit tracks, we build a single control inventory, then annotate where each requirement ties to HITRUST.
Where organizations still struggle
Despite the overlap, there are nuances where an ISO control doesn’t go far enough for HITRUST. Common sticking points we’ve seen include:
- Granularity of testing: HITRUST often requires sampled evidence across populations, whereas ISO may accept a point-in-time artifact.
- Healthcare-specific safeguards: HITRUST introduces HIPAA-driven controls that ISO doesn’t cover.
- Maturity scoring: ISO certifies the system; HITRUST grades the maturity of individual controls across policy, process, and implementation.
This is where organizations fall into the trap of re-documenting or scrambling last minute for artifacts. A smart alignment strategy bakes these gaps into the roadmap early.
My advice: Build once, certify many times
The mindset shift is key. Don’t treat ISO and HITRUST as separate projects; treat them as a unified program with multiple reporting outputs. A few practical steps I recommend:
- Start with a crosswalk: Build or adopt a mapping between ISO Annex A and HITRUST CSF controls.
- Establish a single evidence repository: Tag each artifact with the frameworks it satisfies.
- Automate where possible: Use compliance platforms (MyCSF, GoRICO (Accorian)) to reduce manual duplication.
- Plan assessment timelines together: Avoid audit fatigue by sequencing ISO surveillance and HITRUST interim reviews.
By reframing compliance as an integrated ecosystem, organizations cut redundant work, reduce assessor hours, and most importantly, strengthen the underlying security program.
How Accorian can assist organizations
This is where Accorian steps in. Our team specializes in helping organizations avoid duplicated effort by:
- Framework crosswalks and control mapping: We build tailored ISO-to-HITRUST mappings so you know exactly where evidence overlaps and where unique work is required.
- Evidence management and rationalization: Our assessors consolidate your documentation into a single repository, tagging artifacts for ISO, HITRUST, or CMMC.
- Gap assessments and roadmaps: We identify where ISO compliance falls short of HITRUST’s stricter maturity and specific requirements, and create a phased remediation plan.
- Assessment readiness: By sequencing your ISO surveillance audits and HITRUST assessments, we reduce audit fatigue while maximizing reuse of control testing.
- Technology enablement: Whether leveraging HITRUST MyCSF, Vanta, Drata, or custom Smartsheet trackers, we integrate compliance tooling into your workflow to cut down on manual effort.
With Accorian’s support, clients move away from siloed compliance projects toward an integrated, scalable security program.
Closing thoughts
Framework alignment is more than a cost-savings exercise: it’s a strategy that transforms compliance from a series of isolated projects into a sustainable, business-enabling program. When organizations embrace alignment, something powerful happens:
- Compliance shifts from reactive to proactive. Instead of scrambling for artifacts, organizations build a single, living compliance backbone that supports multiple certifications.
- Security maturity accelerates. Aligned frameworks reinforce one another — ISO’s ISMS discipline strengthens HITRUST’s maturity scoring, while HITRUST’s safeguards raise the bar for ISO environments.
- Stakeholder confidence grows. Customers, partners, and regulators recognize that your organization is demonstrating resilience across multiple requirements.
At Accorian, we’ve seen that the real payoff of ISO–HITRUST alignment isn’t just fewer hours of duplicated effort — it’s a stronger security culture, better risk visibility, and the agility to expand into future certifications like AI security certification without starting from scratch.
The reality is that compliance demands will only continue to multiply. Organizations that continue to chase frameworks one by one will burn time, money, and talent. Those that align, however, will future-proof themselves, turning compliance from a burden into a strategic differentiator.
My message is simple: do the work once, do it right, and let it count everywhere.
Talk to Accorian today about how our HITRUST approach can help you save time, reduce audit fatigue, and strengthen your security posture.