Traditional third-party risk management (TPRM) practices may not keep pace as they often rely on manual, self-attested, and inconsistent methods. As vendor ecosystems expand and the frequency and cost of breaches rise, organizations need a new approach — one built on verified, standardized, and defensible assurance like that offered by HITRUST.

What’s driving the third-party risk crisis?

The modern enterprise depends on thousands of third parties for everything from IT infrastructure to cloud services and data processing. According to SecurityScorecard and Cyentia 2024, the average Global 2000 organization now manages over 8,000 vendors providing nearly 18,000 IT products and services, each representing a potential point of risk.

The impact is real.

• 99% of Global 2000 organizations are connected to vendors that have experienced a cyber incident.

• The average third-party breach costs $4.91 million (IBM 2025).

These numbers reveal a growing truth: Cybersecurity risk associated with the supply chain has become material to an enterprise. Even a single weak link can expose the entire ecosystem to breach and disruption.

Why is traditional TPRM challenging?

Legacy TPRM programs were designed for a simpler, slower world. Today, they rely on outdated processes that create friction, delay, and false confidence.

These inefficiencies leave teams overwhelmed and unable to keep pace with expanding vendor ecosystems. Instead of reducing risk, traditional TPRM often becomes an administrative burden that delays procurement and frustrates vendors.

What happens when TPRM becomes a bottleneck?

For most enterprises, the TPRM process has turned into a roadblock. Assessments can take weeks or months, draining staff resources and stalling business. Vendors often repeatedly fill out lengthy questionnaires for every customer, creating frustration on both sides.

The result?

• Procurement delays
• Slower time-to-market for services that depend on vendors
• Inconsistent risk visibility across vendors
• Friction with vendors forced to repeat assessments

In short, traditional TPRM may create more noise than insight, leaving organizations vulnerable to the very risks they’re trying to mitigate.

What’s the better way to manage third-party risk?

Security-mature organizations are shifting from self-attested trust to validated assurance — a model that uses verified, standardized, and quality-controlled assessments to prove that vendor controls are effective.

Validated assurance eliminates redundancy, improves consistency, and provides defensible, audit-ready proof of compliance. Rather than taking vendors at their word, organizations gain confidence from independently verified results.

With validated assurance

• Risk decisions are based on evidence, not assumptions.
• Vendor reviews are faster and reusable.
• Security teams spend less time chasing documentation and more time managing risk.

It’s not just a better way to assess. It’s a smarter way to trust.

How can you learn more?

To understand how validated assurance transforms vendor oversight from a reactive burden into a scalable model of trust, download our latest white paper: Redefining Third-Party Risk Management with the HITRUST Validated Assurance.

Learn how HITRUST empowers organizations to address the challenge of vendor risk management and stay resilient against the growing wave of third-party breaches.

Takeaways

• Healthcare remains a top target for cyberattacks: Cybercriminals are intensifying attacks against healthcare organizations due to valuable patient data and outdated systems.
• Vendors are the new attack vector: Even the most secure organizations can be compromised through a trusted third party.
• HITRUST e1 provides proven protection: The HITRUST e1 offers a pragmatic, standardized way to verify that both organizations and their vendors have implemented critical cybersecurity controls to prevent, detect, and respond to today’s most prevalent threats.

Overview

The Huntress 2025 Cyber Threat Report analyzes attacks observed in 2024, showing that cybercriminals are repurposing sophisticated techniques for small and mid‑sized organizations. Healthcare was hit particularly hard because it holds valuable patient data and often relies on outdated systems. Threat actors frequently used malicious scripts, remote access Trojans (RATs), remote‑monitoring tool abuse, and ransomware. These patterns highlight the need for comprehensive security measures across the entire supply chain. One major risk associated with these attacks is that the threat actor may compromise enterprise systems via a third party. For example, any of your hundreds of software providers may be compromised by these attacks and used as a stepping stone into your customers’ environments.

Key threats and relevant e1 controls

Malicious scripts and fileless malware

• What Huntress saw: Malicious script executions were the most common attack vector in healthcare. Attackers used PowerShell or JavaScript to persist on hosts, modify the Windows Registry, or download additional malware.
• e1 controls: Deploy endpoint protection tools that can detect and block script‑based attacks and fileless malware. Enforce default‑deny rules on host‑based firewalls to prevent unauthorized outbound connections. Keep systems patched and configurations hardened to reduce exploitable vulnerabilities. Prohibit installation of unauthorized software and disable auto‑run features to limit untrusted code execution. Perform regular vulnerability scans and implement an incident response plan to catch and remediate malicious activity quickly.

Infostealers and credential harvesting

• What Huntress saw: Infostealers targeted healthcare to extract PHI and credentials. More than 38 % of hands‑on‑keyboard activity involved network or domain reconnaissance, and attackers used tools such as Mimikatz to dump cached credentials.
• e1 controls: Enforce strong password policies and change default credentials on all systems. Require multi‑factor authentication for privileged accounts and remote access to limit the impact of stolen passwords. Review account privileges regularly, limit administrative rights, and use separate accounts for administrative duties. Enable comprehensive logging and protect audit trails to support investigation of credential misuse. Provide ongoing security awareness and phishing‑resistance training so staff recognize and report credential‑stealing attempts.

Ransomware, data theft, and extortion

• What Huntress saw: Ransomware in healthcare shifted toward data theft and extortion. Attackers combined data exfiltration with encryption to coerce victims, and the rise in cryptocurrency prices emboldened them.
• e1 controls: Maintain offline or immutable backups and test restoration procedures regularly. Establish a robust incident response capability that includes detection, containment, and recovery. Limit access to sensitive data to authorized personnel and encrypt data on mobile devices. Use email and web‑filtering technologies to block phishing emails and connections to known malicious domains.

Remote Access Trojans (RATs) and RMM abuse

• What Huntress saw: Attackers deployed Java‑based RATs (such as JRat and Adwind) and abused legitimate remote monitoring tools.
• e1 controls: Secure remote access with multi‑factor authentication and restrict the use of remote administration tools to authorized solutions. Segment networks with firewalls to separate internal systems from external networks and limit lateral movement. Maintain an accurate inventory of IT assets and forbid installation of unauthorized software, including unauthorized RMM tools. Configure devices to log off idle sessions automatically and assign unique user accounts to all personnel.

Lateral movement and network enumeration

• What Huntress saw: Attackers spent significant time mapping networks and domains. They used toolkits (e.g., ntdsutil, diskshadow) to dump credentials and move laterally, often exploiting legacy systems.
• e1 controls: Apply least‑privilege principles; only authorized individuals should have administrative rights, and privileged activities should be logged and reviewed. Use network segmentation and host‑based firewalls to restrict inter‑segment traffic and make lateral movement more difficult. Perform regular asset inventories and vulnerability scans to identify legacy systems and misconfigurations. Enforce change‑control procedures and maintain baseline configurations to prevent unauthorized changes. Collect and retain audit logs so lateral movement can be detected and investigated.

Why vendor compliance with e1 requirements matters

The Huntress report shows that attackers exploit weaknesses not just in their primary targets but also in connected systems. Vendors often have direct network access or handle sensitive data on behalf of clients. If a vendor neglects patching, uses weak credentials, or does not enforce multi‑factor authentication, it can become the entry point for the same malicious scripts, infostealers, or remote‑access abuse described above.

Requiring vendors to adhere to the e1 requirements offers assurance that they implement comprehensive controls across governance, technical, and operational domains. These controls include endpoint security, firewalls, strong authentication, least‑privilege access, incident response, and employee training. Mandating an e1 certification in vendor contracts reduces third‑party risk, demonstrates due diligence, and aligns the entire ecosystem to best practices.

Conclusion

The 2025 Huntress report underscores the evolving threats facing healthcare organizations, from malicious scripts and infostealers to ransomware and lateral movement. The e1 requirements provide a structured set of practices that collectively mitigate these threats by addressing technical vulnerabilities, human factors, and incident response readiness. Organizations should not only implement these controls internally but also require their vendors to meet them. Doing so builds a resilient defense that protects patient data and ensures continuity of care in the face of an increasingly aggressive threat landscape.

By Jason Kor, Principal, Third Party Cyber Risk at HITRUST

If you’re using Oracle Cloud Infrastructure (OCI) and working through a HITRUST assessment in MyCSF, inheritance lets you rely on OCI’s existing HITRUST-validated controls instead of re-assessing everything from scratch. In this post, we’ll discuss what inheritance means, how it works in HITRUST MyCSF, and how you can use it to save time and effort on your journey to HITRUST certification.

What is inheritance in HITRUST?

Inheritance is a mechanism that allows one organization to leverage the assessment results of another. In simple terms, if a third party (like a cloud service provider) has already been assessed and certified for certain HITRUST CSF controls, you can “inherit” those controls instead of undergoing separate testing for them. For example, because Oracle Cloud Infrastructure is HITRUST certified, an OCI customer can reuse OCI’s assessment results for relevant cloud security requirements rather than testing those controls independently. This feature is built into MyCSF.

How does it work in MyCSF?

MyCSF is HITRUST’s online platform for managing assessments, and it enables inheritance of control testing results between assessments. The platform allows the control maturity scores of specific requirements to be transferred from a provider’s HITRUST assessment into your own assessment (with the provider’s permission). In practice, this can dramatically reduce your assessment workload.

What are the benefits of using inheritance with OCI?

Relying on OCI’s HITRUST validated controls offers several clear benefits for your organization, including

• Significant time and cost savings: By inheriting controls from OCI’s assessment, you avoid performing redundant testing and evidence collection for those controls. This streamlines your certification process, potentially saving hundreds of hours of effort and associated external assessor costs.
• Leverage proven security controls: OCI’s controls that have been evaluated against the HITRUST CSF are already proven effective. Inheriting these gives you immediate credit for the strong security measures implemented by OCI. This can even help boost your scores in certain areas, since you’re benefiting from controls that were assessed at higher maturity levels by a trusted provider.

What is the step-by-step process of inheriting OCI's controls in MyCSF? 

• Identify available inheritable controls: Start by determining which HITRUST CSF control requirements OCI has already covered for you. Oracle provides a HITRUST Shared Responsibility Matrix (SRM) that clearly shows which controls are fully or partially OCI’s responsibility. Review OCI’s SRM (available through MyCSF, HITRUST website, or Oracle’s compliance resources) to see which requirements are marked as inheritable from OCI. Focus on controls that align with the OCI services you are using.
• Evaluate applicability to your assessment scope: For each control that might be inheritable, ensure it applies to your assessment’s scope and your use of OCI. Verify that you are using the OCI service associated with that control and that you meet any conditions for relying on OCI’s implementation.
• With the help of your external assessor
  • Submit an inheritance request in MyCSF: In the MyCSF portal, create a new inheritance request against Oracle Cloud Infrastructure’s HITRUST assessment. Here, you will select OCI as the “Inheritance Provider” and specify which control requirements you wish to inherit.
  • Oracle reviews and approves (or denies) the request: After submission, the OCI compliance team reviews your inheritance request. They compare your requested controls against OCI’s HITRUST assessment and the shared responsibility criteria. In essence, OCI will approve the request if you’re a valid customer and the controls truly fall under OCI’s assessment.
  • Apply approved inherited controls: Once OCI approves your request, OCI’s assessment results for those control requirements are inherited into your MyCSF assessment.

Shared responsibilities across HITRUST domains

It’s important to understand that not all HITRUST requirements can be inherited. It depends on what responsibilities OCI assumes versus what remains with you. The concept of shared responsibility in cloud computing comes into play: OCI covers the security of the cloud (the underlying infrastructure), while you’re responsible for security in the cloud (your applications, data, and internal processes). Some domains lend themselves more readily to inheritance based on this split.

Each domain has many requirements, some of which will be inheritable. For detailed control-level inheritability, please refer to the resources shared below. Here is a summary.

Key resources for inheritance guidance

Before and during your use of inheritance, make sure to take advantage of official HITRUST and MyCSF resources that define the rules and best practices.

• HITRUST Shared Responsibility Matrix (SRM): This is your roadmap for inheritance. OCI’s HITRUST Shared Responsibility Matrix is available to download from MyCSF or the HITRUST website, and it outlines exactly which controls in each domain are inherited. Treat the SRM as the source of truth on provider vs. customer control ownership. When in doubt about a particular requirement, consult the SRM to see if OCI or the customer is listed as responsible.
• HITRUST Assessment Handbook: The HITRUST Assessment Handbook (latest version) provides comprehensive guidance on the assessment process, including the inheritance program. Section 12 of the handbook covers “Reliance on Assessment Results Using Inheritance” and details the requirements for using inheritance properly. It explains, for instance, the need for valid business justification and how inheritance requests must be submitted and approved within the MyCSF workflow.
• MyCSF Help: Within the MyCSF platform, you can find help with documentation and tools like the Inheritance Calculator that let you simulate how much effort you’ll save by inheriting certain control.
• OCI Compliance Documentation: Oracle Cloud may provide documentation or guides specific to its HITRUST offering. Check OCI’s compliance or security portals for any HITRUST inheritance guides or FAQs.

Getting support: External assessors and consultants

Finally, remember that you don’t have to navigate the HITRUST inheritance process alone. If you have questions or run into confusion, consider reaching out to a HITRUST Approved External Assessor or consultant for guidance. HITRUST maintains a directory of authorized External Assessor organizations. These are firms trained in the HITRUST CSF and assessment process. An experienced assessor can help you identify inheritance opportunities, interpret the SRM, and ensure you apply inherited controls correctly. In fact, if you are pursuing a Validated Assessment, you will need an External Assessor to validate your results, so involving them early can smooth out the process.

Don’t hesitate to use these expert resources. A quick consultation with a HITRUST assessor or a cloud security consultant can clarify doubts about what you can inherit and how to document it. They can also verify that you’re meeting all HITRUST requirements in the areas you don’t inherit (so nothing falls through the cracks).

Conclusion

Inheritance is a powerful feature in HITRUST MyCSF that can make your certification journey far more efficient. By leaning on OCI’s already-certified security controls, you can save time, reduce costs, and focus your energy on the areas that truly require your attention. Just remember that with great power comes responsibility. Always use the HITRUST Shared Responsibility Matrix and official guidance to know exactly what can be inherited versus what remains your duty. When in doubt, consult the experts (HITRUST-approved assessors or seasoned consultants) to ensure you’re on the right track. Leveraging the work of others through inheritance, when done correctly, helps turn HITRUST compliance manageable and collaborative effort. Good luck with your HITRUST assessment, and happy inheriting!

Key Takeaway: Use OCI’s HITRUST certification to your advantage. Inherit what you can, implement what you must, and always refer to HITRUST’s official resources for clarity. And if you need help, the HITRUST assessor community is there to support you in achieving a successful, stress-reduced certification.