Cyber threats are increasing every year. Organizations need more than just compliance checkboxes. They need real security that works.

The 2025 HITRUST Trust Report provides evidence that HITRUST certification reduces cyber risk, strengthens security postures, and adapts to new challenges.

This year’s report highlights the proven effectiveness of HITRUST certifications, the comprehensive coverage of its framework, the expansion of AI assurances, and the continuous improvements customers experience with repeated HITRUST certifications. These insights demonstrate why HITRUST remains the most reliable and data-backed cybersecurity assurance provider.

Here are five key takeaways from the 2025 HITRUST Trust Report.

1. HITRUST is proven to reduce cyber risk

HITRUST certification protects from cyber threats better than any other security framework. The 2025 Trust Report provides measurable proof that HITRUST certifications are effective.

99.41% of HITRUST-certified environments remained breach-free in 2024. Only 0.59% of organizations with a HITRUST certification reported a security incident. This rate is significantly lower than industry averages.

No other cybersecurity assurance framework provides quantifiable proof that its certifications work. Many organizations rely on compliance reports that do not measure actual security performance. HITRUST takes a different approach. It requires certified entities to report breaches, allowing HITRUST to measure the effectiveness of its certifications.

Organizations that choose HITRUST are not just meeting compliance requirements, they are adopting a framework that has been proven to reduce cyber risk and protect sensitive data.

2. HITRUST stays ahead of emerging threats

Cyber threats constantly evolve. Security programs must keep pace with new tactics, techniques, and attack methods. The cyber threat-adaptive HITRUST framework is designed to adapt to these changes.

HITRUST continuously integrates data from top cyber threat intelligence sources to ensure its framework remains relevant. It addresses emerging threats before they become widespread risks. No other security framework makes such frequent updates to stay relevant.

HITRUST maps its framework to address 100% of the MITRE mitigations that can be controlled through cybersecurity defenses. It ensures its assessments provide the most comprehensive coverage to keep organizations ahead of cybercriminals.

3. HITRUST introduces AI security and risk management assurances

Organizations are using AI to become more efficient. But they struggle to assess AI-related threats, including data privacy risks, security vulnerabilities, and ethical concerns. HITRUST is leading the way in AI assurance. In 2024, HITRUST introduced two AI-related assessments.

• The AI Security Certification helps organizations prove that their AI models and platforms are built securely. This certification can be added to any HITRUST core certification, including e1, i1, or r2.

• The AI Risk Management Assessment allows organizations to evaluate and improve their AI risk management programs. It aligns with global standards like ISO/IEC and NIST.

Organizations need trustworthy and structured cybersecurity assurances as AI adoption increases. HITRUST is providing the tools they need to manage AI risks effectively.

4. HITRUST customers improve security

Achieving HITRUST certification is only the beginning. Maintaining strong security requires continuous improvement. The 2025 HITRUST Trust Report shows that customers undergoing repeated HITRUST certifications significantly strengthen their security postures over time.

In 2024, businesses maintaining HITRUST certifications experienced

• 54% fewer corrective actions in subsequent i1 certifications
• 32% fewer corrective actions in subsequent r2 certifications

HITRUST does not just provide an assessment; it creates a culture of continuous security improvement that helps organizations stay resilient in an evolving threat landscape.

5. HITRUST expands its framework for maximum security coverage

Organizations need a security framework that is comprehensive, adaptable, and built to address real-world challenges. The HITRUST framework continues to set the gold standard by expanding its coverage and integrating the most relevant security requirements.

The latest version, HITRUST CSF v11.4, harmonizes 60 authoritative sources, including HIPAA, NIST, and ISO. This represents a 36% increase from the previous year, ensuring organizations can meet multiple security, privacy, and compliance requirements within a single, unified framework.

HITRUST offers a comprehensive and scalable framework. Unlike fragmented approaches that require organizations to juggle multiple frameworks, HITRUST simplifies the process by consolidating the most critical standards into one powerful solution.

The future of trust in cybersecurity

The 2025 HITRUST Trust Report proves that HITRUST is a data-backed security assurance that reduces risk, adapts to evolving threats, and drives continuous improvement. Organizations that choose HITRUST gain more than a certification. They gain a proven security strategy that protects their data, enhances their security posture, and prepares them for the future.

Read the full 2025 Trust Report to learn more.

Vendor risk management is a cornerstone of safeguarding sensitive data and systems, particularly in sectors like healthcare, where protecting patient information is crucial. Despite best efforts, significant blind spots often remain in vendor risk assessments. These vulnerabilities stem from incomplete vendor inventories, prioritization challenges, and a lack of visibility into downstream risks. Understanding and addressing these gaps is critical to bolstering enterprise security.

The scope of the problem

Most organizations struggle to achieve full visibility across their vendor portfolio. Risk assessments often cover only a small fraction of the total number of vendors servicing the organization. This limited scope is largely driven by difficulties in accurately identifying all vendors and the necessity to focus resources on those perceived as most critical. Consequently, vendors that are not deemed mission-critical or high-risk are often overlooked, leaving hundreds of vendors unassessed. This creates significant blind spots, especially in a healthcare environment where even low-risk vendors could inadvertently compromise patient data or systems.

Fourth-party risks amplify the challenge

The problem extends beyond third-party vendors to the broader supply chain. The emergence of vulnerabilities and breaches in fourth-party products and services, such as the Log4j vulnerability, the SolarWinds attack, and the Okta compromise, underscores the cascading risks organizations face. These incidents highlight a troubling reality: many third-party vendors do not maintain accurate inventories of their own supply chain products. This lack of transparency means organizations are often unaware of their exposure to downstream vulnerabilities.

For example, a vendor may rely on a software library that contains a critical vulnerability, yet this dependency remains unreported or undiscovered. In such cases, organizations are blind to the risks posed to their critical data and applications, compounding the difficulty of implementing effective remediation strategies.

Prioritization and risk triage fall short

When faced with limited resources, organizations understandably prioritize vendors based on criticality. Mission-critical vendors and those presenting the highest inherent risks receive the most attention. However, this approach leaves out less obvious forms of risk that can still have significant consequences.

For instance, vendors with remote access to systems, those with physical access to facilities, or those managing privileged accounts might not be classified as critical but can still introduce substantial vulnerabilities. These forms of access can be exploited by malicious actors to bypass traditional security measures, emphasizing the need for a broader view of what constitutes risk.

Addressing the blind spots

To mitigate these gaps, organizations must adopt a more comprehensive and dynamic approach to vendor risk management. Here are some key strategies.

1. Develop a comprehensive vendor inventory: Organizations need complete and accurate inventory of all vendors servicing their operations. This requires cross-departmental collaboration and the use of automated tools to identify and catalog vendors.
2. Enhance visibility into fourth-party risks: Working with third-party vendors to improve transparency in their supply chains is critical. Organizations should mandate that vendors maintain detailed inventories of their own dependencies and report any vulnerabilities promptly.
3. Adapt assessments based on threat intelligence: Incorporating real-time threat intelligence into vendor assessments allows organizations to adapt risk evaluations based on the latest cyber threat landscape. This approach ensures that assessments account for emerging vulnerabilities, attack vectors, and threat actors targeting specific industries or systems. Organizations can identify which vendors are most susceptible to active threats and prioritize remediation efforts by leveraging threat intelligence.
4. Leverage technology and automation: Advanced risk management platforms can help organizations streamline vendor assessments, prioritize risks more effectively, and monitor for vulnerabilities in real time. Automation can also reduce the burden on internal teams, enabling them to focus on higher-value tasks.
5. Adopt continuous monitoring: Risk management cannot be a one-time effort. Continuous monitoring of vendors, their supply chains, and emerging vulnerabilities is essential for maintaining an up-to-date risk profile.
6. Foster collaborative risk mitigation: Establishing strong partnerships with vendors can lead to more proactive risk mitigation. Vendors should be treated as extensions of the organization’s security ecosystem, with clear expectations for compliance and risk management practices.

Conclusion

The blind spots in vendor risk assessments present significant challenges to enterprise security, particularly in high-stakes environments like healthcare. By addressing gaps in vendor inventories, improving visibility into fourth-party risks, and expanding risk assessment criteria, organizations can enhance their resilience against emerging threats. While the task may seem daunting, a proactive and collaborative approach can transform vendor risk management from a reactive necessity into a strategic advantage.

The Digital Operational Resilience Act (DORA), passed by the European Union, marks a significant shift in how businesses manage and mitigate digital risks. Aimed primarily at financial institutions and critical service providers, DORA is designed to ensure that these entities remain operationally resilient despite digital disruptions, cyberattacks, and system failures. 

What organizations are subject to DORA? 

DORA impacts a wide range of entities, including 

• Banks and financial institutions 

• Payment processors and providers 

• Insurance firms 

• Information and Communications Technology (ICT) third-party service providers 

• Investment firms 

These organizations must adhere to DORA to safeguard the EU’s financial system from the cascading effects of digital disruptions. 

What does DORA require for compliance? 

DORA compliance revolves around several core pillars. 

• Risk Management: Organizations must implement comprehensive risk management frameworks that cover all aspects of their digital operations, from data integrity to security of systems.
• Incident Reporting: Institutions must establish a protocol for reporting significant digital incidents, ensuring that appropriate authorities are notified within specific timeframes.
• Testing: Regular testing of ICT systems is mandatory to ensure resilience against potential vulnerabilities.
• Operational Resilience Plans: Businesses need well-documented and executable plans to continue operations in the event of significant disruptions.
• Vendor Risk Management: One of the most stringent aspects of DORA is the focus on third-party vendor risk. Financial institutions must scrutinize their ICT third-party providers to ensure compliance with resilience standards. Vendor relationships need to be assessed, monitored, and managed to avoid introducing vulnerabilities into the organization. 

The stringency of vendor risk management 

DORA’s provisions for vendor risk management are particularly rigorous. Businesses must not only vet their vendors carefully but also have continuous oversight of their performance and compliance. Third-party providers must meet specific resilience standards, and contracts with these vendors must reflect the organization’s commitment to minimizing digital risk exposure. This heightened focus on third-party risk places significant responsibility on businesses to extend their operational resilience beyond their internal systems. 

DORA roll-out: A phased approach to compliance 

The roll-out of the EU’s DORA regulation is scheduled through January 2025. Key dates for businesses include 

• January 2023: DORA was formally adopted by the EU, marking the beginning of the awareness and preparation phase. 

• January 2025: This is the deadline by which businesses must be fully DORA compliant. By this date, financial institutions and relevant ICT service providers will be expected to implement the necessary frameworks and systems for digital operational resilience, including risk management, incident reporting, and vendor oversight. 

• Ongoing: Post-2025, supervisory authorities will start stringent enforcement, conducting audits and assessments to ensure continuous DORA compliance. Businesses will be required to regularly test their ICT systems, report significant incidents, and manage vendor risk proactively. 

Organizations should update internal processes and make sure that they align with DORA’s standards to avoid penalties and ensure operational resilience. 

HITRUST: Supporting DORA compliance

In this iteration of the HITRUST CSF, businesses will have the ability to assess and manage their DORA compliance efficiently. HITRUST, with its comprehensive risk management framework, will enable organizations to align with DORA’s requirements, particularly in areas like vendor risk management and operational resilience. As DORA continues to set the benchmark for operational resilience across the EU, HITRUST will ensure that businesses are equipped to meet these expectations, simplifying the certification process and maintaining the highest standards of security, privacy, and supply chain risk.