HITRUST has submitted a letter to the incoming administration and key Congressional Committees regarding proposed modifications to the HIPAA Security Rule. This comes in light of proposed legislative measures aimed at improving the cybersecurity posture of the healthcare industry.

Despite existing regulations and guidelines, the healthcare sector continues to face direct and opportunistic targeting, with ongoing attacks impacting vital patient care and trust. While HITRUST believes in and aligns with the Department of Health and Human Services and Congress on the shared objective that healthcare organizations must manage information risk effectively and guidelines must be established based on the healthcare organization’s overall risk posture and be proven through compliance systems, it is critical to revisit the outdated and incomplete approaches historically used to address cybersecurity risks in healthcare.

HITRUST’s letter emphasizes the need to rethink these approaches and recommends leveraging proven, scalable models that enhance security outcomes while avoiding inefficiencies or unnecessary complexity. We believe that substantial improvements in cybersecurity can be achieved through actionable strategies and tools, not just compliance.

A key recommendation from HITRUST is addressing a significant design flaw in the HIPAA Security Rule. Currently, the Rule fails to effectively reduce risk because it lacks relevant, clear, and prescriptive guidelines for controls and assurance. The result is inconsistent implementation and lack of objective measurement, preventing meaningful risk management.

HITRUST’s 17 years of experience, along with insights from our 2024 Trust Report, demonstrate the effectiveness of comprehensive risk management strategies. Only 0.64% of HITRUST-certified environments reported breaches over the past two years — proof that robust risk management can yield substantial security outcomes with the right strategies and tools.

We invite you to read our letter to learn more about how HITRUST is advocating for practical, impactful changes to safeguard the healthcare system.

- Ryan Patrick, VP of Adoption, HITRUST 

Third-Party Risk Management (TPRM) is supposed to be the bedrock of securing organizations from the risks posed by external vendors and business partners, but the current system is fundamentally broken. This becomes painfully clear when we examine three of the most critical pain points: the low quality and variability of SOC 2 reports, the inefficiency of questionnaires, and the lack of reciprocity between governing bodies. 

SOC 2 Reports: A Quality Crisis 

SOC 2 reports are often regarded as the “go-to” standard for assessing the security controls of third-party vendors because of their wide adoption across all industries. Yet, the quality and reliability of these reports can vary dramatically. Some SOC 2s are meticulously detailed and provide actionable insights into a vendor's security posture. However, many others are shallow, missing critical information, or worse, relying on outdated practices that no longer align with today's threat landscape. The control selection is purely up to the organization being assessed. Furthermore, there is a race to the bottom with “SOC in box” firms pencil whipping reports at the lowest cost possible. The variability of these reports erodes trust.  

What is the point of asking for a SOC 2 if you can’t guarantee a consistent standard? SOC 2 reports will remain an unreliable cornerstone in TPRM until there is a way to enforce more uniform, higher-quality reporting. 

The Questionnaire Bottleneck 

The next pain point is the inefficiency of vendor questionnaires. In theory, these should help organizations get a clearer understanding of a vendor’s security practices. In reality, they’ve become a bureaucratic nightmare. Security questionnaires are often long, repetitive, and rarely tailored to the specific risks posed by a particular vendor. Worse yet, vendors receive dozens, sometimes hundreds, of these questionnaires, leading to inconsistent or hurried responses. It’s not uncommon for vendors to send recycled answers that don’t address the nuances of the questions asked. This "checkbox" approach is inefficient for both sides and doesn’t provide the insight to make informed risk decisions. 

It’s even more troubling that the organizations requesting the security questionnaires often lack the time, expertise, or resources to assess the answers they receive thoroughly. Most companies don't have dedicated teams or the specialized knowledge required to interpret the responses and probe deeper into potential vulnerabilities. As a result, the due diligence process often becomes superficial, with organizations relying on incomplete or misunderstood information. Organizations may unwittingly expose themselves to greater vulnerabilities instead of truly mitigating risk.  

Reciprocity Between Governing Bodies: A Missing Link 

One of the biggest systemic failures in TPRM is the lack of reciprocity between governing bodies and frameworks. We have SOC 2, ISO 27001, NIST, and a host of other frameworks, all serving slightly different functions but ultimately aiming at the same goal: reducing risk. However, organizations are forced to undergo multiple, redundant audits and assessments as there’s little reciprocity between these frameworks. Vendors end up in a web of overlapping requirements, increasing the time and cost of compliance without adding meaningful value to security. The industry needs a system of mutual recognition, where frameworks work together to streamline the risk management process, creating a unified standard that works across sectors and regions. 

A Call for Change 

TPRM is in dire need of reform. Although SOC 2s serve a specific purpose within an organization, they were not designed for TPRM and should not be used for this purpose. Questionnaires must become more focused on the relationship between the two organizations and should stop there. Relying on industry-recognized risk-based assessments/certifications and getting rid of questionnaires lead to streamlined processes and reduced risk profiles. Finally, there must be reciprocity and collaboration between governing bodies to eliminate redundant processes and create a more efficient, effective approach to managing third-party risks. 

The current system is broken, but with concerted efforts from industry leaders, governing bodies, and security professionals, we can rebuild TPRM into a process that truly protects organizations without wasting time or resources. 

HITRUST, the leader in information security assurances for risk management and compliance, information security, and compliance assurances, announces the release of version 11.4.0 of the HITRUST Framework (HITRUST CSF®).

This update reaffirms HITRUST's commitment to providing organizations with a comprehensive, up-to-date framework that addresses evolving cyber threats and regulatory requirements.

What is the HITRUST Framework?

The HITRUST Framework (HITRUST CSF) is a comprehensive, scalable, reliable, and efficient framework for information risk management, cybersecurity, and regulatory compliance. It is designed to help organizations globally, in any sector, earn the trust of their customers and stakeholders by demonstrating their commitment to relevant and reliable information security standards.

What's New in CSF v11.4.0

• Expanded Coverage of Emerging Standards: Incorporates NIST Cybersecurity Framework 2.0, NIST SP 800-171 r3, CMMC 2.0, and CMS ARS v5.1, providing updated protections for sensitive information across industries and regulatory environments.
• Enhanced Global and Industry-Specific Compliance: Adds authoritative sources such as ISO/IEC 29151:2017, EU Digital Operational Resilience Act (DORA), NAIC 668, and 16 CFR 314 to address international, financial, and healthcare regulatory requirements.
• Focus on AI and Advanced Technologies: Introduces the OWASP Machine Learning Top 10 to mitigate risks in AI and machine learning systems, enhancing security for organizations leveraging advanced technologies.
• Refreshed Authoritative Sources: Updates existing mappings for several key authoritative sources, including the South Carolina Insurance Data Security Act (SCIDSA), Texas Medical Records Privacy Act, FISMA, 201 CMR 17.00, California Consumer Privacy Act § 1798, FDA 21 CFR Part 11, NIST SP 800-171 r2, OWASP AI Exchange, and MITRE ATLAS.
• Removed Authoritative Sources: The following sources have been retired in v11.4.0 due to obsolescence or evolving industry priorities: DirectTrust, EHNAC, Banking Requirements, and Title 1 Texas Administrative Code § 390.2.

Customer Benefits

• Regulatory Alignment: The inclusion of authoritative sources like DORA, 16 CFR 314, and NAIC 668 ensures organizations can meet evolving compliance mandates across diverse sectors, including finance, healthcare, and government.
• AI and Cyber Resilience: The addition of OWASP ML Top 10 and the latest NIST and CMMC updates provides tools to address emerging threats and adapt to complex cybersecurity challenges.
• Global Standards Integration: ISO/IEC 29151:2017 and CMS ARS v5.1 bring international and healthcare-focused privacy and security practices into a unified framework, simplifying compliance for global organizations.
• Streamlined Process: Leveraging a centralized framework reduces redundancy in compliance efforts, enabling organizations to efficiently achieve HITRUST certification while addressing multiple regulatory requirements simultaneously.
• Future-Ready Framework: HITRUST CSF v11.4.0 equips organizations to stay ahead of regulatory changes, ensuring long-term adaptability and resilience in the face of evolving cybersecurity and privacy landscapes.

Transition Information

With the launch of v11.4.0, new e1 and i1 assessments will be aligned with the updated framework, ensuring organizations benefit from the latest cybersecurity and compliance advancements. Existing assessments under v11.3.2 can still proceed, providing flexibility and continuity for ongoing certification efforts.

Access and Implementation

HITRUST CSF v11.4.0 is available for download on the HITRUST website.

Organizations are encouraged to transition to the updated framework to leverage the enhanced protections and efficiencies it offers. For more information and to download the HITRUST CSF v11.4.0, visit the HITRUST Framework page.