GRC Academy Podcast May 27, 2025 S-2 / E-8 00:55:55

How HITRUST Fixes What’s Broken in Cybersecurity Compliance

Interview with Ryan Patrick about HITRUST and how it approaches cybersecurity assurance.

Cybersecurity frameworks can learn a lot from HITRUST.

In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data.

I barely knew anything about HITRUST going in, but it’s clear they’re tackling the cybersecurity assurance problem in a radically different way.

Here’s what stood out to me:

  • HITRUST reviews its security controls quarterly based on threat intel and control effectiveness
  • There are three distinct assessment levels (like CMMC)
  • HITRUST itself issues a certification after the 3rd party assessment and running the assessment results through two stages of QA
  • Every 3rd assessment gets reviewed. Every. Single. One.

The centralized approach of HITRUST allows them to provide feedback to its assessment community after each and every assessment which results in assessments that are more consistent and higher quality.

HITRUST certified organizations are contractually required to report incidents which then allows them to evaluate the effectiveness of their controls.

I personally think that commercial cybersecurity frameworks should take a look at HITRUST.

What were your biggest takeaways? Let me know in the comments.

Follow Ryan on LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/

HITRUST Website: https://hitrustalliance.net/


Thanks to our sponsor Vanta!

Get back time to focus on strengthening security and scaling your business.

Discover the new way to GRC here: https://vanta.com/grcacademy