The future of healthcare compliance: HITRUST as the foundation of a multi-framework approach

As we enter 2024, Healthcare Technology (HealthTech) Infosec Teams will be asked to do more with less. Cyber threats for HealthTech continue to grow at a rapid pace. As the iconic Pat Benatar says, “Love is a Battlefield”—and so is healthcare compliance.

Thoropass infosec compliance experts Leith Khanafseh and Zach Rutz recently met with Ryan Patrick, VP of Adoption at HITRUST, for an intriguing webinar titled: Future Trends in Healthcare Compliance: How to use HITRUST as the foundation to a multi-framework approach.

This article highlights some of the key takeaways, including:

  • Why healthcare entities must prioritize cybersecurity and update their compliance strategies beyond traditional frameworks like HIPAA due to evolving technology and increasing cyber threats.
  • An overview of the HITRUST Common Security Framework (CSF) and how it can solve many of the pain points organizations face in today’s cybersecurity environment, including the need to pursue multiple security frameworks at once.
  • How automation plays a pivotal role in enabling a multi-framework compliance process, reducing the administrative burden, improving efficiency, and enabling healthcare organizations to better focus on their core functions.

Miss the webinar? You can watch the whole discussion here.

The dangerous world of healthcare technology

The healthcare sector, ripe with extensive sensitive data, has quickly become the #1 attacked industry. A recent report by Claroty found that 78% of surveyed healthcare organizations experienced a cybersecurity incident in the last year, and 55% of those breaches resulted from a third-party breach, such as the Okta security breach, resulting in a butterfly effect.

The complete nature of healthcare records makes them a prime target. The situation is exacerbated by the sector’s dependence on outdated regulations established in an era before wireless, big data, and cloud technologies. As a result, healthcare providers must remain vigilant and prioritize cybersecurity measures to protect patient information.

Adherence to comprehensive information security standards and regulations like HIPAA, HITRUST, and SOC 2 is now a must-have. Compliance officers play a crucial role in ensuring adherence to laws, requirements, and ethical standards, emphasizing the prevention, detection, and resolution of non-compliant conduct through an effective compliance program. However, the industry is currently grappling with significant obstacles in cybersecurity and risk management due to subpar compliance programs, outdated regulations, and the high value of its data.

Why HIPAA is no longer enough

The Health Insurance Portability and Accountability Act (HIPAA) was established as a fundamental framework for healthcare compliance and healthcare security. However, in the face of evolving threats and the rapid advancement of technology, compliance with HIPAA alone is no longer sufficient.

As stated by Ryan Patrick of HITRUST, the healthcare sector must exceed HIPAA requirements to guarantee enhanced protection. While progress has been made in healthcare sector security, it is slow and not keeping pace with the increasing threats. Even though HIPAA revisions may be underway, they haven’t been implemented yet, leaving numerous healthcare entities in a risky situation.

Meanwhile, novel solutions are emerging in response to contemporary, more adaptable threats. The healthcare sector coordinating council is working with various initiatives to enhance the security of the healthcare industry, including collaboration with human services organizations. However, HIPAA’s limitations in addressing current security threats necessitate a more robust solution.

The multi-framework nightmare

Compliance requirements for healthcare entities are escalating, with the average organization now obliged to adhere to three or four frameworks. The intricate task of aligning with multiple compliance frameworks, each with its distinct requirements, can result in a heightened administrative burden and escalated expenses and resources required to prove compliance across various standards. Implementing effective compliance programs can help organizations manage these challenges more efficiently by utilizing appropriate compliance resources.

Introducing the HITRUST Common Security Framework (HITRUST CSF), a holistic framework for centralizing information security initiatives. This framework can eliminate the insanity of providing evidence for the same control repeatedly across different frameworks, a situation many healthcare organizations find themselves in.

Utilizing HITRUST in conjunction with other necessary frameworks, like SOC 2, allows healthcare entities to:

  • Simplify their compliance processes by consolidating audits
  • Have a more concentrated strategy for managing information security programs
  • Avoid the need for duplicated efforts when complying with several distinct frameworks

This approach results in a more efficient and effective approach to information security and compliance, which is the core of an effective compliance program.

HITRUST to the rescue

Established over 16 years ago to solve for the fact that HIPAA can be quite vague and subjective, HITRUST offers a predefined set of security and privacy controls. The HITRUST report is a comprehensive framework of security and privacy controls, aligned with 40 other authoritative sources, designed to ensure robust data protection within the healthcare industry.

HITRUST’s assurance program provides a high degree of certainty through a methodology that emphasizes verification alongside trust. Organizations pursuing HITRUST certification undergo an impartial assessment by a validated HITRUST External Assessor like Thoropass to validate their compliance milestones, leading to certification. The HITRUST framework, therefore, provides the much-needed assurance of data protection and compliance in an industry where data breaches are on the rise.

HITRUST fully or partially covers a wide array of standards and frameworks, including applicable trust service criteria, such as:

  • ISO
  • NIST

The globalization of HITRUST

HITRUST is not just working in isolation; it is actively collaborating with other standards bodies and industry stakeholders. For instance, HITRUST is working with the StateRAMP team to build a program where HITRUST certification can expedite the StateRAMP authorization process. It is also recognized by Texas’s own cloud service provider authorization program, TX-RAMP, as a viable option to fast-track their authorization process. This level of collaboration makes HITRUST a valuable asset not just for healthcare organizations, but for a broad range of entities dealing with sensitive data.

By collaborating with various industry stakeholders, HITRUST aids constituents in navigating their processes and building trust more efficiently. Additionally, the federal government acknowledges the worth of HITRUST certification. It now requires qualified health information networks to get HITRUST certified, proving the worth of HITRUST certification in the broader regulatory landscape.

Moreover, clients are capitalizing on their HITRUST certifications during the cyber insurance underwriting process, thus receiving more advantageous terms.


Although HITRUST, SOC 2, and HIPAA may appear to be distinct entities, they share common objectives—safeguarding the security and privacy of sensitive data. HITRUST can cover a majority of SOC 2 and HIPAA regulations if the controls are properly mapped. This makes HITRUST a comprehensive solution for healthcare organizations grappling with multiple compliance requirements.

While it may be necessary for healthcare organizations to pursue SOC 2 and HIPAA alongside HITRUST, the comprehensive nature of the HITRUST framework can simplify this process significantly. Despite being industry-agnostic, HITRUST still has a HIPAA core, which makes it particularly beneficial for healthcare organizations.

HITRUST’s e1 offers good cyber basics, i1 covers the majority of the HIPAA security rule, and r2 offers the option to cover it completely. With this level of coverage, it’s clear that HITRUST, SOC 2, and HIPAA are not mutually exclusive but can work together to provide a comprehensive compliance solution for healthcare organizations.

How automation enables a multi-framework approach to compliance

In the journey to handle multiple frameworks, automation and effective solutions can play a significant role. Thoropass helps customers leverage automation to pursue a multiple framework approach and simplify and streamline the process.

With Thoropass, you can:

  • Identify overlapping requirements across various frameworks
  • Simplify the compliance process through the consolidation of common elements
  • Reduce redundancy and repetition in the compliance process
  • Improve efficiency and reduce resource consumption

Automation can also play a significant part in making compliance efforts more efficient by minimizing duplicate work, leading to increased productivity and less resource usage. With automation, healthcare organizations can focus on their core business functions while ensuring that they remain compliant with multiple regulatory frameworks.

Multi-framework: Before and after

Prior to the introduction of an automated solution like Thoropass, organizations frequently implemented SOC 2, HITRUST, and HIPAA separately. This process, involving engineers, product managers, and CISOs, could span the course of an entire year, with each standard taking several months to implement.

Nonetheless, the emergence of automation technologies combined with the development of HITRUST over the last decade has changed the game for HealthTech companies looking to future-proof their business. By leveraging integrations and efficiencies across all frameworks, HealthTech organizations can make the process more manageable, reducing the time and resources required to prove compliance with the help of HITRUST certification reports.

The advantages of this approach are evident:

  • By condensing compliance efforts into a shorter period, individuals have more time to concentrate on their primary business operations.
  • This approach improves efficiency.
  • It allows for a more focused and effective approach to compliance.

Real-world example: Analog Informatics

One organization that has successfully navigated the complex landscape of healthcare compliance is Analog Informatics. Analog Informatics, which offers solutions for patient engagement, reputation management, and anomaly detection with AI, aimed to demonstrate its commitment to security to its customers and potential customers.

Analog Informatics opted to consolidate its HIPAA, HITRUST, and SOC 2 certification efforts into a single initiative, capitalizing on existing compliance measures to showcase its commitment to security. This approach enabled Analog Informatics to manage its compliance requirements efficiently, demonstrating the viability of a multi-framework approach with the support of automation and by placing HITRUST as the cornerstone of their compliance program.

The future of healthcare compliance: Expert advice

Our experts offer some final advice as you forge ahead on your quest to innovate in the healthcare space.

Zach: Expand further into the supply chain to see what other players could pose a risk to the overall security of your systems. Given that 55% of breaches are caused by third-party companies, you must broaden your coverage beyond your primary partners.

Leith: Start early, especially if you’re in the healthcare space. It’s never too early to start. HITRUST even introduced a basic e1 certification to help smaller companies get a foot in the door.

Ryan: Think about your cybersecurity from a threat-informed perspective. Putting threat at the centre is really, really critical. HITRUST provides security over compliance when it comes to these different assurance mechanisms. It’s not a time to ignore what’s going on from a threat perspective.
