
Why Do Companies seek HITRUST Certification? 

Many leading companies seek and obtain HITRUST Certification.  This signifies their commitment to maintaining high standards of reasonable and appropriate cyber security and privacy measures.  However, HITRUST does not certify companies but rather certifies specific, “In Scope” implemented systems for defined periods of time.  Many HITRUST customers seek and maintain multiple certifications at different levels for different business units or technology platforms. 

The validity period of a HITRUST Certification depends on the level of assurance it provides for the covered scope: two years for an r2 certification, which includes an interim assessment after the first year, and one year for an i1 or e1 certification. The level of certification an assessed entity requests is driven by the requirements of relying parties seeking evidence of the entity’s cyber security, cyber resilience, and compliance status, which often aligns with the inherent risk of the certified scope. 

How can a Company have a Security Event or Breach if they have a HITRUST Certification? 

Cyber criminals and nation states continue to attack all industries. This unfortunately includes disproportionate and persistent attacks on health care companies and the health sector overall. HITRUST Certifications indicate a high level of preparedness and evidence of reasonable and appropriate security measures against the highly dynamic cybersecurity risk landscape backed by selection of relevant controls, rigorous examination, maturity scoring, and assurance quality.   

The relevant and reliable assurances provided by HITRUST certifications reduce the likelihood and potential impact of an attack and affirm the organization’s readiness to detect, respond to, and recover from an attack, but they do not guarantee absolute security or immunity from all possible threats.  Multi-year attack data shows that zero-day vulnerabilities and advanced, persistent attack methods used by motivated and highly skilled attackers remain significant threats even to well-defended and fully compliant companies. Compliance is not security, but good security can yield compliance, and HITRUST supports both. 

How does HITRUST Respond to Security Events or Breaches? 

HITRUST has built its assurance system on a model of continuous improvement to ensure it remains relevant and responsive, with a focus on adapting as the threat environment changes, which HITRUST defines as being cyber threat adaptive.  After a reported or discovered security event, HITRUST engages with the victim company (or companies) to understand and analyze the incident and the control environment. This information is then reviewed alongside threat intelligence data aligned with the MITRE ATT&CK framework. Once this review is completed, HITRUST makes changes to its framework and assurance system if needed and, if warranted, communicates observations and guidance to customers, its ecosystem of partners, and the industry at large to protect the companies and industries that it serves. 

Why Does a Security Event or Breach Happen to a Certified Company? 

HITRUST certifications are relevant to specific implemented systems, or scope, and not companies.  However, our analysis of prior security events suggests there are a few reasons why a certified system can experience a security event. Possibilities include, but are not limited to, one or a combination of the following contributors: 

  • The attack was on infrastructure that was not in the scope of the certification; 
  • There was change in the environment and its controls between the time of certification and the time of a security event; 
  • The attack employed a “zero-day” exploit against a platform, or operated outside the protection of any single control or set of controls, without sufficient mitigation available; this includes persistent attacks by highly motivated and well-funded actors such as nation states or state-sponsored threat actors; 
  • One or more control requirements have become insufficient because the attacker’s TTPs (Tactics, Techniques, and Procedures) have evolved, which can also decay the effectiveness of controls over time; and / or 
  • There were errors with the scoping, assessment, or validation of the environment. 

How Do I Know that Use of HITRUST is Helpful? 

HITRUST collects and publishes data to assess relevance and reliability and to continually improve the system.  HITRUST’s recently published 2024 Trust Report demonstrates quantifiable metrics about the effectiveness of the HITRUST program.  While security events and breaches still happen for the reasons outlined above, only 0.64% of HITRUST-certified environments reported breaches in 2022 and 2023. This metric is important as the ultimate outcome of an assurance system is to mitigate information risk to an appropriate and acceptable level. That outcome is achieved because of controls that are relevant and specific enough to address identified threats and reliable assurance reports that test and prove that the controls are implemented. The certifications generated by this system are available to stakeholders and relying parties seeking an understanding of the system including regulators. 

A deeper look at the HITRUST data provides clarity around how the system operates.  Rigorous testing and risk reduction are expected both of companies that seek a HITRUST certification and of those that rely on those certifications.  72% of certified companies at the Expanded Practices, or r2, validated assessment level identify at least one corrective action requiring mitigation through their HITRUST assessment.  And 92% of those issues are remediated within one year of the HITRUST assessment, which demonstrates that these companies are committed to true accountability and remediation and report their progress on their commitments. 

HITRUST Certifications indicate a high level of cyber resilience and preparedness using reasonable and appropriate security measures. The security and resilience reflected in a HITRUST Certification make a successful attack difficult but do not guarantee absolute protection against all threats. Even with rigorous, reasonable, and appropriate security, no system is entirely immune to an event or a breach, which is why HITRUST is committed to learning from each breach. 

Will HITRUST Revoke the Certification(s) of Victim Companies?  

HITRUST’s first objective is to help a victim company respond and recover in any way that it can.  At the appropriate time and in partnership with the victim company, HITRUST, the External Assessor, and the company’s internal and external forensic support team meet to review the event, the certified environment, and its controls, both overall and as it relates to the HITRUST’s Certification.  Based on the findings of the review, HITRUST may take many actions.  Suspension or revocation of a certificate are two possible outcomes if warranted. 

However, the focus of the HITRUST investigation is on understanding what happened, in consultation with the victim company, in order to learn from the root cause of the event, identify any control gaps, consider possible improvements to the control environment, the HITRUST control specifications, or the assessment protocols, and communicate the learnings to the industry so that other companies can take action to avoid being victimized by similar attacks. 

If Attacks can Happen, What Is the Value of a HITRUST Certification?  

The value of a HITRUST certification lies in its comprehensive approach to managing information risk and demonstrating an assessed entity’s compliance with various regulations and standards. Establishing trust in an assurance mechanism is challenging because many organizations do not know how to evaluate the available options, that is, how to judge whether a given assurance mechanism is both relevant and reliable. 

Relevant assurances must allow an organization to demonstrate their cyber resilience, which includes the ability to detect, protect, respond and recover from cybersecurity incidents.  

And, reliable assurances require the six essential principles of Transparency, Scalability, Consistency, Accuracy, Integrity, and Efficiency. HITRUST assessments encompass each of these principles and demonstrate HITRUST’s commitment to a high-quality assurance process. HITRUST uses a quality assurance program to govern the assessment submission and report issuance processes and each assessment submitted to HITRUST must undergo a comprehensive quality review prior to earning certification. 

Ultimately, certification signals to partners, customers, and regulators that an organization is serious about cybersecurity and privacy, has implemented a clear security posture, and is committed to measuring and maintaining it. While no certification can eliminate risk entirely, HITRUST's rigorous standards and threat adaptive model significantly reduce the likelihood and impact of data breaches, establishing a foundation of trust and resilience in an increasingly complex digital world. 

Following a Security Event or Breach, what does HITRUST do to Prevent Attacks to other Customers? 

HITRUST is committed to leading the industry by providing a system for information security, privacy, and compliance assurance that is unparalleled in relevance and reliability. In an environment where the threat of cyber-attacks is ever-present and absolute security cannot be guaranteed, HITRUST focuses on continuous improvement and adaptation to meet the challenges of current threats and market demands. 

To uphold this commitment, HITRUST has developed several key initiatives over the past decade, including: 

  • Cyber Threat Adaptive Program: Utilizes leading threat intelligence on Tactics, Techniques, and Procedures (TTPs), viewed through the MITRE ATT&CK framework lens. This program leverages HITRUST's proprietary AI technology to analyze the HITRUST CSF (Common Security Framework) for potential enhancements, ensuring it remains responsive to evolving cyber threats. 
  • Framework and Standards Harmonization: Engages with industry standards, authoritative sources, governments, and regulatory bodies to integrate and harmonize controls from newly updated standards and frameworks. This continuous effort ensures the assessment options we provide are both relevant and reliable. 
  • Regular and Frequent Framework Updates: HITRUST releases updates to the CSF and its assessment methodologies regularly and issues emergency guidance bulletins as needed to address the rapidly changing threat landscape.  This includes the appropriate sunsetting of controls and framework versions that are deemed insufficient. 
  • Updated Assessor Training and Re-Authorizations: Supported by the HITRUST Academy, a premier training facility, HITRUST mandates annual updates and recertifications for assessors. This ensures that our large ecosystem of assessor firms remains equipped with the latest knowledge and techniques.

By recognizing the challenges inherent in achieving absolute cybersecurity and emphasizing its dedication to innovation and excellence, HITRUST aims to enhance the overall security and trust within the digital ecosystem. This comprehensive strategy is intended to keep HITRUST at the leading edge, providing its clients and partners with the most effective assurance system available.