How HITRUST Fixes What’s Broken in Cybersecurity Compliance

How HITRUST Fixes What’s Broken in Cybersecurity Compliance

From GRC Academy by Jacob Hill

May 27, 2025 · 56 min · Season 2 · Episode 8

About this episode

Ryan Patrick discusses how HITRUST addresses cybersecurity compliance challenges.

Cybersecurity frameworks can learn a lot from HITRUST. In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data. I barely knew anything about HITRUST going in, but it’s clear they’re tackling the cybersecurity assurance problem in a radically different way. Here’s what stood out to me: HITRUST reviews its security controls quarterly based on threat intel and control effectiveness There are three distinct assessment levels (like CMMC) HITRUST itself issues a certification after the 3rd party assessment and running the assessment results through two stages of QA Every 3rd assessment gets reviewed. Every. Single. One. The centralized approach of HITRUST allows them to provide feedback to its assessment community after each and every assessment which results in assessments that are more consistent and higher quality. HITRUST certified organizations are contractually required to report incidents which then allows them to evaluate the effectiveness of their controls. I personally think that commercial cybersecurity frameworks should take a look…

People in this episode

Host: Jacob Hill

Guest: Ryan Patrick

Topics covered

  • cybersecurity
  • HITRUST
  • compliance
  • certification
  • threat intelligence

Keywords

  • HITRUST
  • cybersecurity compliance
  • certification process
  • threat data
  • security controls

Sponsors

Vanta

Mentioned in this episode

Organizations: HITRUST

More episodes of GRC Academy

Explore listener stats, chart rankings, contacts and more on the GRC Academy podcast page.