HITRUST: Password Management Domain Remains a Challenge to Secure

March 1, 2025
Healthcare Innovation spoke to HITRUST VP of Quality on findings in the annual TRUST report

On February 20, Texas-based risk management company HITRUST released its second annual TRUST Report, covering 2024. Organizations holding a HITRUST certification reported an incident rate of 0.59 percent in 2024, according to HITRUST. By comparison, 60 percent of organizations that manage information risk ad hoc experienced a data breach last year, according to the industry data HITRUST cites.

HITRUST found that exploitation of system vulnerabilities was the top breach type over the past three years. Password management, data protection, and access control were the domains in which organizations found it hardest to achieve security maturity. The accompanying press release stated that inadequate endpoint protection is the leading cause of HITRUST certification failures.

Healthcare Innovation spoke with Vincent Bennekers, VP of quality, about the findings in the report.

Could you provide some background for the HITRUST certification?

We have an assessment handbook that all organizations and customers are expected to follow when they submit an assessment to us before we issue a certification. We offer three different assessment types. The first is e1, the entry-level assessment for an organization. It consists of 44 different requirements.

The i1 is the next step up from the e1. It's the leading practices for an organization. It consists of 182 requirements within an assessment.

The r2 is…a very robust security assessment. It includes our risk analysis, which every organization goes through to determine which requirements are included in that assessment. It includes all 182 requirements from the i1, but then it adds additional requirements an organization should meet based on that risk analysis.

How long does the certification process take?

We always recommend organizations do readiness assessments before they perform an assessment. The time it takes depends on how familiar you are with HITRUST, the requirements to be met, and the scope of your assessment. Generally, the fieldwork period for any HITRUST assessment is 90 days. You have 90 days to perform the assessment and then submit it to us, and we can determine the criteria for certification.

What are the main obstacles?

Organizations seem to have the most challenges in particular domains depending on which assessment they're doing. If an organization doesn't meet a particular requirement in an assessment, they get a corrective action that they should perform.

The r2 had the lowest scores in password management. For the i1, the lowest-scoring domain was vulnerability management. For the e1, it was access control. What we saw in some of the common security breaches reported to HITRUST was also in those categories.

We did a comparison this year to the Verizon Data Breach Investigations Report, because that's an organization that produces a report on what the most common breach causes are across the entire industry. Verizon noted that those vulnerability exploits had almost tripled in the last year. A lot of it had to do with what are called zero-day vulnerabilities. Those are vulnerabilities that a company doesn't have a patch for yet.

Verizon's data breach report highlighted the leading way in for an attacker, which was through account compromise. This is basically stolen usernames and passwords. For the breaches that were reported to us, that was the second of the leading causes.

Were there any unexpected findings?

Customers want to improve their security postures. They're not just getting a HITRUST certification because they're required to. We saw a lot of improvement in corrective actions for those year-over-year i1 customers: a reduction of more than 50 percent in corrective actions on repeat assessments.

What are the most complex domains for organizations to achieve security on?

The password management domain was the most difficult, and it also ties into the breaches. We have 19 different domains in a HITRUST assessment. I don't think it's a coincidence that we're seeing similar domains having those issues year over year.

What is the most common reason an organization fails a certification?

The domain we saw the highest reason for failing in was endpoint protection. That's the domain where we look at the laptops and the servers connecting to their in-scope systems, ensuring that those laptops and servers have antivirus installed and other malware protection in place. I think that in some cases, organizations may have challenges in making sure that the system is properly installed across the enterprise. I think that may be why we're seeing some of those issues in endpoint protection.

Could you discuss how HITRUST addresses tactics, techniques, and procedures (TTPs)?

We want organizations to really focus on the relevant threat they are facing. Our framework is cyber threat adaptive, which means we constantly look at those TTPs and the different methods attackers use to get into a system. We use data from the MITRE ATT&CK framework. It's a third party that looks at all the different TTPs and attack methods attackers use and then maps those to how those attacks can be mitigated. We look at those mitigations and identify HITRUST requirements that an organization can implement to offer that mitigation.

We mapped each assessment type to those mitigations in the MITRE ATT&CK framework. For the e1, although it only has 44 requirements, it maps to 62 percent of those mitigations.

Do you have advice for health organizations that want to obtain certification?

The question they should ask themselves is, how do they know that the information and the security assessment they're receiving are relevant to the organization? Does it address their needs as an organization? You have different sizes of organizations, and you have different risk profiles for organizations.

We understand that organizations also have limited budgets, so they don't want to overspend. They want to make sure those security assessments are relevant but also reliable. We introduced the trust report because we wanted to communicate everything we're doing to ensure that security assessments represent what is relevant and reliable.

We would encourage any leaders to look at what we're doing, then look at the other security assessments, and question whether they can rely on the reports they're receiving and whether the information is relevant for their organization.

Some relevant questions they can ask of any assurance provider are: What was the assessment process and scoring approach? How did the assessment address the relevant security threats for their company, and what quality assurances were used in their assessment?
