How HITRUST Is Evolving to Meet the Moment: Key Takeaways from the 2025 Trust Report

As cybersecurity risks grow more sophisticated and organizations face mounting pressure to prove resilience, frameworks like HITRUST are evolving to deliver more than just compliance; they’re building stronger, smarter systems. The newly released 2025 HITRUST Trust Report highlights that shift, offering a roadmap for organizations that want to move from reactive compliance to proactive assurance.

One major theme from this year’s report is the shift toward continuous assurance—an approach that aims to replace static, point-in-time assessments with ongoing, real-time insights. This vision leverages automation, big data and continuous monitoring to help organizations manage risk more dynamically. While still in early stages, it signals a thoughtful response to growing fatigue around traditional compliance cycles, especially among those pursuing the HITRUST r2 assessment.

A Framework Rooted in Relevance and Reliability

Two themes echo throughout the report: relevance and reliability. HITRUST has introduced several innovations to meet emerging challenges:

  • AI-focused Risk Assessment Tools: As AI adoption surges, HITRUST now offers tools that work alongside the standard framework to evaluate risks in AI systems, an early but vital move to help organizations navigate ethical, privacy and safety concerns.
  • Assurance Intelligence Engine: This tool helps automate quality checks throughout the assessment lifecycle.
  • Six-layer Centralized QA Review: Quality assurance remains a cornerstone of HITRUST’s value proposition. Their new QA reservation system has significantly reduced turnaround times, with most reviews now completed in about 30 days. Additionally, HITRUST introduced SLAs to guarantee timely delivery, even offering to review one future report at no cost if deadlines aren’t met.
  • Enhanced Inheritance Feature: This feature helps organizations streamline their assessments by reusing verified controls from trusted vendors, without compromising rigor or oversight.

These updates reflect a growing recognition: compliance must evolve at the speed of business and technology.

Real-World Security Outcomes

HITRUST assessments are driving measurable security improvements. Among organizations that returned for reassessments:

  • r2 participants saw a 32% reduction in corrective action plans (CAPs)
  • i1 participants saw a 54% reduction

The report also notes that 99.41% of HITRUST-certified organizations experienced no reported breaches. For the rare few that did, most incidents stemmed from familiar vulnerabilities: more than half were due to unpatched systems, while over 30% involved compromised credentials.

Phishing accounted for fewer than 10% of incidents—far below industry norms. These insights directly inform HITRUST’s framework updates, including more rigorous access control requirements in the latest e1 assessment.

Corrective Action Plans: Signals for Growth

While CAPs are often seen as failures, the Trust Report presents them as opportunities for growth. In 2024, nearly 65% of assessments included at least one CAP, most commonly related to access control. Other frequent CAP areas included third-party assurance, network protection, logging and monitoring, and vulnerability management.

Over time, organizations that engage in regular reassessments tend to see CAPs decline. Between 2022 and 2024, the average number of CAPs in r2 assessments dropped from 11.6 to 7.9, reinforcing the value of sticking with the process.

Meeting Organizations Where They Are

HITRUST’s tiered approach continues to gain traction across industries:

  • Newcomers are adopting the foundational e1 assessment
  • Repeat customers often pursue the more comprehensive r2
  • Adoption is expanding beyond healthcare and tech into government, financial services, retail and manufacturing

This signals that HITRUST is succeeding in its goal to scale trust across sectors and maturity levels.

What’s Next for HITRUST?

HITRUST isn’t standing still. The report outlines three major initiatives for the year ahead:

  1. CSF version 12 will likely include further updates to account for evolving risks and industry feedback.
  2. A new AI assurance and insights reporting feature, aimed at giving organizations better visibility into AI-related risk.
  3. Assessor performance benchmarking, adding transparency to the assurance ecosystem.

Combined with new service-level agreements (SLAs), faster QA turnarounds and a centralized platform experience, HITRUST is positioning itself as not just a framework, but a trusted partner in building cyber resilience.

Final Thoughts

For organizations seeking to build real, lasting trust with customers, partners and regulators, HITRUST continues to raise the bar. Whether through new AI certifications, enhanced QA processes or more accessible assessment pathways, HITRUST continues to make it easier for organizations to achieve and maintain strong cybersecurity practices.  

Ready to strengthen your organization’s security posture?

Our team can help you navigate the HITRUST landscape—from selecting the right assessment level to leveraging inheritance and continuous assurance strategies. Explore how Frazier & Deeter can support your cybersecurity and compliance goals today.

Contributors

Andrew Hicks, HITRUST Practice Leader,
Partner, Frazier & Deeter Advisory, LLC

Alexis Wiley, Associate
