
HITRUST report shows improved outcomes for 2025 with AI
The Second Annual HITRUST Trust Report for 2025 highlights improved cybersecurity outcomes for organisations holding HITRUST certifications.
According to the report, released by the cybersecurity assurance entity, HITRUST-certified organisations reported an incident rate of only 0.59% in 2024, with 99.41% of certified bodies remaining breach-free. This marks an improvement from the 0.64% incident rate reported in 2023, demonstrating that HITRUST certifications (e1, i1, and r2) effectively deliver risk reduction across the portfolio.
Daniel Nutkis, Chief Executive Officer of HITRUST, said, "The HITRUST Trust Report continues to demonstrate that our rigorous, continuously validated cybersecurity approach is not just effective—it is unmatched. Organisations that adopt HITRUST achieve significantly lower breach rates and greater security resilience, reinforcing why HITRUST is the most trusted name in information risk and cyber assurance in the industry."
The report documents that HITRUST's cyber threat-adaptive approach, which leverages top intelligence sources and is directly mapped to MITRE ATT&CK, mitigates 100% of addressable tactics, techniques, and procedures (TTPs), addressing all known cyber threats.
Furthermore, organisations maintaining HITRUST certification see a reduction of up to 54% in required corrective actions each year, signifying ongoing security improvements with repeat certifications. HITRUST has also introduced its AI Security Assessment and Certification to the industry, facilitating the seamless integration of AI risk management into broader security frameworks.
Over the past three years, system vulnerability exploits have been the most common type of breach encountered by organisations. Challenges in building security maturity arise most prominently in the Password Management, Data Protection, and Access Control domains. Additionally, inadequate endpoint protection has been identified as a predominant reason for failing to attain HITRUST certification.
HITRUST's framework ensures its control requirements stay relevant and effective through its cyber threat-adaptive engine. This engine uses proprietary, patent-pending technology to continuously assess and mitigate current and emerging threats. Unlike static frameworks, HITRUST tailors its standards to ensure genuine risk mitigation.
To support its design of reliable assurance, HITRUST includes prescriptive control requirements in its certification methodology that facilitate accurate validation, independent third-party verification, and a centralised quality assurance review process. Certification drives continuous improvement through annual reassessments, ensuring consistent security outcomes, a feature the cyber insurance industry validates. As a result, several insurers have established a shared risk facility offering enhanced options, including better coverage and competitive rates, for HITRUST-certified entities.
HITRUST plans to release public reports on cyber threat-adaptive analytics in the months ahead. These reports aim to bolster confidence in HITRUST's control architecture and guide strategic security investments based on current attack trends and threat evolution.
HITRUST transcends mere certification by serving as a blueprint for managing information security risk and fostering trust. It supports internal security structuring, enhances vendor risk management, aids compliance, and facilitates security posture demonstration in business dealings.