Episode notes
Cybersecurity frameworks can learn a lot from HITRUST.
In this episode, Ryan Patrick of HITRUST explains how HITRUST approaches the assurance problem, from centralizing the certification process to frequent updates to the control sets based on threat data.
I barely knew anything about HITRUST going in, but it’s clear they’re tackling the cybersecurity assurance problem in a radically different way.
Here’s what stood out to me:
- HITRUST reviews its security controls quarterly based on threat intel and control effectiveness
- There are three distinct assessment levels (like CMMC)
- HITRUST itself issues a certification after the 3rd-party assessment and after running the assessment results through two stages of QA
- Every 3rd assessment gets reviewed. Every. Single. One.
The centralized approach o ...
Keywords
HITRUST