Crowe Quarterly Update on HITRUST – April 2026

Erika L. Del Giudice, Jared Hamilton
HITRUST | 4/20/2026

As we move further into 2026, we highlight key updates in the HITRUST program and reflect on the most impactful developments from the last quarter. 

As we enter the second quarter of 2026, adversaries are accelerating their use of AI-driven attack techniques, while organizations are pushing for more standardized third-party assurance. These trends reinforce the importance of HITRUST’s threat-adaptive model and ecosystem initiatives in advancing trust and resilience.

In this edition of our quarterly newsletter, we share key findings from HITRUST’s 2025 H2 Threat Analysis, insight into the growing momentum behind third-party trust initiatives, and recent Assessment Handbook clarifications, including what they mean for your security program.

Assurance program updates

2025 H2 threat analysis: AI-driven tactics on the rise

On Feb. 19, 2026, HITRUST announced the release of the “HITRUST CSF Threat and Mitigation Analysis H2 2025” report and highlighted that HITRUST’s continually updated e1, i1, and r2 assessment portfolio effectively mitigated the most prevalent adversarial techniques observed in real-world attacks throughout 2025.

Key findings from the report demonstrate that:

  • Phishing and social engineering campaigns are increasingly enhanced by generative AI
  • Exploitation of external remote services and internet-facing systems is increasing
  • Scaling of attack automation to accelerate reconnaissance and initial access is intensifying

The report reinforces HITRUST’s Cyber Threat Adaptive methodology, which dynamically aligns HITRUST assessment requirements with active adversary techniques. As threat patterns evolve, control requirements are recalibrated to confirm relevance and measurable defensive value.

This threat-informed model emphasizes:

  • Alignment with observed MITRE ATT&CK® techniques
  • Periodic refinement of HITRUST control requirements
  • Removal of outdated or low-relevance control mappings

Healthcare ecosystem collaboration: Advancing third-party trust

The healthcare industry continues to mature its approach to third-party risk oversight through collaborative initiatives such as the Health 3rd Party Trust (H3PT) Council.

The council, composed of healthcare providers, payors, and risk leaders, focuses on:

  • Reducing duplicative vendor questionnaires
  • Promoting standardized, validated assurance approaches
  • Increasing transparency and consistency in third-party security evaluations

This initiative reflects a broader industry shift toward independently validated security certifications as a mechanism to strengthen trust across complex healthcare ecosystems.

Organizations that have self-identified as accepting HITRUST assessments are listed in the H3PT directory along with the type of assessment accepted. Any organization can request to join the directory to show commitment to comprehensive third-party risk management via pursuit or achievement of a HITRUST certification.

Assessment Handbook v1.2 clarifications

HITRUST recently released Assessment Handbook v1.2, introducing refinements that might impact 2026 assessment planning, including:

  • Clarified guidance for evidence generated through intermediate platforms or automation tooling
  • Refined inheritance eligibility criteria based on current certification status and expiration timelines
  • Additional flexibility permitting certain scenarios to use e1 or i1 assessments in place of traditional interim assessments

These updates aim to improve assessment consistency and streamline documentation expectations while preserving rigor.

2026 HITRUST Trust Report

Earlier this month, HITRUST released the 2026 HITRUST Trust Report, the third annual edition of the report.

This year’s edition revealed that across multiple industries, HITRUST-certified environments continue to demonstrate exceptionally low breach rates. In fact, in 2025, 99.62% of HITRUST-certified environments did not report a security breach.

Crowe insights

Threat-adaptive assurance is becoming essential

AI-enabled attacks are compressing the time between vulnerability discovery and exploitation, and static compliance programs are increasingly challenged as a result.

Organizations should evaluate whether their assurance program:

  • Incorporates current threat intelligence into control validation
  • Regularly tests phishing resilience and remote access controls
  • Uses assessment outputs to prioritize controls aligned to high-frequency attack techniques

A threat-adaptive model is no longer aspirational. It is becoming foundational. The HITRUST CSF® framework is continually updated to include controls that mitigate the most prevalent attack vectors.

Third-party risk moving toward validated assurance

Many organizational leaders are signaling a shift away from questionnaire-driven vendor reviews toward standardized, independently validated security certifications.

We recommend that organizations:

  • Incorporate HITRUST certification status into vendor tiering methodologies
  • Map validated assessment results into enterprise risk reporting
  • Use certifications to reduce redundant evidence collection

As ecosystem expectations evolve, validated assurance might increasingly serve as a baseline requirement rather than a competitive differentiator.

2026 assessment planning: Practical considerations

With the Assessment Handbook updates in effect, organizations preparing for 2026 submissions should:

  • Consider if AI is in scope and should be part of their HITRUST assessment
  • Confirm inheritance assumptions early in scoping discussions
  • Validate that automated evidence sources meet clarified documentation standards
  • Evaluate the option to perform an e1 or i1 assessment in lieu of an interim assessment over the same scope

Proactive alignment between internal teams and assessors can reduce rework and improve efficiency.

Looking ahead

The convergence of AI-accelerated threats and ecosystem-driven assurance expectations is reshaping how organizations define and demonstrate trust.

HITRUST’s continued refinement of threat-adaptive controls and third-party collaboration models signals a broader shift toward measurable, intelligence-informed assurance.

Organizations that treat HITRUST not as a periodic certification exercise but as an integrated risk management capability will be better positioned to navigate the evolving threat and regulatory landscape.

As a HITRUST Authorized External Assessor and a current HITRUST Authorized External Assessor Council member, we’re here to help keep you apprised of the most current changes. Our team also regularly provides insights and participates in discussions concerning the growth and evolution of HITRUST.

We look forward to hearing your questions and comments.

Erika L. Del Giudice
Principal, HITRUST Consulting Leader

Jared Hamilton
Managing Director, Cyber Consulting

Jordan Cooley
Cyber Consulting