HITRUST April 2025 Quarterly Newsletter

Erika L. Del Giudice, Jared Hamilton
HITRUST
4/14/2025
Stay up to date on the latest HITRUST information with our quarterly HITRUST newsletter.

With Q1 of 2025 behind us, we’re excited to share our latest newsletter, highlighting key updates in the HITRUST program and reflecting on the most impactful developments from the beginning of the year.

Assurance program updates

HITRUST AI assessments: Q&A on what you need to know

With AI adoption accelerating across industries, HITRUST has introduced two new offerings to help organizations assess and strengthen their AI programs: the AI Risk Management Assessment and the AI Security Assessment and Certification. These solutions address both the governance and technical security dimensions of AI, offering organizations a structured path to manage risk, build trust, and demonstrate accountability in their AI systems. Here, we break down the key differences, describe use cases, and identify how to determine which approach is right for your organization.

Q: What’s the difference between the HITRUST AI Risk Management Assessment and the AI Security Assessment and Certification?

A: These are some differences:

  • The AI Risk Management Assessment is informational and provides insight into your organization’s alignment with AI governance and risk management practices. It maps to industry frameworks such as International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 23894:2023 and the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) 1.0 and is ideal for organizations seeking an evaluation of their AI risk management practices without pursuing a certification.
  • The AI Security Assessment and Certification is a validated, certifiable solution focused on technical and security controls specific to AI system platforms. Built on HITRUST CSF® v11.4, it includes 44 prescriptive controls to evaluate the security of AI systems.

Q: Do these apply to my organization?

A: If you answer yes to any of the following questions, then these solutions apply to your organization, particularly if you manage or control the AI solution or its outputs.

  • Have you deployed AI systems internally or for customer-facing applications?
  • Are you planning to implement AI tools or models in the future?
  • Are you integrating third-party AI application programming interfaces (APIs) into your systems?
  • Even if you’re leveraging a third-party provider’s AI model, are you training, tuning, or enhancing the model?

Q: I’m planning on certifying this year on a HITRUST e1, i1, or r2 assessment. Can I add these solutions?

A: Yes.

  • The AI Security Assessment can be added to an ongoing e1, i1, or r2 assessment. Or, if the assessment is already completed, it can be pursued via an e1 as a standalone assessment to complement your existing assessment.
  • The AI Risk Management Assessment is a separate assessment from the e1, i1, and r2 assessments but can be done in tandem.

Q: Can you give examples of how these assessments apply?

A: Here are two examples.

  • Example 1: AI Risk Management Assessment. A healthcare organization that is using or planning to use AI to optimize internal workflows and isn’t ready for a formal certification might benefit from the AI Risk Management Assessment to guide responsible AI adoption and governance alignment without the pressure of a certification.
  • Example 2: AI Security Assessment. A software as a service company offering an AI-powered diagnostic tool for hospitals needs to demonstrate security and regulatory alignment. This organization is a great fit for the AI Security Assessment and Certification to showcase its technical safeguards and compliance posture.

Q: Why Crowe?

A: Crowe is actively contributing to the HITRUST AI working group, is currently working with several clients on their AI assessments, and stays at the forefront of this evolving space. Whether you’re evaluating AI use or ready to pursue certification, our team can guide you through the process.

We’re available to discuss your options and can coordinate a conversation with HITRUST if you’d like to explore whether these programs align with your organization’s goals.

HITRUST Assessment XChange® app for ServiceNow®

In January 2025, HITRUST announced the general availability of the HITRUST Assessment XChange app for ServiceNow, a significant advancement in third-party risk management (TPRM). This integration embeds HITRUST’s proven assessment and TPRM tool kit directly into the ServiceNow platform, providing organizations with seamless automation, actionable insights, and reduced assessment fatigue.

Key features of the HITRUST Assessment XChange app include:

  • Cyberthreat-adaptive controls. Ensures relevance to emerging cyberthreats, eliminating the need for additional, redundant questionnaires.
  • Comprehensive assessment portfolio. Offers assessments tailored to various risk levels (e1, i1, r2), including AI Risk Management and AI Security assessments, all built on the widely recognized HITRUST framework.
  • Proven assurance methodology. Leverages HITRUST’s rigorous assurance programs, which have demonstrated low reported breach rates among assessed entities, as highlighted in “The HITRUST 2025 Trust Report.”
  • Results distribution system (RDS). Facilitates seamless, detailed, and secure sharing of assessment results within the ServiceNow platform, enabling efficient vendor control analysis.
  • Automated control inheritance. Reduces redundant assessments by allowing vendors to reuse validated security controls across assessments.

As a trusted HITRUST Assessor and experienced ServiceNow implementation partner, Crowe is uniquely positioned to help organizations get the most out of the HITRUST Assessment XChange app. Whether you are exploring the integration, need help aligning assessments to your third-party risk processes, or want to streamline automation within ServiceNow technology, our team can guide you through every step. We combine deep knowledge of the HITRUST framework with technical ServiceNow expertise to deliver practical, scalable solutions tailored to your organization’s needs.

Let’s connect to explore how we can support your TPRM program.

Crowe insights

Indiana and Utah join states requiring StateRAMP (doing business as GovRAMP) authorization for vendors

In Q1, both Indiana and Utah officially joined a growing number of states requiring vendors that handle government data or provide cloud services to achieve StateRAMP authorization. Modeled after FedRAMP, StateRAMP provides a standardized approach to verifying cloud security postures for state and local governments, focusing on data protection, transparency, and continuous monitoring.

For vendors, this means that doing business with Indiana and Utah – and many other states – now comes with clear expectations for third-party cybersecurity assurance. If your organization supports government clients in Indiana, Utah, or other participating governments across the country, now is the time to assess your readiness for StateRAMP.

Achieving StateRAMP authorization doesn’t always mean starting from scratch. If your organization has already completed a HITRUST r2 certification, you might be closer than you think.

Thanks to the alignment between HITRUST and NIST special publication (SP) 800-53, the core framework behind StateRAMP, organizations can leverage their HITRUST r2 certification to support StateRAMP authorization efforts. Specifically:

  • HITRUST’s control set includes a comprehensive mapping to NIST SP 800-53, including Moderate baseline requirements.
  • The rigor of the HITRUST assurance process, combined with validated control implementation, positions organizations well for StateRAMP readiness.
  • In some cases, a HITRUST r2 assessment can be used to support a fast-track path to StateRAMP Authorized status, reducing time and duplication of effort.

Navigating the intersection of HITRUST and StateRAMP requirements can be complex. As a certified HITRUST Assessor and experienced adviser in cybersecurity, Crowe is equipped to guide organizations through the StateRAMP authorization journey. Our team can help map existing HITRUST controls to StateRAMP requirements, identify gaps, and develop a tailored strategy to achieve and maintain compliance.

If your organization is pursuing StateRAMP authorization or seeking to leverage HITRUST certification for compliance, contact Crowe to explore how we can support your objectives.

Aligning with the new HIPAA security requirements using HITRUST

In January 2025, the U.S. Department of Health and Human Services proposed significant updates to the HIPAA Security Rule, aiming to enhance protections for electronic protected health information (ePHI) in response to evolving cyberthreats. Key proposed changes include technology asset inventories and network maps updated at least annually, more rigorous and more frequent security risk assessments, enhanced oversight of business associates, mandatory multifactor authentication, and mandatory encryption of ePHI at rest and in transit (with limited exceptions). These updates underscore the need for healthcare organizations to bolster their cybersecurity programs to safeguard patient data effectively.

The HITRUST CSF offers a comprehensive, certifiable approach that aligns with multiple regulations and standards, including HIPAA. By integrating various security, privacy, and regulatory requirements, the HITRUST CSF enables organizations to address the enhanced provisions proposed in the HIPAA Security Rule update. For instance, the CSF’s prescriptive controls encompass areas such as risk management, access control, and encryption, which are focal points of the proposed changes.

Achieving HITRUST certification demonstrates an organization’s commitment to robust cybersecurity practices and positions it to meet the forthcoming HIPAA requirements effectively. Leveraging the HITRUST CSF can streamline compliance efforts, reduce redundancy, and enhance the protection of ePHI against emerging cyberthreats.

Crowe provides comprehensive HIPAA Security Assessment services designed to help organizations identify gaps, assess risk, and align with both current and proposed regulatory requirements. Whether you’re preparing for the upcoming HIPAA Security Rule changes or looking to integrate your efforts with a HITRUST certification, our team can guide you through the process with practical, risk-based insights and actionable recommendations.

Crowe at HIMSS25: Cyber insights, connections, and innovation

The Crowe cybersecurity and HITRUST team wrapped up a dynamic and energizing week at HIMSS25 in Las Vegas, held March 3-6 at the Venetian Convention & Expo Center. As one of the healthcare industry’s most influential gatherings, HIMSS25 was the perfect opportunity to stay ahead of emerging trends, explore cutting-edge innovations, and connect with clients, partners, and peers from across the country.

Crowe practitioners were on-site throughout the week, engaging in conversations about healthcare cybersecurity, compliance, and risk management. The conference showcased technologies and strategies transforming the future of healthcare – from AI and automation to evolving cybersecurity frameworks.

Beyond the packed agenda, HIMSS25 offered a chance to reconnect with past colleagues, strengthen industry relationships, and share insights face-to-face. The energy of the conference, the scale of the innovation on display, and the countless networking moments made for a truly valuable experience.

If we missed you at the booth or didn’t get a chance to connect on-site, let’s change that. Reach out to our team to learn how Crowe can help you navigate your healthcare cybersecurity and HITRUST-related goals in 2025.


Contact our authorized assessors

As part of an Authorized External Assessor firm with current HITRUST Assessor Council members, the Crowe team is here to keep you apprised of the most current changes. We also regularly provide insights and participate in discussions concerning the growth and evolution of HITRUST.

Crowe has relationships with firms that can help with remediation of gaps and implementation of necessary controls identified during the readiness assessment and prior to the validated assessment. If you’re finding remediation time-consuming, we are happy to make an introduction.

We look forward to hearing your questions and comments.

Erika L. Del Giudice
Principal, HITRUST Consulting Leader

Jared Hamilton
Managing Director, Cyber Consulting
