We are excited to kick off the new year with our first newsletter, highlight key updates on the HITRUST program, and reflect on significant developments from the past quarter. In this edition of our quarterly newsletter, we share how organizations can proactively defend against cyberthreats and offer insights from the HITRUST 2025 Trust Report. Additionally, we present you with opportunities to centralize your HITRUST experience with Crowe as your external assessor firm.
With the release of v11.7, there were some changes to the e1 and i1 baselines, aligning them better with the cyberthreat coverage metric in the MITRE ATT&CK® framework. With these changes, the e1 baseline will consist of 43 requirement statements while the i1 baseline will continue with 182 requirement statements. In addition, any HITRUST Common Security Framework® (CSF) versions 11.6 and earlier will be decommissioned. These versions can be created through March 31, 2026, but must be submitted by June 30, 2026.
Healthcare organizations remain a prime target for cyberattacks because of the high value of patient data and often outdated systems. Cybercriminals are increasingly deploying malicious scripts, remote access trojans, ransomware, and credential harvesting to breach systems. A 2025 cyberthreat report published by Huntress found that attackers exploit weaknesses not just in their primary targets but also in connected systems.
While cyberthreats continue to evolve, adopting the HITRUST CSF allows organizations to address key risks often exploited by malicious actors. This HITRUST article explores how these risks can be mitigated with e1 controls, such as endpoint security, firewalls, strong authentication, least privilege access, incident response, and employee training.
The HITRUST 2025 Trust Report delivers compelling, data-backed proof that HITRUST certification significantly reduces cyber risk. HITRUST-certified organizations saw just a 0.59% incident rate in 2024. The report confirms the HITRUST framework is cyberthreat adaptive, covering known mitigatable tactics, techniques, and procedures.
New AI-focused offerings – an AI security certification and an AI risk management assessment – can help organizations extend proven security standards to AI platforms and deployments. IT and compliance programs built on HITRUST are not static checklists but evolving assurance mechanisms delivering measurable, continual improvement across internal systems, third-party vendors, and AI-enabled operations.
The HITRUST Report Center provides a secure, browser-based landing page where organizations can share assessment details through a unique URL. Accessible within MyCSF, it displays scope, report information, and certification status, and it enables relying parties to verify authenticity in real time. Account administrators can control visibility and URL activation, while assessors can view report lists but cannot access the Report Center unless enabled. This streamlined, secure sharing enhances transparency and strengthens stakeholder confidence.
HITRUST has gathered extensive feedback from customers and partners, including a third-party-led engagement with months of in-depth interviews, workshops, and industry best-practice analysis. In response, it has restructured and repriced the core MyCSF offerings to deliver more value, faster. The result is a streamlined set of offerings that better align with real-world use cases and evolving assurance needs.
Starting in 2026, MyCSF will be available in two primary options:
Pricing will be tailored to each organization based on a range of factors, with the goal of providing a MyCSF solution that fits an organization’s needs while continuing to deliver the trust, security, and innovation expected from a market leader in cybersecurity assurance and certification. We understand you might have questions, and we are here to assist and coordinate with the HITRUST sales team as needed to provide guidance on which option is the best fit for your organization.
In 2025, Crowe and HITRUST reached an agreement designating Crowe as an authorized reseller of MyCSF. Organizations can now work with us to purchase or renew their MyCSF subscription and report credits along with the professional services to test their HITRUST controls. As an authorized reseller, we can streamline the preliminary stages of your assessment and give you one vendor to work with for all your HITRUST needs. Ask one of our assessors today to learn how we can help you expedite the process for purchasing or renewing your MyCSF subscription.
Crowe and HITRUST have announced a new third-party risk management (TPRM) initiative to integrate HITRUST assurance reports and results directly into organizations’ TPRM programs, regardless of TPRM technology currently in use. The goal of this initiative is to create efficiencies and improve the security of TPRM programs by streamlining the vendor onboarding and due diligence processes.
Crowe is integrating advanced HITRUST platforms into our TPRM methodology and managed services to:
As organizations begin planning for 2026 HITRUST assessments, now is the ideal time to evaluate potential scope changes, assessment timing considerations, and evolving market requirements. To support this early planning, schedule a one-hour advisory session with a Crowe specialist. We’ve already discussed 2026 planning with a few clients, and we can help you navigate any changes you’re anticipating to optimize your certification strategy.
Even if you currently work with another assessor, our team can provide an objective, alternative perspective so that you are well-positioned for success in the year ahead. Learn more by contacting one of our authorized assessors today.
As part of an Authorized HITRUST External Assessor firm with current HITRUST Authorized External Assessor Council members, the Crowe team is here to keep you apprised of the most current changes. We also regularly provide insights and participate in discussions concerning the growth and evolution of HITRUST.
We look forward to hearing your questions and comments.