The 2025 HITRUST Trust Report is more than just a retrospective on certification trends—it is a reflection of where cybersecurity assurance is heading. In a landscape where compliance complexity is growing and AI is rapidly transforming risk dynamics, the HITRUST ecosystem stands out as a scalable, rigorous, and data-driven model for building trust. Whether you’re a startup just beginning your journey or a global enterprise with mature systems, HITRUST offers a structured path toward validated security posture. In this article, we’ll explore the architecture of the HITRUST ecosystem, review the new AI security initiatives, and unpack the findings of the 2025 Trust Report to better understand how the industry is evolving.
What Is HITRUST?
Founded in 2007 and headquartered in Dallas, Texas, HITRUST has grown into a foundational player in cybersecurity assurance. It functions both as a developer and maintainer of the Common Security Framework (CSF) and as a certification body responsible for overseeing rigorous, third-party validated assessments. More than just a framework, HITRUST offers a suite of SaaS tools—including MyCSF, the HITRUST Assessment XChange, and the Results Distribution System—designed to streamline risk management, compliance tracking, and vendor oversight.
HITRUST assessments are maturity-based, independently validated, and scalable to organizations of various sizes and complexities. With increasing regulatory scrutiny and stakeholder demand for transparent controls, HITRUST has become a critical tool for demonstrating security and privacy posture in industries like healthcare, financial services, and technology.
Building Blocks of the HITRUST Ecosystem
At the core of the HITRUST ecosystem is a scalable and standardized assessment methodology built on the CSF. The framework adapts to evolving threats and aligns with global regulations, making it highly relevant across sectors. It incorporates multiple layers of quality assurance—from automated tooling to third-party assessor oversight—to deliver consistent, defensible results. This process is not just about checking boxes; it’s about building a sustainable and auditable program that organizations can grow with over time.
HITRUST certifications come in three primary levels: e1, i1, and r2. The e1 certification serves as a foundational entry point with a narrow scope and a short timeline. The i1 offers a broader set of leading practices, while the r2 encompasses the most comprehensive requirements, including options to evaluate higher maturity levels such as “Measured” and “Managed.” Each certification is valid for one to two years, depending on the type, and certification eligibility is determined by comparing maturity scores against the thresholds defined for each assessment type.
A Continuous Lifecycle of Improvement
Achieving certification is not a one-off event but a multi-phase journey. Organizations typically begin with a HITRUST readiness assessment lasting two to four weeks, followed by a remediation period that can span several months. A three-month settling period allows controls and processes to stabilize before a validated assessment begins. Scores roll up from individual requirement evaluations to domain-level averages, which ultimately determine certification eligibility.
What sets HITRUST apart is its emphasis on quantifying maturity. Assessments aren’t just pass/fail—they consider control implementation, policy depth, and process management. This approach encourages organizations to continuously improve their programs instead of aiming for a static benchmark.
Adding AI to the Assurance Equation
In 2024, HITRUST introduced two key initiatives focused on artificial intelligence. The AI Risk Management Assessment, released in August, offers a non-certifiable evaluation aimed at organizations leveraging AI. It focuses on evaluating 51 risk management controls. In December, HITRUST launched its AI Security Assessment and Certification program, designed for AI providers and developers. This certifiable layer builds on existing assessments and includes roughly 44 requirements, many of which can be inherited from cloud service providers already within the HITRUST ecosystem.
These initiatives provide a timely and strategic solution for a rapidly evolving area of risk. AI technologies are moving faster than regulatory frameworks can adapt, and existing standards such as ISO/IEC 23894 and the NIST AI Risk Management Framework are extensive and difficult to harmonize. HITRUST offers a way to simplify this complexity, giving organizations a path to align AI security with cybersecurity frameworks and stakeholder expectations.
What We Learned From the HITRUST 2025 Trust Report
Released in February 2025, the HITRUST Trust Report reveals detailed insights into certification adoption, scoring trends, industry dynamics, and the real-world impact of HITRUST programs.
When examining assessment types, the r2 certification continues to dominate, accounting for over 62% of all HITRUST assessments. This reflects a preference among mature organizations handling complex or sensitive data. However, the report also shows that entry-level certifications are becoming more popular. Approximately 22% of organizations chose i1 assessments, while 16% selected e1. Importantly, among new customers, more than 60% opted for e1 certifications—indicating that HITRUST’s accessibility strategy is paying off. This phased approach—starting with e1, progressing to i1, and ultimately reaching r2—supports organizations in growing their programs over time.
Industries embracing HITRUST span a wide range, with software and technology companies making up 37% of the ecosystem, followed by healthcare at 26% and business services at 19%. These numbers reflect both HITRUST’s historical alignment with HIPAA and its recent expansion beyond healthcare into technology-driven sectors.
Perhaps one of the most compelling data points is the report’s breach statistics. In 2024, over 99% of HITRUST-certified organizations reported no security breach in their in-scope environments. Among the small number of breaches reported, vulnerability exploits were the most common, followed by credential compromises and phishing attacks. These data suggest that organizations certified under the HITRUST framework are significantly more resilient to common attack vectors.
HITRUST Trust Report Data: Scores, CAPs, & Quality
The report also examines certification scores, which further underscore HITRUST’s role in program maturity. e1 and i1 assessments scored exceptionally high, averaging over 98%, while r2 assessments averaged around 74%. This gap reflects the increased complexity and stricter maturity evaluations in r2 assessments, where many organizations choose not to evaluate advanced maturity levels like “Measured” and “Managed.”
HITRUST Corrective Action Plans (CAPs) remain a standard part of the certification journey. In 2024, two-thirds of validated assessments required at least one CAP. i1 assessments had the highest rate, with nearly 89% including CAPs, while only about a quarter of e1 assessments required remediation. The average number of CAPs in r2 assessments decreased from 12 in 2022 to 8.6 in 2024, reflecting growing readiness and maturity among participants.
One of the most impactful trends is the increasing use of inheritance—where organizations reuse certified controls from cloud providers. In 2024, nearly 70% of r2 and i1 assessments leveraged external inheritance, resulting in significant time savings for both assessors and clients. These gains were most pronounced in i1 assessments, where assessor hours dropped by over 23%.
HITRUST’s QA function has also evolved. From 2022 to 2024, the number of QA tasks required per assessment declined across all types. While r2 assessments still carry the highest QA load, the average task count has decreased steadily, and overall QA cycle durations have shortened significantly—particularly for i1 and r2.
Conclusion: Assurance as a Journey, Not a Destination
The 2025 HITRUST Trust Report paints a picture of a maturing ecosystem—one where organizations are increasingly choosing scalable, structured approaches to risk management. With high certification rates, strong resistance to breaches, and expanding support for emerging technologies like AI, HITRUST is positioning itself as a cornerstone of modern cybersecurity assurance.
For organizations just beginning their compliance journey, e1 provides a reliable on-ramp. For those navigating complex regulatory and threat landscapes, r2 remains the gold standard. The report confirms that no matter where an organization starts, the HITRUST ecosystem offers a roadmap for continuous improvement.
Are you ready to take the next step in your HITRUST journey? Visit Linford & Company to learn more about our HITRUST assessment services, or contact us to discuss how we can support your cybersecurity goals.