For the first time since 2019, HITRUST Collaborate was held in-person with almost record attendance, and the conference did not disappoint. With multiple sessions running simultaneously and full of thought leaders from all industries and roles within the HITRUST value chain, there was something for everyone. Here are LBMC’s key takeaways from HITRUST Collaborate 2023.

A Common Challenge

The week commenced with a day-long forum, led by Health3PT, on a significant challenge assessed entities face: vendor risk management. Whether a start-up or a Fortune 10 company, companies are facing unprecedented difficulties with cataloging and risk-assessing their vendors, while vendors are facing miles of red tape before they can help their customers or earn a single penny. The remainder of the week continued to focus on Third-Party Risk Management (TPRM).

Chris Hetner, Cybersecurity and Privacy Chair, Nasdaq Center for Board Excellence, said it best: “Companies tend to focus too much on the rivets…and not enough on the larger picture.” As a result, significant effort is spent collecting and assessing documentation of questionable relevance. Speakers and attendees alike echoed the need to reassess the vendor vetting process to streamline documentation collection and analyze only what is truly relevant.

LBMC’s Van Steel continued this theme with his presentation, “The Incredible Value of Talking to Your Vendors,” where he provided real-world examples he has encountered of over-auditing vendors when a simple, candid conversation would have been sufficient. The collective made a clear case that this is an issue that can only be solved by the collaboration of all parties in all industries.

SEC Cybersecurity Disclosure Rule

New SEC disclosure rules were the subject of multiple sessions. These rules address treatment of cybersecurity events and reporting requirements for public companies. Specifically, if an organization has a cybersecurity event, SEC enforcement requires additional disclosure around the event, including meeting minutes, understanding metrics that were being reported and discussed by the board, and how cybersecurity risks are/were actively managed.

This requirement also impacts more than just public companies, as there is likely to be more news on private equity groups and the monitoring of their portfolios. This requirement may be released as soon as this fall.

All About AI

Expectedly, there was significant focus on Artificial Intelligence (AI), its use cases, and the need to govern and control the technology. HITRUST is quickly reacting to the National Institute of Standards and Technology’s (NIST) recent issuance of its first-ever AI cybersecurity framework and is rolling out the HITRUST AI Assurance Program.

Expect to see AI frameworks added to upcoming versions of the Cybersecurity Framework (CSF). With AI quickly becoming an integral part of the healthcare industry, risks associated with the technology were top of mind for many. More than likely, the need to address these risks will grow as AI permeates product offerings, controls, and governance functions, and even HITRUST itself.

The need to understand and govern the lack of predictability of AI and how it formulates outputs was amongst the key themes discussed. As AI capabilities continue to advance, corporate management must determine the most critical business problems to address using this powerful technology. Click to learn how LBMC can help you gain a competitive advantage through AI.

11.2 is coming!

The use of AI technology allows HITRUST to quickly incorporate refreshed and new authoritative sources into the framework. Next up is 11.2, expected on October 10. We are thrilled to hear that 11.2 includes more consolidation (eliminating duplication) and the inclusion of several new sources, most notably those relating to AI: the NIST AI Risk Management Framework (RMF) v1.0 and ISO/IEC 23894.

At some point in the future, in addition to the HITRUST CSF certification, organizations will also be able to obtain a HITRUST AI certification. The HITRUST roadmap is agile enough to address ever-evolving security and privacy needs, and it was great to hear everything in process for v11.3 and v12.

For organizations required to maintain HITRUST and State Risk and Authorization Management Program (StateRAMP) certifications, it was encouraging to hear that HITRUST and StateRAMP are collaborating to allow organizations to achieve HITRUST certification eligibility through the StateRAMP fast track process. The goal of this process is to leverage the HITRUST assessment process to reduce, and potentially eliminate, the need to re-assess an organization for StateRAMP when it has already achieved HITRUST certification.

It should be noted that the intended HITRUST scope is version 11.x r2 with the FedRAMP moderate scoping factors selected. Together, the two organizations will be rolling out a pilot program in the near future.

LBMC is here to help

Whether you are starting your HITRUST journey or have been on this ride for years, LBMC is here to help you navigate these updates. As the leader of the “10-year club” of HITRUST assessors, LBMC stands as the longest-serving assessor in the business with the most experienced team in the industry. We have helped countless organizations reach their HITRUST CSF Certification goal.

Please reach out any time to find out how we can assist you on your journey!

Content provided by LBMC’s HITRUST Practice Leader Robyn Barton and Senior Manager Jesse Goodale.