Healthcare Cybersecurity Strategy: Using HITRUST to Reduce Risk and Accelerate Contracting

Summary

Healthcare cybersecurity leaders face rising pressure and burnout due to emerging technologies and outdated data protection standards, making HITRUST the preferred solution to balance compliance, security, and innovation.

AI might be all the rage, but attackers are using it in highly sophisticated ways to get access to healthcare data. This and other potential harms have left many healthcare cybersecurity leaders facing rising pressure and burnout, from expanding attack surfaces and relentless audits to rising executive expectations for digital transformation.

What is an attack surface? It is every potential vulnerability, known or unknown, through which unauthorized access or data exfiltration could occur across the digital, physical, and human domains of an organization.

Today, healthcare cybersecurity must do more than check regulatory boxes. It must actively protect data, accelerate contracting, and strengthen enterprise resilience, all while helping leaders do their jobs well.

In a recent Health Catalyst webinar, Devin Shirley of Arkansas BlueCross BlueShield and Ryan Patrick of HITRUST shared how CISOs and IT teams are using cybersecurity frameworks to transform healthcare data security compliance into a strategic advantage.

This article explores their insights.

The Regulatory Pressure Reshaping Healthcare Cybersecurity

It’s been nearly three decades since HIPAA was signed into law and two decades since the passage of the HITECH Act, and healthcare leaders are questioning how HIPAA’s aging framework can address today’s security threats arising from new technologies:

  • AI.
  • Healthcare analytics.
  • Data sharing and interoperability tools.
  • Telehealth and virtual care.

There is growing buzz about the potential regulatory changes to data protection, business associate requirements, and proactive security expectations for organizations, but timelines remain unclear.

Patrick said he’s not convinced the industry will see an update to HIPAA in the near term, but that doesn’t mean healthcare leaders shouldn’t be paying attention to it now.

“Compliance is never perfect. But you should approach both security and protection changes by prepping for them now.”—Devin Shirley, Chief Information Security Officer, Arkansas Blue Cross Blue Shield

Healthcare Cybersecurity Regulations to Watch in 2026

Experts predict four potential changes in cybersecurity:

  1. Health and Human Services HIPAA Security Rule NPRM (Jan 6, 2025): A proposed major overhaul to require more prescriptive, mandatory cybersecurity controls for covered entities and business associates.
  2. Enforcement and Scrutiny Beyond HIPAA: State and federal agencies are increasing enforcement of data sharing, third-party disclosures, and deceptive privacy practices.
  3. Interoperability/Prior Authorization and Data Access Rules (CMS): Rules that mandate improved data exchange and prior-authorization automation continue to shape data flows and vendor contracts.
  4. Regulatory Focus on AI, Analytics, and Telehealth Vendors: Expect guidance and enforcement around safe, explainable use of patient data.

Without solid control sets, healthcare organizations risk falling behind the moment new rules take effect.

Why Compliance-Driven Healthcare Cybersecurity Causes Burnout

Healthcare organizations juggle multiple, and often conflicting, enforcement frameworks across different control structures, languages, and audit expectations, including those associated with:

Overlapping requirements often trap teams in audit cycles, leaving little time for strategic planning. Fatigue is escalating for two main reasons:

  1. Organizations are under constant threat of breach.
  2. Small teams handle extensive data management workloads.

How HITRUST Improves Capacity in Healthcare Cybersecurity

HITRUST helps healthcare organizations comply with regulations, manage risks, and protect information. The HITRUST® Common Security Framework (HITRUST CSF®) leverages national and internationally accepted standards, including International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and PCI.

HITRUST’s certifiable framework is the industry standard for:

  • Safeguarding sensitive healthcare data.
  • Protecting organizations.
  • Preventing severe financial losses.

How to Assess Healthcare Cybersecurity Maturity

HITRUST also provides clear, measurable insights into program strength and maturity. Key contributors to an organization’s overall cybersecurity health include:

  • Strong oversight of third-party vendors to help prevent new compliance risks.
  • A readiness mindset to close compliance gaps and meet evolving regulations.
  • Risk management that allocates the right resources and people to cybersecurity priorities.
  • Digital health privacy and security standards to protect patient data.

“The HITRUST audit will free teams up to get back to doing the hard work of operating the security program instead of continuous compliance. HITRUST gives you a quantifiable breakdown of how strong your program is. Are you improving or getting worse year over year? The HITRUST framework reports tell you that while tracking metrics and KPIs.”—Ryan Patrick, VP of Adoption, HITRUST

Building a Scalable Healthcare Cybersecurity Strategy

Start by asking the most important question: What risk to our business are we willing to tolerate? Then align your strategy with these five recommendations:

  1. Identify the framework that best suits your business and meets baseline customer expectations.
  2. Collaborate across teams and vendors to build trust and drive accountability.
  3. Establish success metrics early and track year-over-year control maturity.
  4. Maintain audit consistency to support long-term progression.
  5. Don’t aim for perfection. Focus on continued growth, risk reduction, and readiness.

Frameworks like HITRUST provide teams with a practical roadmap for operationalizing data security.

How Healthcare Cybersecurity Drives Executive Buy-In and Revenue Protection

Driving buy-in for healthcare cybersecurity requires understanding the human side of security strategy. That means framing the approach in business terms rather than technical ones. For healthcare executives, two outcomes are equally important: risk reduction and contract velocity.

Teams should therefore connect security efforts to tangible business outcomes, such as:

  • Breach avoidance and prevention.
  • Regulatory fine avoidance.
  • Cyber insurance premium credits.
  • Revenue opportunities tied to a stronger security framework.

Patrick noted that momentum to adopt HITRUST grows as leaders understand its benefits:

  1. Concrete metrics and clear remediation guidance.
  2. Actionable insights to better manage risk.
  3. Faster contracting with partners and vendors.

Three Must-Haves for Your Cybersecurity Strategy

Healthcare cybersecurity is no longer just a technical safeguard, but a strategic business asset. With frameworks like HITRUST, organizations can standardize healthcare data security compliance, reduce audit fatigue, and create measurable improvements in risk posture and security maturity.

Choose your cybersecurity framework wisely; it becomes the backbone of your data platforms. As you approach this work, incorporate the following:

  • Flexible Thinking. Cybersecurity assessments should take time; be skeptical of a vendor offering short turnarounds.
  • Open Communication. Keep stakeholders informed so teams stay aligned with goals, risks, and outcomes.
  • Vendor Partner. Find a partner who stays up to date with emerging controls, especially AI-related requirements.

Ready to explore how HITRUST can protect your patients and your organization while unlocking the full potential of digital health? Contact our expert team today to learn how Health Catalyst can help you move beyond reactive compliance to proactive cyber resilience.