
For years, HITRUST certification has been closely tied to healthcare. But we recently sat down with Ryan Patrick, VP of Market Research and Strategy for HITRUST, to learn more about the certification and how they’re supporting organizations across a much wider range of industries. From reducing risk to unlocking new business opportunities, HITRUST has become a standard worth considering regardless of your sector. Here are the main takeaways from our conversation.
Reducing risk in a fast-changing threat landscape
HITRUST can have an impressive impact on risk reduction. The gap between the industry average and environments certified by HITRUST is staggering.
“In 2024, only 0.59% of HITRUST-certified environments experienced a breach. Compare that to the industry average of 40–60% in the same timeframe.”
HITRUST provides clear requirements and rigorous quality assurance. Every assessment undergoes multiple levels of review, making it harder for organizations to cut corners. This, of course, makes it more challenging for compliance professionals compared to other industry certifications. But it also works as a clear indicator that your organization is willing to undergo this rigorous process, once you have it.
In the world of security, threats can change on an almost daily basis. HITRUST is able to quickly adapt to new threats. Controls are informed by quarterly threat intelligence and mapped against frameworks like MITRE ATT&CK. That means organizations are evaluated on their ability to defend against today’s attack methods, not the ones in use five years ago.
Not all frameworks in the industry are updated as frequently. For some, it’s only every few years. Without the right combination of certifications, this can leave your organization exposed. HITRUST helps to close that gap by treating security controls as a living and evolving system, continually aligned to the realities of the current threat landscape.
Financial benefits: lower costs and higher ROI
Any certification is an investment. So it’s important to understand what benefits your organization will get in return. “Independent research found that HITRUST certification delivers a 464% ROI,” Ryan noted. “That includes avoided fines, reduced breach costs, and revenue benefits from being seen as a lower-risk vendor.”
This point is critical for compliance leaders making the business case internally. Certification isn’t just an additional cost—it’s an enabler of new revenue and a way to reduce operational risk. For some organizations, HITRUST even helps win deals.
“A ton of organizations, especially in healthcare but increasingly in other sectors, prefer to work with HITRUST-certified vendors. That preference can translate directly into new contracts.” – Ryan Patrick
Efficiency through multi-framework overlap
Most companies aren’t just managing one certification. Many pursue SOC 2, ISO 27001, PCI DSS, HIPAA, or state-level requirements alongside HITRUST. Having these different certifications helps strengthen your security posture. But if they’re all pursued in silos, that’s a recipe for audit fatigue.
HITRUST has a lot of overlapping controls with these frameworks. This means that if you’re HITRUST certified, you’re already halfway there when it comes to other frameworks you might be considering. And the opposite is true as well.
This overlap allows organizations to run multiple certifications in parallel rather than back-to-back, reducing costs, saving time, and preserving team bandwidth.
“If you try to do SOC 2, HITRUST, ISO, and PCI separately, you’ve basically made your entire year an audit.” – Ryan Patrick
Thoropass helps companies put this into practice. By embedding auditors from day one and mapping controls across frameworks in a single platform, we eliminate the duplication that slows traditional firms. For mid-market teams juggling multiple frameworks, that means fewer evidence requests, faster certification, and less disruption to engineers and security staff.
Flexible Paths to Certification
HITRUST isn’t a one-size-fits-all framework. Instead, it offers multiple assessment types designed for organizations at different maturity levels:
- e1 (essentials): 44 core controls, achievable in around 2-4 months.
- i1 (implemented): 182 leading security practices, well-suited to SMBs and growth-stage companies. Achievable in around 6-12 months.
- r2 (Risk-Based): The most comprehensive and rigorous certification, designed for large or complex enterprises. Timeline is around 12-18 months.
Three years ago, HITRUST only offered the r2. “I used to call it a significant emotional event,” Ryan admitted. “Now with the e1 and i1, we’ve made certification more accessible for organizations that aren’t ready for the r2 yet, while still maintaining the rigor organizations need to protect themselves.”
The tiered structure ensures that organizations don’t have to overcommit on day one. They can start with a lighter-weight assessment and grow into more rigorous certifications as their security programs mature.
Industries outside of healthcare leveraging HITRUST certification
HITRUST was born in healthcare, but it has quickly become relevant across industries. Financial services, retail, manufacturing, transportation, higher education, and hospitality companies are all now adopting it. They even have a trucking company getting certified.
Attackers don’t discriminate. The malicious actors out there are using the same tactics regardless of your industry. So organizations in other industries have taken note and decided to get certified. The same controls that help prevent phishing in healthcare help just as much across other industries as well.
By anchoring its controls to threat intelligence rather than industry-specific regulations, HITRUST has positioned itself as an industry-agnostic standard that any organization can use to build resilience and demonstrate trust.
Why This Matters for Thoropass Customers
At Thoropass, we view HITRUST as more than just another certification. It’s a way for companies to:
- Build trust with customers, partners, and insurers by demonstrating rigorous security practices.
- Reduce risk with controls mapped to real-time threat intelligence.
- Save time and money by consolidating multiple frameworks into a single audit cycle.
- Stay future-ready with flexible certification levels.
With traditional audit firms, HITRUST can feel like a process that drains teams of time and energy. Thoropass takes a different approach: combining automation, expert guidance, and in-platform auditors to help companies pursue HITRUST certification alongside SOC 2, ISO, PCI, and others in a single, streamlined process.
To learn more about how Thoropass can help you with HITRUST compliance, talk to an expert today.