The HITRUST Common Security Framework (CSF) is a comprehensive, threat-adaptive standard designed to help organizations strengthen their security programs while building trust with stakeholders.
According to BARR Advisory Senior Attest Services Manager Steve Ryan, HITRUST is “considered the gold standard for healthcare organizations.” But while HITRUST is often associated with the healthcare industry, the framework extends far beyond hospitals and healthcare providers.
Organizations of all sizes and across all industries can benefit from HITRUST. “We have retail organizations that are getting HITRUST certified,” Ryan said in a recent webinar.
In fact, the most common industry among organizations that achieved HITRUST certification in 2024 was software and technology, according to HITRUST’s newly published 2025 Trust Report. More than 37% of organizations that achieved HITRUST certification in 2024 were SaaS or tech firms.
Organizations in the healthcare field made up a quarter (25.9%) of HITRUST certifications last year, followed closely by business services firms, which accounted for roughly 19% of HITRUST certifications.
HITRUST was also a popular compliance framework for organizations in industries including:
Across all these industries, most organizations (62.1%) opted to complete an r2 Assessment, the most rigorous of HITRUST’s three assessment options. According to the Trust Report, 21.9% of all HITRUST customers chose the i1 Assessment, while 16% chose the e1 Assessment, which is the fastest to obtain, but offers the lowest level of assurance.
Among organizations pursuing HITRUST certification for the first time, the e1 was the most popular choice: 60.4% of new HITRUST customers underwent an e1 Assessment.
“Because all of the e1 requirements can be found in the i1 and r2 Assessments, the e1 often functions as an excellent starting point for organizations that want time to implement more robust control environments,” Brianna Plush, senior specialist on BARR’s attest services team, said in a recent webinar. “But for many organizations, the e1 Assessment is their destination. The e1 is often right for startups or organizations that have a lower level of risk that just need to demonstrate that they’ve got the essential cyber hygiene in place.”
So why are businesses in so many different fields choosing HITRUST as a means of assuring stakeholders that their security practices are up to par? Part of what makes HITRUST so effective is its flexibility. With three levels of reporting options, compliance leaders can choose the assessment that best fits their organization’s current needs, and scale up as the business grows.
What’s more, the HITRUST CSF is updated more frequently than other leading security frameworks, meaning organizations that achieve certification are better equipped to withstand emerging threats.
“HITRUST is one comprehensive and threat-adaptive framework,” Ryan said. “HITRUST is continuously looking at the threat environment. They have real-time intelligence, and they’re constantly looking at the threats that are out there.”
For growing organizations aiming to mature their security and compliance programs, achieving HITRUST certification can also carve a path toward other internationally recognized standards like ISO 27001.
Since ISO 27001 auditors aren’t allowed to provide guidance on how to fix issues or mitigate gaps, HITRUST is a great option to serve as a risk assessment ahead of your ISO 27001 audit. Working with a HITRUST Authorized External Assessor like BARR Advisory to remediate security gaps before you begin the ISO 27001 certification process can help you avoid potential nonconformities and make for a smoother certification process.
In addition to ISO 27001, a HITRUST certification can help satisfy the requirements of other security assessments, including SOC 2, PCI DSS, and FedRAMP. For example, the HITRUST CSF was designed to align with the AICPA’s trust services criteria, which underpin all SOC 2 reports. This empowers qualified auditing firms to issue both attestations in a collaborative reporting model.
BARR Advisory is one of a small handful of U.S. firms that are eligible to perform audits against all of the highest-regarded cybersecurity compliance standards, including HITRUST, ISO 27001, SOC 2, and PCI DSS.* This allows us to take a coordinated approach to auditing that minimizes duplication and streamlines the path to compliance.
“Leveraging HITRUST to achieve ISO 27001 certification is a game changer for organizations. This allows for an ‘audit once, report many’ approach, which reduces the amount of resources organizations are required to delegate to achieving an ISO 27001 certification,” Ryan said.
ECS, a leading provider of advanced technology serving both the public and private sectors, leveraged BARR’s coordinated audit approach to achieve compliance with standards including ISO 27001, HITRUST, SOC 1, SOC 2, and PCI DSS, giving them a competitive edge and helping to cement their place as a market leader.
“One of the benefits from our point of view is the consistent approach. We have one team that we’re talking with, we have one team that our team is talking with, and there’s no need for duplication. They know who to go to for what, when, where, and how,” said Sydney Will, GRC project manager at ECS.
By reducing the administrative burden of compliance, ECS was able to focus its efforts on strengthening security measures rather than navigating complex audit logistics.
“From an organizational standpoint, it makes things cleaner for us,” Will said. “Not only does it relieve or reduce some of that administrative burden, but it also helps engrain the security into our culture here at ECS.”
Whether you’re focused on HITRUST or want to expand to other cybersecurity frameworks, navigating the auditing process can be complex—but you don’t have to do it alone. BARR Advisory has helped organizations across all industries achieve compliance while strengthening their overall security postures. Contact us today to get started.
*ISO 27001 certifications are issued by BARR Certifications, the certification body of BARR Advisory.