The Importance of HITRUST in Building Trust in Healthcare
By Kevin Heineman, Chief Information Security Officer, Lyric
In today's digital, interconnected data supply chain, healthcare organizations are facing increasing challenges in safeguarding sensitive patient data against cyber threats. The industry is continuously targeted with phishing, ransomware, and other malicious attacks, and these attacks continue to increase year over year. According to the Office of Civil Rights, the number of healthcare records breached surged 146% to 133 million records from 2022 to 2023. With several high-profile breaches in 2024, this number is expected to be significantly higher by the end of the year. Furthermore, the average cost of a healthcare data breach has grown to $10 million in 2024—twice the average of all other industries. These statistics underscore the need for comprehensive data security measures to protect sensitive information.
While there are many controls, frameworks, and approaches that this article could focus on to build out a comprehensive cyber program, we will specifically address the role of compliance in an effective cyber program: improving the effectiveness of cybersecurity through the HITRUST CSF.
The Health Information Trust Alliance (HITRUST) provides a framework designed to help organizations effectively manage data security and compliance. The HITRUST Common Security Framework® (CSF) integrates over 50 different regulations and standards, including HIPAA, NIST, SOC 2, PCI DSS, and ISO, creating a comprehensive model for managing cybersecurity risks. HITRUST offers several different certifications to fit different organization types and sizes. In the most rigorous certification, HITRUST r2, the “r” stands for “risk” and the “2” indicates the certification is good for 2 years (an interim assessment is required after year 1).
HITRUST r2 certification signifies that an organization has implemented, maintained, and can demonstrate a robust set of security controls aligned with industry best practices. This certification process involves a thorough evaluation of an organization's policies, procedures, and technological safeguards, ensuring that they meet the stringent requirements of the HITRUST CSF across 19 cybersecurity domains.
Healthcare organizations often have complex data supply chains and must collaborate with several partners and vendors to achieve their business objectives. A HITRUST r2 certification streamlines due diligence processes when forming new partnerships by providing assurances that the sensitive data that is being shared will be protected with industry best practices. In other words, HITRUST certification establishes a shared commitment to data security and protection. For example, a healthcare organization with HITRUST certification can assure its partners that it adheres to high standards of security, making it an attractive collaborator in an increasingly interconnected industry. This not only strengthens existing partnerships but also opens doors for new opportunities.
In a competitive market, having HITRUST r2 certification can also set organizations apart. With so many healthcare providers vying to be part of the data supply chain, organizations that have achieved HITRUST r2 can showcase a commitment to data security, which can be a deciding factor over organizations that have not. A robust cybersecurity posture, evidenced by HITRUST certification, positions organizations as leaders in the field.
Lyric is proud to have achieved HITRUST r2 certification for our market-leading pre-pay editing solution ClaimsXten®. It sends a clear message to our valued customers and partners that we are committed to security, privacy, and compliance. In a time when healthcare organizations face significant cyber threats, achieving HITRUST r2 certification helps us bolster our cybersecurity posture while helping health plans unlock value and improve results across their payment integrity chain.
About Lyric
Lyric is the payment integrity AI company trusted by the nation's leading health plans at the beginning of the claims payment workflow. The Lyric platform is built on AI from the ground up and trained on 35 years of clinical expertise with real-time integrations across 190 million lives. Lyric reduces wasted healthcare spending and ensures fast, accurate payments that drive transparency between payers and providers. Lyric is recognized as the 2025 Best in KLAS for Pre-payment Accuracy and Integrity.