ITSPmagazine Podcasts

Discovering The Key to Secure and Seamless Healthcare Data Sharing | A Brand Story Conversation From HIMSS 2025 | A HITRUST Brand Story with Ryan Patrick

Episode Summary

Ryan Patrick, VP of Adoption at HITRUST, joins the conversation following HIMSS to share how HITRUST is helping healthcare organizations strengthen security, manage third-party risk, and support interoperability with a tiered approach to assessments. With record-breaking attendance at HIMSS, the discussion highlights why organizations are turning to HITRUST for scalable, efficient ways to navigate compliance and protect patient data.

Episode Notes

The HIMSS Global Conference brings together healthcare professionals, technology providers, and industry leaders to discuss the most pressing challenges in healthcare. One of the key conversations this year focused on security, risk management, and the role of HITRUST in ensuring trust across the healthcare ecosystem.

HITRUST’s Expanding Role in Healthcare Security

Ryan Patrick, VP of Adoption at HITRUST, joined the discussion to share insights from the conference floor. One of the most striking takeaways was the sheer scale of engagement—attendance at HIMSS was at an all-time high, reflecting a growing focus on healthcare security and compliance. Organizations across the industry are looking for solutions that support innovation while maintaining security, and HITRUST is at the center of those conversations.

A common misconception about HITRUST is that it only provides a single, rigorous cybersecurity assessment. Patrick clarified that HITRUST now offers a tiered approach, including the E1 (entry-level), I1 (intermediate), and R2 (comprehensive) assessments, allowing organizations to align their security and compliance efforts with their level of maturity. The E1 assessment, in particular, has gained rapid adoption as organizations look for a scalable way to demonstrate security and compliance without the complexity of a full certification process.

The Role of HITRUST in Third-Party Risk Management

With interoperability becoming a priority in healthcare, third-party risk management is a growing concern. Many healthcare organizations work with hundreds—if not thousands—of vendors, and ensuring security across this extended network is critical. Patrick emphasized that HITRUST is not just a cybersecurity framework but a tool for managing third-party risk at scale. HITRUST assessments provide structured, standardized data that can be integrated into risk management platforms, allowing organizations to evaluate their vendors with greater efficiency and confidence.

As discussions around security and compliance continue, Patrick encourages healthcare organizations to educate themselves on the full range of HITRUST offerings. Whether an organization is starting its security journey or looking to optimize third-party risk management, HITRUST provides a structured path to achieving trust and resilience.

Learn more about HITRUST: https://itspm.ag/itsphitweb

Note: This story contains promotional content.

Guest: Ryan Patrick, Vice President of Adoption at HITRUST | On LinkedIn: https://www.linkedin.com/in/ryan-patrick-3699117a/

Hosts:

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber] | On ITSPmagazine:  https://www.itspmagazine.com/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast | On ITSPmagazine: https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Learn more and catch more stories from HITRUST: https://itspm.ag/itsphitweb

____________________________

Resources

Learn more and catch more stories from HIMSS 2025 coverage: https://www.itspmagazine.com/himss-2025-health-technology-and-cybersecurity-event-coverage-las-vegas

HITRUST 2025 Trust Report: https://itspm.ag/hitrusz49c


Episode Transcription


[00:00:28] Sean Martin: Marco, 
 

[00:00:30] Marco Ciappelli: Sean, are you still in Vegas? 
 

[00:00:32] Sean Martin: I made it back. 
 

[00:00:33] Marco Ciappelli: Yeah, 
 

[00:00:34] Sean Martin: Made it back safe and sound. 
 

[00:00:36] Marco Ciappelli: There you go.
 

[00:00:36] Sean Martin: So, so safe and sound because I didn't even go. 
 

[00:00:39] Marco Ciappelli: There you go. That was the joke. 
 

[00:00:41] Sean Martin: I limit, I eliminated the risk completely. I'm just not going to 
 

[00:00:44] Marco Ciappelli: When you don't go, it's easy. It's easy to get there. It's easy to come back. Although I missed the drive. I gotta say, I missed the drive that we used to do together to go to Vegas. So, uh, maybe next time. But, you know, we have somebody that actually was there and there was HIMSS.
 

[00:01:02] Sean Martin: Was HIMSS in Las Vegas, and I mean, often you hear, and I think it's true, especially when you talk about Vegas, it's about the journey, not necessarily the destination. But unless you're going to HIMSS to meet the team at HITRUST, including, uh, Ryan Patrick. How are you, Ryan?
 

[00:01:20] Ryan Patrick: Living the dream, living the dream. You know what they say, Sean, it can't stay in Vegas if you don't stay in Vegas. So just keep that in mind. 
 

[00:01:28] Sean Martin: That's right. That's right. Things leak sometimes. But, uh, you had a good week there. A lot of conversations, as I know. And, um, I think obviously we talked a bit before you went to Vegas about what you were hoping to talk about. Did, uh, were your expectations met about what people wanted to, uh, wanted to rap about with respect to HITRUST?
 

[00:01:56] Ryan Patrick: Yeah, I mean, I'll start off with in the nearly decade of HIMSS attendance that I have had, this was probably the most well attended show that I've seen in a really, really long time. I mean, the hallways were packed, the exposition floor was packed, the session rooms were packed. It was, it was really energizing to see all the people and, you know, understand that they're all kind of trying to work together to figure out how to solve multiple problems within the U.S. healthcare industry.

And like I said, it was really energizing. I was pleasantly surprised to see the amount of people there and the amount of folks that did come to talk to us at our booth. And the conversations really spanned from: How do you spell HITRUST? Like, what do you all do? How do I get in on this stuff? Because that's where I need to go. Or that's where my organization is heading in. So, I mean, everything in between. It was, it was a really great show.
 

[00:02:56] Marco Ciappelli: Well, I think going to a show with, with the intention to get answers to what the problem may be or getting a look into what the main topics and, and then getting prepared. It's something that I think an organization like HITRUST, it should be happy to know. It's not a show about, hey, let's talk about me and what I do as a company.

But let's, let's talk of what is this scenario? What is the reality? And what can we do all together, including HITRUST? So is this the kind of conversations that, very
 

[00:03:32] Ryan Patrick: For sure. I mean, if you think about the types of people and the types of organizations that attend shows like HIMSS, it's not a cybersecurity show, right? So it's not all about HITRUST. It's not, you know, organizations trying to figure out what do they need to do from cyber security perspective there. There's some that are legitimately trying to improve the patient experience, improved patient care, innovating from interoperability perspective to help, you know, whether it be providers or whomever, just do a better job in the very foundation of what health care is doing.

So, you know, it's really interesting for me to have conversations, the conversation walk from booth to booth, and see how HITRUST is an enabler of all of those things, because if you think about the idea of, you know, what the folks in the industry are doing around interoperability and making patient record accessible, regardless of where your provider is and versus where you're at physically, you know, none of that happens if security isn't at the foundation, right?

The biggest thing from an HIE perspective for interoperability is the availability of data. If these are not able to actually transmit data, then it defeats the whole purpose of what they're trying to do. And HITRUST, I would argue, is like a key component of that because we have proven that our assessments and ultimately the certification reduces risk and becomes that force multiplier so that the really smart people who are trying to solve complex health care problems can actually do that without having to look over their shoulder and worry about whether there's going to be some kind of breach, or is the data not available because we've been ransomware, what have you.

So it was just really interesting for me to see how we fit into almost every puzzle that everybody else within health care is trying to solve.
 

[00:05:39] Sean Martin: And we're, I know I saw one post that kind of leads me to this next question around what, what is HITRUST? Obviously the, the, the name is known, maybe not the spelling as you pointed to before we started recording, but, um, certainly HITRUST is known, connected very well into the healthcare ecosystem as a way to manage and mitigate risk and, and, and raise the posture of security for organizations.

Um, but were there misconceptions still that you hear from folks? You talk about being an enabler, but as soon as you, for many folks, you bring up the word, uh, regulation or, or, uh, industry policies, people's hair just starts to go on fire, right, with, oh my gosh, all this extra stuff I have to do. I don't know, were there any misconceptions, one of them is cosmic, I don't know, any other misconceptions that, uh, you heard that, uh, surprised you and were maybe happy to, to have folks understand a little better?
 

[00:06:43] Ryan Patrick: Yeah, unfortunately, none of the misconceptions surprise me at this point. I probably heard them all. I've been working with HITRUST for over a decade at this point, but it's, I guess what's surprising to me is folks still haven't heard about the full portfolio of assessments, right? Because historically, for the first 15 years or so of HITRUST's existence, we had one assessment, which is currently named the R2, which is what I call the significant emotional event that most people equate HITRUST to.

It's really robust. It's really rigorous. There's lots of controls, and with a lot of controls, what happens? A lot of time, effort, money have to go into that. And within the last 3 years, we've released 2 other assessments. Think about them: if the R2 is, you know, the most comprehensive or the high assessment, we have a medium assessment and a low assessment to really meet organization where they're at in their security journey. So, the low is 44 requirements, can be done in a matter of weeks, maybe a few months, depending on the maturity of the organization, and the cost is equitable to the amount of effort and time that goes into that.

So there are options really for any organization of any size and any maturity level from cybersecurity and to a certain extent of privacy perspective, because we've, we've created these additional options that I, I do find that people are not aware of, which is, I guess, to contradict myself, a little bit surprising at this point, uh, because they're a great tool.

And I will tell you that the E1, our low tier assessment, is actually the fastest growing assessment that we have right now. So some people are catching on. But there's probably still a ton of homework and a lot of work we can do to educate folks with these options that are available to them.
 

[00:08:45] Sean Martin: I know one, uh, quickly, Marco was, uh, you mentioned before we were recording as well, the, um, the, uh, third party risk, which obviously when you talk about interoperability, we're talking about third and parties, uh, quickly thoughts on that.
 

[00:09:03] Ryan Patrick: Yeah, I mean, if you look at HITRUST, I will tell you that we are a TPRM company. I may not always be agreed with on that, but if you look at what we're doing, we're building trust between organizations. And that's the very nature of what third party risk management is about, is understanding where this business partner, vendor, supplier, whomever they are to you, where they're at in their security journey. Are they mature enough? If they're not mature enough, what's their plan to become more mature? That's really what HITRUST has been doing for 17 plus years, is demonstrating maturity and establishing trust, or at least establishing visibility.

And what I did find really satisfying, if you will, is I have more and more folks at HIMSS, whether it be from providers, some payers and other health care adjacent, whether they be health tech firms or other types of firms out there, who are now looking at leveraging HITRUST within their 3rd party risk management programs, right? Because if you think about what's being used historically, there's a lot of variability, and for the most prominent one, the most prominent assessment here in the U.S., there's a lot of questions about the quality of those assessments, whereas, because HITRUST has centralized all of its quality assurance, we have standardized on our assessment methodology and the assurance program that goes into each and every assessment. Those problems are not, uh, apparent for HITRUST, and more and more organizations are starting to learn that.

And if you think about how we have built tools on the back end of getting HITRUST certified to provide the result in an automated fashion, and oh, by the way, you can ingest that into your TPRM module of choice or GRC tool of choice, it makes the actual analysis of that vendor that much more efficient. And if you think about most midsize organizations have hundreds, if not thousands of vendors, it makes managing and assessing the total vendor pool that much easier because you're not having to dig through a 2 to 500 page PDF. You actually, you're, you're pulling in structured data, which you can then manipulate based on your risk tolerances, based on what controls you want, what's happening in the industry today. Like, it gives you so much more capability, and with the advent of AI, you may be able to layer AI on top of this structured data, just to enrich it even more to understand where do you need to pay attention to.

And a lot of the conversations that I had at HIMSS were along those lines: How can I use the results of HITRUST in my TPRM program in a more efficient way?
 

[00:12:08] Marco Ciappelli: Good. I'll tell you what, in one year, there'll be another one of HIMSS. I'm looking at the date. It's actually literally one year, like March 9th to the 12th, 2026, still in Las Vegas. And, uh, but people do not need to wait an entire year to meet with you guys because they can do that every day, 365. So what, what is the call to action, people listening to this conversation? Or maybe they've been on HIMSS, maybe they haven't, but they're like, you know what? I want to talk with these guys. I want to talk with the HITRUST. I want to learn how to spell that name and I want to learn what I can do with that. So what can they do?
 

[00:12:49] Ryan Patrick: Yeah, I mean, obviously go to HITRUSTalliance.net as a starting point. That's our website. It'll break down if you're unfamiliar with how the framework works or how our assessments work. It'll talk about the other enablers that we have. Think about shared responsibilities with cloud providers. Talk about that results distribution system that I was just referring to.

There's a wealth of information on our website. But feel free to reach out to me, reach out to my colleagues at HITRUST, dig in, ask us the tough questions, because you know what, this is not a small undertaking from a, you know, change perspective, meaning if you have been, you know, focused on SOC 2, or you've been focused on NIST, or what have you, this is different, and that's okay.

But what I find is that most organizations have not educated themselves on exactly what HITRUST is and how it works. And I encourage everybody, like I said, hit the website. Email me directly, find me on LinkedIn, follow me on LinkedIn. I'm constantly posting about HITRUST to further educate the market on the things that we're doing, because we're constantly innovating.

We're trying to tackle real problems and, uh, you know, kind of look ahead and see where we can start to influence, uh, the market to ease their pains in the future, if you will.
 

[00:14:14] Sean Martin: Well, uh, if you, if you're listening and don't know what HITRUST is, go check it out. Look at the services and offerings. If you think you know what it is, have a go, have a go at the site and connect with Ryan and the team, because you might learn something, that they do continue to innovate as, as you put, Ryan, and, uh, and you might be surprised at what, uh, what you find they can do for you, uh, along your, your own journey, which is unique to your own organization.

So Ryan, thanks for giving us an update on what you heard from HIMSS and, uh, hope, hope the conversations keep going for you and everybody listening, watching. Hopefully Marco and I get to see you in person at HIMSS next year, we'll, uh, we'll make that drive to Vegas.
 

[00:14:56] Ryan Patrick: Please do.
 

[00:14:57] Sean Martin: Yes. And in the meantime, uh, stay tuned on location with Sean and Marco much more coming, uh, do subscribe, thumbs up. 
 

Marco was giving me, I was following your cues there for those watching. I was like, 
 

[00:15:10] Marco Ciappelli: Italian.
 

[00:15:11] Sean Martin: You don't do that. I'm like, what's he doing there? Uh, so have some fun with us, have some fun with Ryan and, uh, work toward your HITRUST certification. Thanks, everybody.
 

[00:15:21] Marco Ciappelli: Thank you, Ryan. Always a pleasure. 
 

[00:15:23] Ryan Patrick: Thanks.