By: Scott Ross
For those who have been in healthcare IT and security as long as I have, you know how much the conversation around security has changed. Simply saying that you take data security seriously isn’t enough. Patients, providers, and regulators expect proof that you do, and for good reason. The stakes are high, and the risks are real.
For us, certification by an independent auditor, using a tried and tested framework tailored to healthcare, is a way to substantiate our commitment with action. Our HITRUST r2 validated certification across our arrive Navigate, arrive Accelerate, and arrive Collaborate platforms shows that we meet one of the toughest standards in healthcare security, and that we continue to hold ourselves to that mark year after year.
What HITRUST Actually Is
The HITRUST CSF is a framework that pulls together leading security standards such as HIPAA, NIST, ISO, and CIS into one structure.
This matters because most organizations already face a patchwork of audits and documentation. By pulling together the most common frameworks into one, HITRUST simplifies this work and makes it easier to keep security efforts consistent and aligned.
Why the r2 Certification Stands Out
The r2 Validated certification is the most in-depth assessment offered by HITRUST. It requires an independent audit and a review by HITRUST. In practice, that means someone looks not only at your policies but also at how well those policies are actually implemented.
To give a sense of scale:
- HITRUST r2 (in our most recent assessment) covers more than 550 controls across 19 domains
- SOC 2 covers about 80 controls
- ISO 27001 reviews around 100 controls
Different frameworks serve different purposes, but HITRUST stands out by going deeper into operational reality while also covering a broader range of inputs than most.
Proof That Keeps Going
One of the things I value most about HITRUST is that it is not a one-time exercise. Every 2 years, the full certification is reassessed against the latest HITRUST CSF, which is constantly updated. In the interim year, a randomly selected portion of the controls is retested. That cycle forces organizations to keep improving, and the numbers back this up. According to the 2025 HITRUST Trust Report:
- In 2024, fewer than 1 percent of organizations holding HITRUST certification experienced a breach, underscoring the framework’s effectiveness in reducing security incidents.
- Groups that went through recertification cycles required significantly fewer fixes the second time, showing how the process drives lasting improvements.
- Certified organizations also tended to resolve security issues more quickly, often cutting remediation times by half compared to peers without HITRUST in place.
We have held a HITRUST r2 certification since 2020. For us, it is less about earning a certificate and more about using the framework to keep pace with evolving risks.
Why It Makes a Difference for Partners
If you have ever been through a vendor security review, you know how much work it can be. Questionnaires, spreadsheets, review meetings, follow-up questions: the process is demanding.
HITRUST helps take weight off that process. Because it maps to other frameworks like HIPAA, NIST, and ISO, a large share of your partners’ standard due diligence questions are already answered. That means less duplication, shorter timelines, and a framework for trust between organizations.
Why It Should Matter to You
If you are responsible for selecting or managing technology vendors, HITRUST r2 certification gives you confidence that the potential partner will meet your security requirements. It reduces the time you spend on assessments, lowers risk, and signals that a partner is operating at a high level of discipline.
For healthcare organizations, that translates into:
- Faster, smoother vendor reviews
- Less redundancy in compliance efforts
- A stronger overall security posture
Final Thought
In healthcare, trust depends on security. HITRUST r2 certification is one of the clearest ways to show that trust is being earned, checked, and proven, not just promised.
At Arrive Health, we see security as a responsibility, not a marketing point. It is reflected in how we approach our work with clarity, accountability, and a steady focus on protecting the patients and providers we all serve.
If your organization is evaluating technology partners, I encourage you to look beyond the checkbox and dig into how those partners prove their commitment to security. HITRUST is one of the strongest ways to do that, and we are always open to sharing what we have learned on our own journey.
If you’d like to learn more about our security approach, connect with Scott Ross at Arrive Health.
References
- HITRUST Alliance. (2025). HITRUST Trust Report. Retrieved from https://hitrustalliance.net
- U.S. Department of Health & Human Services. Health Insurance Portability and Accountability Act (HIPAA). Retrieved from https://www.hhs.gov/hipaa
- National Institute of Standards and Technology (NIST). Cybersecurity Framework. Retrieved from https://www.nist.gov/cyberframework
- International Organization for Standardization (ISO). ISO/IEC 27001 Information Security Management. Retrieved from https://www.iso.org/isoiec-27001-information-security.html
- Center for Internet Security (CIS). CIS Controls. Retrieved from https://www.cisecurity.org/controls
- American Institute of Certified Public Accountants (AICPA). SOC 2 Reporting. Retrieved from https://www.aicpa.org/soc4so