The Beat Compliance Isn’t Security: The Biggest Cybersecurity Myth in Healthcare (HITRUST Explained)
In this episode of the Cybersecurity at ViVE series on The Beat Podcast, host Sandy Vance sits down with Shreesh Bhattarai, Director of HITRUST at A-LIGN, for a candid and practical conversation about one of the most misunderstood topics in healthcare cybersecurity. With nearly a decade of experience building one of the highest-volume HITRUST assessment practices in the market, Shreesh breaks down the difference between checking a compliance box and actually being secure, walks through the three levels of HITRUST certification, and shares what organizations need to do right now to prepare for an AI-driven future. Whether you are just starting your compliance journey or managing nine certifications with a team of five, this episode has something for you.
In this episode, they talk about:
- Compliance is the baseline, not the finish line, and treating it as a once-a-year exercise is a serious mistake
- The biggest risk in compliance is not failing the audit, but passing it while still being insecure
- HITRUST has three certification levels: E1 (crawl), I1 (walk), and R2 (marathon)
- Organizations should choose the certification that matches their risk profile, not just go for the biggest one
- The best audits are boring because everything is already embedded in day-to-day operations
- HITRUST's "audit once, report multiple times" approach eliminates duplicative work across frameworks
- AI governance plans are no longer optional; shadow AI is a real and growing risk
- HITRUST now offers an AI cybersecurity assessment to help organizations put guardrails around AI use
A Little About Shreesh:
Shreesh Bhattarai is Director and HITRUST Practice Lead at A-LIGN, where he works at the intersection of cybersecurity assurance, regulatory pressure, and business growth. Since 2017, he has led more than 500 HITRUST certifications and assessments across healthcare, digital health, and high-growth technology organizations. Shreesh partners directly with CEOs, CISOs, and executive teams navigating increasing scrutiny from regulators, customers, and third parties. He is known for challenging the “check-the-box” compliance mindset and reframing HITRUST as a strategic trust mechanism — one that strengthens security posture, accelerates enterprise sales, and reduces third-party risk friction. He leads a national team of security professionals within A-LIGN’s HITRUST practice and regularly speaks on the evolution of compliance in healthcare at forums including ViVE, Health and HITRUST Collaborate. Prior to A-LIGN, he was part of the audit practice at Ernst & Young, focusing on SOX 404 and SOC engagements.
