Modernizing Compliance In Healthcare

By George Totev, CISO, Trustero

Last week the Trustero team was at HIMSS in Las Vegas. It is one of the largest medical technology conferences in the world. Unsurprisingly, there were quite a few information security companies around us. Also unsurprisingly, AI and its use was at the center of the discussions. More specifically, AI agents and assistants were everywhere, including in security and compliance. In the next 6-12 months we will probably see every function within security affected by this. Naturally, our message about the benefits of a GRC AI Assistant resonated quite well, especially given the audience - highly regulated, complex, international businesses.

Let me share some key points from my presentation, along with some reflections on the relevant discussions the Trustero team and I had.

There are other regulated industries, but healthcare is special. If something goes wrong, people could literally die. That is why many aspects of compliance are deeply operationalized. In contrast with some other industries, many aspects of the compliance programs were built around manual processes, with heavy reliance on paper. At the same time, the healthcare industry is going through a major transformation - from manual, paper-based processes to modern technology, including AI. The healthcare business is evolving quite quickly and the risk landscape is changing rapidly; inevitably, more regulations will follow. I have said it before - our traditional GRC approach is not sustainable - but, after the conference, I am very confident that this statement especially applies to the healthcare industry.

Compliance Complexity is Outpacing Human Capacity

Healthcare’s compliance landscape isn’t standing still. Regulations evolve. Business processes change. Data flows expand. And every new vendor, system, or workflow adds complexity.

Traditional compliance tools weren’t built for this pace. They do a great job of cataloging artifacts - risks, policies, controls, tests, evidence, etc. - as well as the links between them and the associated workflows. They have been extremely helpful in keeping us organized and in project-managing various tasks. This works well when we deal with a relatively static environment - the business is predictable, the complexity is well understood, the pace of change is slow, we can do a couple of audits per year and focus on (relatively) continuous monitoring of some key controls.

However, once the pace of change picks up - because of a quickly evolving business, competitive landscape, regulations, etc. - that model does not scale well. It relies heavily on people to monitor, analyze and act on every single change, no matter how small it is. At the same time, in a complex system the downstream effects of a small change can be significant. We do not have one person who understands everything about every system in the environment. Inevitably, we have to involve more than one person, (find and) refer to documentation (hoping that it is current, complete and reliable), call meetings, etc. According to recent studies, 60%-70% of GRC team time is spent on such mundane tasks, which are nevertheless important and have to be done. I spoke with quite a few people and they all dreaded audit readiness time. While some of them had interesting approaches - spread the tasks over the audit period, crowdsource or automate the evidence collection, focus on key areas only, etc. - they were all chipping away at the problem rather than solving it.

Large, complex, rapidly changing datasets are the domain of AI. We need GRC AI Assistants. They could help us not only to reduce the mundane workload and allow us to scale, but also to become a true business partner for the rest of the organization.

AI-Driven Compliance Assistants

At Trustero, we’ve pioneered the concept of a GRC AI Assistant — an intelligent compliance partner, purpose-built to manage the real-world complexity healthcare organizations face.

What makes a GRC AI Assistant different?

  • It integrates directly with your existing GRC tools — so you don’t have to rip and replace. We leverage the existing organizational and workflow capabilities of a traditional GRC tool that is already deployed and well integrated into your environment and combine it with the analytical power of AI.
  • It continuously analyzes your compliance posture — identifying gaps in real time across all active frameworks. This is not a new concept; we all know how effective this approach is. Unfortunately, we cannot achieve it with a traditional approach - it would require too many people.
  • It learns and improves — applying intelligence across questionnaires, audits, and control monitoring. You have an assistant that knows everything about your environment, and it is up to date.

There are many areas where a GRC AI Assistant could make a difference. In my presentation I focused on two common examples:

  1. Continuous Monitoring — Audit-Readiness Every Day
  2. Questionnaire Automation — Removing Sales Roadblocks

There are many other use cases where a GRC AI Assistant can be helpful - gap assessments for onboarding new frameworks, analyzing policy and control changes, etc. - all areas where we need to draw on large datasets and perform serious analysis.

A Roadmap to Modern Compliance

For organizations wondering where to start, here is a practical, phased approach to modernization — one that reduces operational burden and risk. In general, I am biased toward small, meaningful and consistent progress instead of larger, more risky initiatives.

A typical roadmap for GRC AI Assistant adoption includes:

  1. Cataloguing your artifacts and workflows in a single source of truth. It does not necessarily need to be a specialized, off-the-shelf GRC platform; a collection of documents would suffice. In fact, this flexibility is one of the strengths of the Trustero GRC AI Assistant - we can work with anything.
  2. Identifying pain points and building a data-driven business case for change. Spending too much time answering questionnaires? Start there. Audit readiness jeopardizing other projects? That could be your initial step. The benefit is progressive - by adding a bit more information you open up more use cases.
  3. Running a proof of concept to see the real-world impact of automation. The POC approach has a lot of merit in traditional systems adoption; with AI Assistants it is paramount. In fact, you will start receiving benefits even during the POC, before the actual implementation.
  4. Evaluating vendors not just on features, but on healthcare-ready security and AI capabilities. You have to augment your traditional TPRM areas, like data and process protection, with AI-related concerns. How does the vendor ensure consistency, accuracy, and authenticity? How is the tool protected against prompt injection, jailbreaking, etc.?
  5. Moving to continuous monitoring for always-on compliance — not just point-in-time audits. You can do this in stages as well. For example, start with automated controls, or with the controls under a single policy, or with the controls related to a particular department, etc.

Why This Matters

Healthcare data is some of the most sensitive data in the world. Compliance is not just about satisfying auditors — it’s about protecting patient trust and ensuring clinical innovation isn’t slowed by compliance friction.

At Trustero, we believe the future of healthcare compliance is AI-driven, continuous, and proactive — enabling compliance teams to work smarter, not harder.
