
Choosing the Right Security Framework: Why One Size Doesn’t Fit All (and How to Fill the Gaps)
Published On February 21, 2025
by Bethany Page Ishii
When conducting a security risk assessment, organizations often grapple with selecting the best framework to guide their assessment. Popular options such as the NIST Cybersecurity Framework (CSF) 2.0, HITRUST, NIST 800-171, ISO 27001/27002, and NIST 800-53 all offer structured methodologies to assess and improve security posture. For healthcare organizations, however, security risk assessments (SRAs) must consider regulatory perspectives—including compliance with HIPAA, evolving government expectations, and risk factors identified in past enforcement actions.
However, every cybersecurity framework has inherent limitations: areas it does not explicitly address, or emerging technologies it may not yet incorporate. To achieve a truly comprehensive assessment, organizations must adopt a broader perspective that goes beyond the constraints of predefined security frameworks, ensuring that all critical risks and evolving threats are thoroughly addressed.
Key Factors for Choosing the Right Security Framework
Choosing the appropriate security framework requires consideration of several key factors:
- Industry and Regulatory Requirements: Certain industries recommend specific frameworks (e.g., HITRUST and NIST CSF for healthcare organizations to align with HIPAA and other regulatory expectations, NIST 800-171 for government contractors, ISO 27001 for global security compliance, etc.).
- Risk Profile and Business Objectives: Organizations with high-value intellectual property or sensitive data may want to opt for frameworks with stricter, highly structured controls, such as HITRUST, NIST 800-53 or FISMA, to safeguard their assets.
- Scalability and Flexibility: Some cybersecurity frameworks, like the NIST CSF, offer a more adaptable approach, while others, such as HITRUST and ISO 27001, take a more prescriptive approach.
- Security Compliance and Certification Goals: For organizations pursuing certifications, choosing a framework that supports auditing and third-party validation is essential (e.g., ISO 27001, HITRUST, NIST 800-53, or aligning an SRA with OCR expectations).
- Technology and Infrastructure Considerations: The choice of framework may depend on specific operational factors such as cloud environments, artificial intelligence (AI) usage, and Internet of Things (IoT) security requirements.
By evaluating key factors, organizations can select the security framework that best aligns with their needs, risks, and long-term goals.
Understanding Limitations of Security Frameworks
Security frameworks are created with specific goals and scopes in mind, making it essential to understand both their capabilities and their limitations.
Here's an overview of key frameworks and their strengths and drawbacks:
- NIST CSF 2.0: Widely adopted for its flexibility and risk-based approach, the NIST CSF 2.0 is highly versatile and suitable for organizations of all sizes. However, it lacks prescriptive controls, requiring organizations (or assessors) to define their own detailed security measures.
- HITRUST: Widely used across the healthcare sector, HITRUST consolidates multiple security compliance requirements into a single certifiable framework. While comprehensive, it does not adequately address medical device security and may not address emerging security challenges at depth, such as AI risks, unless specifically scoped.
- NIST 800-171: Focused on protecting Controlled Unclassified Information (CUI) in non-federal systems, this framework is critical for government contractors. However, it falls short when addressing broader enterprise security concerns: its coverage of incident response, risk management, continuous monitoring, and supply chain scope is limited.
- ISO 27001/27002: A globally recognized standard for information security management systems (ISMS), ISO 27001 provides a structured approach to certification. However, it is process-intensive and often requires significant customization to meet the unique needs of specific industries.
Meditology is framework-agnostic and works with all of the above frameworks, tailoring our approach to each organization’s unique needs. While we frequently conduct Security Risk Assessments (SRAs) using HITRUST or NIST CSF due to their adaptability and comprehensive coverage, we recognize that no single framework fits every organization perfectly.
We perform hundreds of SRAs annually across organizations of different sizes and industries, meeting them wherever they are in their cybersecurity journey. For healthcare organizations, we integrate regulatory requirements—including HIPAA security expectations and evolving government perspectives like the new HIPAA rule—to ensure our assessments address both compliance and security best practices.
Our team helps organizations select the most appropriate framework based on their size, risk profile, regulatory requirements, and business objectives. Where necessary, we augment the chosen framework with additional controls—such as considerations for AI, Medical Device Security, or emerging threats—to ensure full coverage of the environment under review. Our goal is to provide tailored, strategic security guidance that best supports each organization's cybersecurity maturity and compliance needs.
Common Gaps in Control Frameworks
While security frameworks provide valuable guidance, they often leave critical gaps that require additional consideration.
Some of the most overlooked or underrepresented areas include:
- Emerging Technologies: Many frameworks lack specific controls for advanced technologies such as AI security, blockchain, and the risks associated with quantum computing. These fast-evolving areas demand tailored security measures that most existing frameworks fail to address comprehensively, leaving organizations to develop their own ad-hoc safeguards.
- Cloud Security: Although frameworks may reference cloud security best practices, they often fail to deliver comprehensive, actionable guidance for securing complex hybrid and multi-cloud architectures and managing the nuances of shared responsibility models, workload segmentation, and data sovereignty.
- IoT and Medical Device Security: The unique challenges of securing IoT and medical devices are often understated. Risks such as unsecured endpoints, lack of regular patching, and the monitoring of vast networks of connected devices require specialized controls. Healthcare organizations, in particular, must incorporate customized assessments for connected medical devices because standard security frameworks often fall short of addressing these security demands.
- Data Classification and Privacy: While data protection is generally covered, frameworks frequently lack granular controls for sensitive data classification, access segmentation, and automated enforcement of retention and disposal policies. Additionally, they often overlook privacy-by-design principles, which are crucial for compliance with evolving global regulations.
- Cyber Resiliency: While many frameworks emphasize incident response, they often lack guidance on ensuring long-term operational stability through proactive recovery, redundancy, and business continuity planning. Organizations must move beyond compliance-driven recovery strategies and integrate resilience-by-design principles, including automated failover, supply chain contingency planning, and continuous resilience testing. Additionally, frameworks often fail to account for continuous threat evolution, supply chain dependencies, and the need for adaptive security architectures that can sustain operations during and after a cyberattack.
Organizations must proactively address these gaps, going beyond standard cybersecurity frameworks to implement tailored controls that address their unique risks and evolving technological landscapes.
Regulatory Requirements & New HIPAA Rule
Understanding where organizations often fall short in their security risk management efforts is critical for maintaining compliance and fostering a culture of proactive resilience. While the OCR Audit Protocol is not designed to be a comprehensive security framework, it provides a well-structured evaluation tool for HIPAA security, privacy, and breach notification controls. Organizations can leverage this protocol as a reference point when conducting a thorough SRA.
Analyzing trends in regulatory enforcement equips organizations with a clearer understanding of compliance expectations while enabling them to address vulnerabilities identified in previous audits. This dual approach not only meets security compliance standards but also encourages the proactive enhancement of security practices to counteract emerging threats.
The evolving nature of security risks is paralleled by the continuous refinement of regulatory requirements. The new HIPAA rule mandates for 2025, commonly referred to as HIPAA Security Rule 2.0, introduce stricter and more comprehensive security measures. Designed to strengthen both compliance and overall security resilience, these mandates emphasize the need for organizations to stay adaptive. Additional details on the updated requirements can be reviewed in HIPAA Security Rule 2.0.
Ultimately, these evolving regulations highlight the necessity for organizations to transition from static security frameworks to dynamic risk management strategies. By integrating new requirements in real-time and maintaining a flexible, forward-looking approach to security, organizations position themselves to better withstand the challenges posed by an increasingly complex threat landscape.
How Meditology Closes the Security Gap
At Meditology, we stay ahead of evolving regulations by continuously monitoring updates, such as the new HIPAA rule for 2025, and integrating regulatory perspectives into security frameworks such as HITRUST and NIST CSF. Our security risk assessments are thoughtfully designed to integrate emerging security compliance requirements, closing gaps that could otherwise lead to penalties. By aligning compliance with proactive risk management, we help our clients meet regulatory obligations and strengthen their overall security posture.
We recognize that traditional cybersecurity frameworks, while essential, often struggle to keep pace with the rapidly evolving threat landscape. With many frameworks updated only every three to five years, organizations are often left exposed to emerging risks during the years between updates. To address this challenge, we have developed a proprietary, comprehensive security control set designed to assess modern and evolving security threats head-on.
Our solution ensures that security risk assessments remain current, thorough, and aligned with today’s regulatory requirements and threat environment. By seamlessly integrating industry-standard frameworks with our custom control set, we deliver a holistic security evaluation that leaves no critical vulnerabilities unchecked.
Whether it’s adapting to emerging technologies, navigating regulatory changes, or countering new attack vectors, Meditology’s approach ensures your organization is equipped to meet modern security challenges with confidence.
Final Thoughts
Choosing a security risk assessment framework is just the first step. Organizations must understand the inherent limitations of these frameworks and take deliberate action to address any gaps. By incorporating additional considerations such as emerging technologies (AI security), cyber resiliency, IoT, and cloud security, organizations can strengthen their defenses and create a security posture that is both robust and future-proof.
At Meditology, we empower organizations to move beyond basic security compliance and achieve true security maturity. Contact us today to learn how we can guide you in conducting a comprehensive, up-to-date security risk assessment tailored to ever-evolving cyber threats.
About the Author
Bethany Page Ishii | Senior Director, Cybersecurity & IT Risk Management
Bethany Page Ishii is a seasoned cybersecurity and risk management executive with 15 years of experience. Her expertise spans security consulting, operational leadership, and customer success, making her uniquely equipped to deliver comprehensive solutions that align strategic vision with practical execution. With a decade of consulting under her belt, Bethany led the firm’s Validation Service Line, overseeing Security Risk Assessments, HITRUST certifications, Privacy Assessments and SOC 2 attestation efforts. Bethany also served as a CISO for five years, where she directed data security and threat response activities. Her approach marries practitioner experience, consulting insight, and a focus on client relationships to drive success across a variety of security disciplines.