10 Ways Organizations Leverage HITRUST To Build Trust & Drive Revenue

[5 minute read]

Scaling a cybersecurity program is often perceived as a necessary expense to protect against threats rather than a revenue-generating opportunity. However, a well-executed security strategy can enhance customer trust, attract new clients, and open doors to lucrative partnerships. By safeguarding valuable data and demonstrating a commitment to security, businesses can build a competitive advantage that directly impacts their bottom line.

In a recent webinar featuring Dina CEO, Ashish V. Shah, and Voluware CEO, Marty Staszak, we delved into how these companies strategically leverage their data security programs to gain a competitive edge while protecting sensitive data. We discovered how these companies use their data security programs to bring them to the table during contract negotiations. We also heard from Brett Williams, Partner at Aprio, who provided valuable insights on the audit process and what it takes for a client to approach HITRUST with confidence.

Let's review the 10 ways that organizations leverage HITRUST to build trust and drive revenue.

1. Build trust by investing in security and compliance as a continual process - not a one-time certification process

Explaining why security and compliance were so important to his organization, Dina CEO, Ashish V. Shah, said that trust is at the core of Dina’s business. As a digital network management and coordination solution involved in the healthcare industry, Shah aimed to first and foremost “be good custodians of people’s health information. We need to do that because it is the right thing to do but also because it is required by regulations,” he said.

From day one, Dina built a culture of security from the start and views security as a journey of continual improvement. Although Dina has achieved HITRUST, partnering with Ostendio, Shah says there is always a responsibility to continue to improve in the future.

2. Building a culture of security into the foundation of all organizational processes 

Voluware CEO, Marty Staszak also sees security and privacy as a paramount priority for his organization. He added that, at first, their security focus was on technical safeguards and being on the ball with knowing where their data was stored. It was at this point that he realized understanding of the administration required to work within HITRUST’s guidelines of organizational security. 

“[With HITRUST,] Everyone has to work together. HITRUST touches each part of our organization. It is easier as a small company to put these practices into place so that when we grow they are already established,” he said.

“When we look at our priorities, we felt that being best in class in security and privacy was paramount to success. Risk assessments have evolved dramatically over time. Once you look at how they are constructed. They are built around HITRUST controls. It is table-stakes for us, to be HITRUST certified to be able to be at the discussion. It gets us closer to getting deals done. So it is really important to us.”

3. Conducting a thorough risk assessment to establish organizational security priorities  

Dina and Voluware have chosen HITRUST. However, many organizations are concerned with the costs involved in managing complex security audits. There are only so many hours in the day and their staff also have full-time jobs to fulfill. 

Brett Williams, Partner at Aprio, a leading audit firm, provides his recommendations to cost-conscious organizations. He says at the end of the day, companies need to conduct and review their risk assessment. He acknowledges that there are different levels of expectation based on the size of the client. They have to consider what they want to achieve based on their size and resources.  Williams shares that there are many tools to help prepare for audits. He suggests organizations think longer term at the outset about their compliance goals. “It is a journey, start the journey and grow responsibly.”

With growing budget constraints there is always pressure to limit spend, but both Dina and Voluware explained the importance to their overall business of having a strong security and compliance program in place.

Ostendio looked at the ROI of a compliance program with examples of how an investment in a robust compliance and security platform can pay dividends to ensure your organization and your people are continuously secure while improving work efficiencies.

4. Taking a proactive approach and building HITRUST compliance into your product investment 

Shah explained that dealing with a budget these days is tough and all organizations are evaluating spending.  But for Dina, their founding story is important. Shah says, “We are making healthcare more accessible and want to be secure and trustworthy.  It is integrated into our product. It is a new capability we wanted to launch - HITRUST. We look at it as a product investment rather than a check-the-box.”

Shah explained the way they approached this project in the same way an athlete would approach training. “You can be Michael Jordan and you still need a coach. We needed to stay ahead of the game - to be on offense rather than defense. We had a great team but to demonstrate to the board, market, and prospects how serious we were about our product - we wanted to team up with a high-performance coach and for us that was Ostendio. Ostendio was a good fit for us, taking our high-performance team to bring something special home.”  He added that Dina understood that this is a lifetime project and their goal is to be better tomorrow than they were yesterday.

5. Partnering with HITRUST experts to save time and resources 

Staszak explained that Voluware quickly realized how important a robust security and compliance program was to his company. “Our business model is built on being the fastest boat in the water. When we looked at what was needed to do it was HITRUST … we could have just done our best and worked with an auditor but it would have meant the people running the product stepping back from their daily role and learning what was needed and developing expertise. Initially, we engaged with Ostendio for a gap assessment and then we looked at what it would cost to have Ostendio do everything because we wanted to be the best in class. It shaved about a year off the process for us and in developing the materials we could leverage the understanding of the Ostendio team to write documents so the auditor can review them properly.”  

Voluware also protected its investment by taking advantage of the Ostendio Audit Guarantee. Staszak said, “Working with Ostendio, and the audit guarantee, was important to us. It meant people could focus on their own work, we could continue with our velocity as an organization while moving forward with HITRUST. Yes, there was a cost associated with it but we realized there was a cost of not doing it and not doing it right. Shaving a year off the process was important to us, but working with Ostendio gave us confidence we were doing it right.”

6. Conducting a readiness assessment prior to the HITRUST audit 

There’s a lot of work in preparing for an audit. Not everyone is ready when they come to an auditor.  When an organization approaches an audit firm, how does the auditor determine if they are ready or not? 

Williams explains that there are very few clients he would take on who have not completed a readiness assessment or worked with a partner like Ostendio to prepare for an audit.  Williams explains that the reality is that companies find complex security audits hard to do in-house if they haven’t done it before because they often don’t understand what is required. He says this lack of experience can lead to a disastrous audit. Williams explains that all the documents required must be good enough for an audit and if you haven’t gone through an audit before you might not appreciate what is required.  At a larger organization, they may have the ability to hire a compliance officer but most smaller organizations don’t have enough people to prepare and that’s why you hire a consultant to help you.

7. Scoping your audit and not aiming for a 100% score 

Ostendio has years of experience assisting clients with audit prep. Scoping for an audit is an important element of the audit preparation process. Clients often go from resisting the audit to wanting to include every element of their business and being highly aspirational in their audit goals. 

There is an art in understanding the nature, scale, and risk of an organization and building a scope that is achievable.

As an experienced auditor, Williams described how HITRUST has a scoring system that means reaching a mark of 75% is a passing score and that it is hard to reach over 80% for most organizations. He often finds himself restraining smaller organizations who feel they need a 100% score to pass. This is overkill for smaller organizations that need to start with smaller goals so they understand the nature of the audit and can increase their scope over time as their businesses mature and grow.

8. Starting the HITRUST recertification process 12 months into the 2-year process 

After passing their HITRUST audit, Shah recognized the need for his organization to continue the momentum. With HITRUST there is an interim checkpoint in 12 months and that recertification work starts well before the 2-year certification expires. Shah is confident that his organization is now working with the right security mindset. He added, “We have tools, including Ostendio, to stay organized and work through the evidence collection process.  You have to be able to demonstrate your compliance and you have to be well organized so you are not starting back from scratch. The journey is living within our framework and making it better as we move forward.” 

For Voluware it is a similar approach. According to Staszak, “This is an attitude and culture. Once you embrace what HITRUST needs it permeates your entire organization…there is value in the organizational alignment that you gain.” He added that the challenge he faces is not going too fast and instead taking the time to be methodical.

9. Working in lock-step with your auditor and viewing the audit as part of the organizational process 

Brett Williams has completed over 3,000 audits, and in his experience, successful organizations are the ones that have the right attitude. He said, “You can tell if a company is well run and they treat an audit like any other part of their business. You can tell they will be successful. If organizations treat the audit as if it is terrible, a hassle, then the end result will not be good. If they approach it positively, and as part of their business, not doing extra just for the audit, they have the information already. If it is permeated into their business, the audit will be smooth and you will get value out of the audit. That attitude is the one that most successful companies have with regards to their audit.”

10. Establishing HITRUST as a revenue enabler, not a cost-center 

Some organizations may have a challenge explaining the ROI of an audit.  

For Shah, at Dina, HITRUST was clearly a revenue enabler. He believes that it makes Dina products stronger. “So for us, it is a revenue driver, not an expense line item.”

For Staszak at Voluware, it is an essential element of doing business, “It boils down to what we do. We work with payers and providers. To make a sale we have to be HITRUST certified. We can fall out of a deal cycle if we don’t get through a security assessment with flying colors. It’s about revenue and confidence that payers and providers have that we are built to be here for the long haul.”

[Learn more: Watch the full webinar here.]

Next Steps

If you are considering a HITRUST audit, let one of our experts show you how using the Ostendio platform to prepare for such a complex audit can also benefit your overall security program. Find out how security frameworks can support your organization's growth by scheduling a time here.