Among the myriad challenges facing the modern CISO is the constant need to improve data security by selecting the security framework that aligns best with your industry and organization. There is growing pressure to ensure your organization has the right controls and security in place to protect your data against the evolving cyber threats that have contributed to the rise in the average cost of a data breach.
Aligning these controls with a data security certification brings competitive benefits and demonstrates to business partners that your organization takes security seriously.
Is HITRUST right for my organization?
But where should you start with choosing a standard or certification? We’ll discuss how to determine whether HITRUST is the right certification for your organization and whether you are ready for it.
As the first SaaS-based platform to become a HITRUST Readiness Licensee, with experts holding over 30 years of combined experience with HITRUST (including certified HITRUST CSF practitioners on staff), we are often approached to advise clients on readiness preparations for HITRUST.
Top 8 questions about HITRUST answered.
We’ve pulled together the eight most frequently asked questions about HITRUST to help you better understand the HITRUST process and to decide whether the certification is right for your organization.
1. What does HITRUST certification mean?
HITRUST certification provides third-party validation that an organization is up to date with the latest security and privacy standards for protecting sensitive data. Clients preparing for a HITRUST assessment can build their data security program and prepare for the assessment using a combination of the Ostendio platform and the HITRUST MyCSF platform. HITRUST partnered with Ostendio as the first SaaS platform vendor to become a HITRUST Readiness Licensee because the comprehensiveness of our processes and of our security and risk management platform maintains the integrity of the HITRUST framework.
2. Who does HITRUST apply to?
Traditionally, HITRUST certifications have been associated with the healthcare industry. Today, organizations from many industries use the HITRUST framework to demonstrate their data security programs. Companies are often required to meet multiple regulatory and industry standards such as HIPAA, ISO, PCI, and SOC. Though a HITRUST certification does not include certifications to these other standards, it does address many of their control requirements and is often accepted as a valid alternative. This makes HITRUST a desirable framework for companies that also need to demonstrate compliance with these frameworks.
3. Why get HITRUST certification?
By preparing for and submitting to a HITRUST assessment, organizations indicate to partners and clients that they follow a strict code of security and privacy standards and understand that it is essential to protect sensitive information. Not only does a HITRUST certification enable your sales team to allay potential third-party security concerns, it also raises the overall security posture of your organization by raising awareness of security controls. As a CISO, you can address risk at the boardroom level, discuss your organization's appetite for risk, and build a plan to address those risks and protect your organization.
4. How much preparation time will be required?
HITRUST certification is not designed as a quick “check-the-box” audit because it is designed to provide a high level of assurance in an organization’s data security program. Rushing through or attempting to cut corners with automation of audit preparation can often lead to missing key elements or information that can result in not achieving certification. In general, most companies take 12-18 months to prepare for and complete a HITRUST audit.
By working with a HITRUST Readiness Licensee, organizations can complete a gap analysis to see where they need to complete additional work - documenting policies, conducting reviews of security operations, or implementing a SIEM, for example, before submitting for a HITRUST audit. With the Ostendio platform, every action is documented, processes are automated and an audit trail is created across the enterprise, thereby enabling organizations to schedule, track and audit activities in line with the HITRUST domains. This audit trail will save your organization time and money in preparing to be HITRUST audit-ready.
5. What is the difference between HITRUST and HIPAA?
One of the major differences between HIPAA and HITRUST is that HIPAA is a Federal law, whereas HITRUST is a framework. HITRUST integrates the requirements of the HIPAA Security Rule in its framework, along with other controls necessary to be HIPAA compliant.
HIPAA does not have a certification - no organization can say they are “HIPAA certified”. Additionally, the HIPAA Security Rule is written at a broad level and organizations often struggle with knowing how to implement and comply with its requirements. HITRUST remediates this ambiguity with a clear, prescriptive set of controls and an end goal of certification providing assurance that an organization achieving HITRUST certification has implemented controls to meet those requirements. HITRUST also claims that with their framework, you can “assess once and report many”. This means a HITRUST Certification can be used as the building block to attain other certifications and reports such as SOC 2 or NIST 800-53.
The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and for fining companies for data breaches as appropriate. HITRUST is a commercial framework, so failure to meet the required standard carries no direct federal liability. Consequences, if any, are limited to the contractual or commercial drivers that initiated the requirement for HITRUST certification, e.g. a vendor may decline to purchase services.
6. What is the HITRUST CSF?
The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework providing organizations with a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management.
7. How much will HITRUST certification cost?
Developing an effective compliance program can be demanding on resources. You need to consider a budget that includes technical and administrative expenses before attempting certification with any compliance framework, including HITRUST. The overall cost of HITRUST certification requires a significant investment. It may cost over $100k between internal preparation costs, HITRUST assessor costs, and HITRUST certification costs (including a myCSF subscription).
Direct Costs may include:
- Annual subscription to MyCSF
- HITRUST reports
- Auditor/Approved Assessor fees
- Readiness consultant fees
Indirect Costs may include:
- Employee time spent on preparing, collecting, and submitting evidence for certification, estimated at a minimum of 1 FTE for a year
- Employee time for implementation of required controls
- Lost opportunity for work not performed
- Tools for control execution, e.g. purchasing software to meet requirements, should also be considered
Helpful Hint: Allow enough time to prepare for HITRUST certification. It is not uncommon for it to take 18 months or longer to complete.
8. Can I use the information I gathered and apply it to other certifications or standards?
Yes! An excellent benefit of conducting a HITRUST audit is that the preparation and scope of the audit are thorough. In addition, since HITRUST optionally includes control sets for multiple standards, meeting the rigors of HITRUST often means you’ll meet the requirements of other standards as well. Furthermore, by using a platform such as Ostendio, you can take the evidence, policies, and documents gathered for HITRUST and apply them to other standards such as SOC 2, PCI, CMMC, ISO, etc. By using the Ostendio Crosswalk feature, you can easily map evidence gathered for one standard to another, saving you time and money in your preparation for multiple certifications.
Get started on your HITRUST journey
By reading this far you are already doing some of the prep work by researching HITRUST and learning more about the work involved. Your next step should be to speak with an expert to evaluate which security certification or standard is right for your business. You will also need boardroom support for such a project because it will require employee time and a significant budget. There are notable benefits to a HITRUST certification, including establishing a detailed data security program, which in turn will make your organization more efficient, and demonstrating your commitment to data security and compliance to potential customers.
Talk to an Ostendio HITRUST expert about your options or ask any additional HITRUST-related questions. Ostendio is built for serious security professionals.