Q&A with an Ostendio HITRUST practitioner
As busy security professionals, CISOs can feel overwhelmed by the growing number of certifications, frameworks, and regulations they must keep track of. Adding HITRUST certification to the mix can seem daunting, but it doesn't have to be. HITRUST certification provides independent, third-party validation that an organization's controls for protecting sensitive data meet current security and privacy standards. It shows potential clients and vendors that your organization takes data security seriously, and it can be a significant competitive advantage.
If you have already decided that a HITRUST certification could be the right move for your organization, you probably have many questions you would like answered. We sat down with an expert, Kevin Brown, Ostendio Information Security Officer, to get answers to some of the most commonly asked questions about this complex data security audit.
Q&A with an Ostendio HITRUST expert
1. Does HITRUST apply to my organization and/or industry?
Traditionally, HITRUST certifications have been associated with the healthcare industry. Today, the HITRUST framework can be used by organizations across many industries to demonstrate the effectiveness of their data security programs. Organizations are often required to meet multiple regulatory and industry standards such as HIPAA, ISO, PCI, and SOC. A HITRUST certification does not include certifications to these other standards, but it does address many of their control requirements and can be accepted as a valid alternative. This makes HITRUST a desirable framework for organizations that also need to demonstrate compliance with these frameworks. If you are considering multiple framework certifications, I suggest finding a tool or platform that allows you to crosswalk, or cross reference, the evidence you have gathered for one framework to the relevant control on another framework. This will save you time and money in your audit readiness preparation.
2. Why should we choose a HITRUST certification?
By preparing for and submitting to a HITRUST assessment, organizations indicate to partners and clients that they follow a strict code of security and privacy standards. Not only does a HITRUST audit enable your sales team to allay any potential third-party security concerns, but it will also raise your overall security posture within your organization by raising awareness of key security controls. As a CISO, you can address risk at a boardroom level, discuss your organization's appetite for risk and build a plan to address those risks to protect your organization.
3. Who can perform a HITRUST readiness assessment?
A HITRUST readiness assessment should be completed by a certified HITRUST Readiness Licensee. By using an authorized readiness licensee, you can be sure that they have been fully trained by HITRUST in the methodology used for this complex audit, and you can be assured that your preparation is thorough and that you are ready for the full audit.
4. How long does it take to get HITRUST ready and HITRUST certified?
Generally, most companies take 12-24 months to prepare for and complete a HITRUST audit. The primary reason? HITRUST certification is not designed as a quick “check-the-box” audit. It is designed to provide a high level of assurance in an organization’s data security program. Rushing through or attempting to cut corners with automation of audit preparation can often lead to missing key elements or information that can result in not achieving certification.
By working with a HITRUST Readiness Licensee, organizations can complete a gap analysis to determine where they need to complete additional work - documenting policies, conducting reviews of security operations, or implementing a SIEM, for example, before submitting for a HITRUST audit.
5. What is the difference between HITRUST and HIPAA?
One of the major differences between HIPAA and HITRUST is that HIPAA is a Federal law, whereas HITRUST is a framework. HITRUST integrates the requirements of the HIPAA Security Rule in its framework, along with other controls necessary to be HIPAA compliant.
HIPAA does not have a certification, and no organization can claim to be "HIPAA certified". Additionally, the HIPAA Security Rule is written at a broad level, and organizations often struggle with knowing how to implement and comply with its requirements. HITRUST remediates this ambiguity with a clear, prescriptive set of controls and an end goal of certification, providing assurance that an organization achieving HITRUST certification has implemented controls to meet those requirements. HITRUST also claims that with its framework you can "assess once and report many". This means a HITRUST Certification can be used as the building block to attain other certifications and reports, such as SOC 2 or NIST 800-53.
The Office for Civil Rights (OCR) is responsible for enforcing HIPAA Privacy and Security Rules, and for fining companies for data breaches as appropriate. HITRUST is a commercial framework and so failure to meet the required standard has no direct federal liability. Consequences, if any, are limited to the contractual or commercial drivers that initiated the requirement for HITRUST certification e.g. a vendor may not purchase services.
6. Do I need HITRUST or a SOC 2 report?
Choosing a framework is an important element of any data security program. We always recommend that clients speak with their preparer to decide on the right framework for their organization, industry, and budget. It will also depend on your readiness and timeline for the work. You may find that a SOC 2 report will be sufficient or a good starting point for your security journey. Our key recommendation is to select a GRC or Security and Compliance tool that allows access to multiple frameworks so you can scale your security program to multiple frameworks as your experience and maturity level increase.
7. What is the HITRUST CSF?
The foundation of all HITRUST programs and services is the HITRUST CSF, a certifiable framework providing organizations with a comprehensive, flexible, and efficient approach to regulatory/standards compliance and risk management. Clients preparing for a HITRUST assessment can build their data security program and prepare for the assessment using the HITRUST MyCSF platform while operationalizing their security program on the Ostendio platform.
8. How much will HITRUST certification cost?
Developing an effective compliance program can be demanding on resources. You need to consider a budget that includes technical and administrative expenses before attempting certification with any compliance framework, including HITRUST. HITRUST certification requires a significant overall investment. It may cost over $100k between internal preparation costs, HITRUST assessor costs, and HITRUST certification costs (including a MyCSF subscription).
Direct Costs may include:
Annual subscription to MyCSF
Auditor/Approved Assessor fees
Readiness consultant fees
Indirect Costs may include:
Employee time spent on preparing, collecting, and submitting evidence for certification, estimated at least 1 FTE for a year
Employee time for implementation of required controls
Lost opportunity for work not performed
Tools for control execution, e.g., purchasing software to meet requirements, should also be considered
Helpful Hint: Allow enough time to prepare for HITRUST certification. It is not uncommon for it to take 18 months or longer to complete.
9. Can I use the evidence I gather for HITRUST and apply it to other certifications or standards?
Yes! An excellent benefit of conducting a HITRUST audit is that the preparation and scope of the audit are thorough. In addition, since HITRUST optionally includes control sets for multiple standards, meeting the rigors of HITRUST often means you'll meet the requirements of other standards as well. Also, by using a platform such as Ostendio, you can use the evidence, policies, and documents gathered for HITRUST and apply them to other standards such as SOC 2, PCI, CMMC, ISO, etc. By using the Ostendio crosswalk feature, you can easily map evidence gathered for one standard to another, saving you time and money in your preparation for multiple certifications.
How to get ready for HITRUST
By reading this far you are already doing some of the prep-work by researching HITRUST and learning more about the work involved. You can also visit the HITRUST website where there is an informative section with their most frequently asked questions.
Your next step should be to speak with an expert to evaluate which security certification or standard is right for your business. You will also need boardroom support for such a project, because it will require employee time and a significant budget. There are notable benefits to a HITRUST certification, including establishing a detailed data security program, which in turn will make your organization more efficient and show your commitment to data security and compliance to potential customers.
Talk to an Ostendio HITRUST expert about your options or ask any additional HITRUST-related questions. Ostendio is built for serious security professionals.