HITRUST. A term becoming increasingly popular in the healthcare arena. But what exactly is HITRUST? And what’s involved in becoming HITRUST certified?
HITRUST, or the Health Information Trust Alliance, is an industry-driven set of regulations, used to standardize on a common, certifiable framework to benefit both vendors and covered entities.
On the official HITRUST website, it states that it “was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges.”
HITRUST itself is not a framework. Rather, the HITRUST Alliance is the organization that created and maintains the Common Security Framework (CSF), against which healthcare entities map their security and compliance programs. The CSF, currently in version 7, is divided into 19 different domains and 135 specific controls. By outlining a specific set of criteria, it can be easier to prove that you have reached and are maintaining HITRUST certification, whereas reaching and maintaining HIPAA ‘compliance’ can often be open to interpretation.
What are the key elements of HITRUST?
HITRUST requires that a company operate an effective corporate security and privacy program. Prerequisites for HITRUST include having conducted an industry-standard risk assessment. Ostendio helps organizations get ready for HITRUST through the adoption of our MyVCM cybersecurity and information management platform. Ostendio’s MyVCM takes organizations through a proprietary implementation methodology that allows them to build up the evidence required to commence the HITRUST certification process.
This step is optional, and it requires you to gain access to the myCSF platform and upload all documentary evidence. Costs are approximately $2,500 for 90-day access to the myCSF Tool and $3,750 for submission and scoring. This does not take into account any internal time required to upload the evidence.
This requires support from an approved HITRUST assessor, who will typically charge anywhere between $30,000 and $175,000. There are several parts to this process. A HITRUST assessor will help you understand what evidence is required, work with you to set your baseline configuration, and assist you with uploading the evidence. Additional costs include continued access to myCSF for as long as the process takes, if longer than 90 days. Access to the myCSF platform can only be purchased for a minimum of 3 months, with both monthly and annual options after that. Once access to myCSF is lost, so is your data. Ostendio works with a number of certified HITRUST assessors, who can offer reduced fees because of the efficiencies the MyVCM platform provides to the process.
Once all the necessary information has been uploaded for verification, it can be submitted for certification by HITRUST. This costs about $3,750 and it requires continued access to myCSF until certification is complete.
Importantly, all the costs quoted above assume you already operate a mature information security framework and have everything you need to start the HITRUST process. If you have gaps, these will need to be addressed in advance and this can add to the overall cost of the process.
HITRUST certification lasts for 24 months, but you will still need to undertake annual reviews and can lose your HITRUST certification during this time if you are not maintaining the policies and procedures you were initially assessed against.
To be HITRUST certified, you need to provide more than just current and relevant policy and procedure documentation. You need to be able to provide evidence that you are operating in accordance with these policies and procedures. Typically, this will take the form of up to 6 months of logs and other forms of historical evidence.
Ostendio can help you prepare for this process and help you work with your HITRUST assessor. Our MyVCM platform will allow you to track and manage all your HITRUST certification documentation and relevant operational activities such as data access audits, training, document compliance, etc. MyVCM not only becomes your cybersecurity and information platform, it also builds, collects and maintains all the evidence required to obtain and maintain HITRUST certification.
HITRUST CSF Certification is a rigorous and lengthy process. Compared with a HIPAA audit, the burden of proof rests with the organization seeking certification. Achieving HITRUST certification takes a significant amount of time and resources – and a sizeable budget.
If you are ready to start the HITRUST certification process, or you would like to learn more about how Ostendio can help you manage your security and compliance programs, contact us and one of our experts will be happy to answer any questions you might have.
Not sure where to start?
The NIST Guide can help. We can also provide you with a free copy of Ostendio’s password policy, as an example. Just contact us at firstname.lastname@example.org.