HITRUST is a non-profit organization that helps the healthcare industry control data protection standards. It’s similar to HIPAA, but instead of being written and implemented by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI-like enforcement system for businesses to adopt.


Why is HITRUST important?

For a variety of reasons, HITRUST is critical to the healthcare industry:

In the United States, HITRUST is the most widely used security framework in the healthcare industry. It sets an industry-wide standard for handling Business Associate compliance.

HITRUST is updated daily. The framework is updated to keep healthcare organizations current with new regulations and security threats. It is the most frequently updated security framework in use, with periodic updates and annual audit revisions. This means that those who follow the CSF are continually working to keep their security at its strongest.

Some large payers require HITRUST. On February 8, 2016, five major healthcare payers notified their business associates that they would need to comply with the HITRUST Common Security Framework within two years. As a result, companies must consider “what HITRUST entails” and “what changes will we need to make to achieve and maintain certification.”


Why is HITRUST Certification more expensive than other security certifications?

The answer lies in its detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three forms of protection required by HIPAA regulations, the 12 PCI DSS compliance standards, COBIT’s five domains, 37 processes, and the 80-100 included in a SOC 2 audit.

The fact that HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and compliance program is one of the most tangible benefits of the framework. It brings together information management, financial services, technology, and healthcare standards. As a result, businesses can streamline their compliance processes, address security concerns across all sectors, and reduce the time and expense of maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control is assessed using the HITRUST Maturity Model, which has five levels.

Throughout this phase, an average of 1.5 hours is spent per control, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope. In most cases, 2,000-2,500 separate data points are examined. The HITRUST CSF certification process covers far more ground than other security evaluations.


The HITRUST CSF was created to give compliance programs more structure and continuity. Recent enhancements have also sought to improve scoring accuracy over time and consistency between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved as part of its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program, and they must work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. HITRUST CCSFPs have extensive IT compliance and auditing experience. To become accredited, they must complete a training course, pass an exam, and then maintain their certification through regular refresher courses. Through this program, HITRUST helps organizations by providing qualified personnel and ensuring that the evaluation and certification process is accurate.


The HITRUST Certification Fee


If you’re looking for a ballpark figure, the best guess is $50,000 to $200,000, not including ongoing recertification costs. However, that range is so wide that it is of little use for budgeting.

The cost depends on the assessment’s scope, the organization’s size, the state of its information systems, and the steps taken to prepare for a HITRUST assessment.


What exactly is included in this price?

Costs directly related to:

– Access to the HITRUST MyCSF® portal and services

– Conducting and scoring a readiness assessment

– Conducting a gap analysis, and administering and scoring a validated assessment

Indirect costs incurred as a result of:

– Employee time spent on participation,

– Security data recording and updating,

– Initial setup,

– Developing corrective action plans and remediation initiatives,

– Assistance locating and submitting necessary documents, and

– Other services provided by the HITRUST Approved External Assessor.

HITRUST Certification won’t be easy

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority will be unprepared and caught off guard. Many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but must also be audited by a third party before being approved, and they must be recertified every other year.

Have there been breaches after HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts questioned what it meant to be HITRUST certified, given the sheer scale of the breach.

Is HITRUST worth the investment?

When it comes to HITRUST certification, many businesses are taken aback by the cost. In reality, one of the most common gating factors is the cost of assessment and assessor services. From an investment point of view, the value of HITRUST certification becomes more evident when it is viewed as a medium- or long-term commitment. Still, one must also weigh the cost to the business against the expected returns.

Many customers are hesitant to invest in HITRUST because they are afraid of failing. It is not, however, a pass/fail situation.

When considering HITRUST CSF® certification, one of the first questions small and mid-sized companies ask is “how much will it cost?” It is a serious concern, and a well-founded one. Budgets are often tight, data protection is an important investment, and the time and resources required for certification can be considerable.

When clients ask for HITRUST® certification in a specific time period, the advice given is “take it slowly”.

The cost might be too steep for small and medium enterprises, where HITRUST may be perceived more as a cost. For larger enterprises, HITRUST Certification can be seen as an investment rather than an expense. So, it depends.

So, what about the SMEs? Are there no alternatives?

HITRUST certification, according to some security experts, is no guarantee of a strong security program. They also point out that businesses can consider a variety of other viable security frameworks.

As alternatives to HITRUST, several other organizations offer security governance frameworks, such as the National Institute of Standards and Technology frameworks, SOC reports (SOC 1, 2, and 3, Type 1 and Type 2), and ISO 27001 certification.


databrackets certified privacy and security professionals can help your organization comply with a range of certifications and compliance requirements, including HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDPS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

databrackets is accredited to ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) for Cybersecurity Inspection Body Program (Certificate Number: 5998.01).

databrackets received accreditation from the International Accreditation Service (IAS) to provide ISO/IEC 27001 certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, please visit www.databrackets.com.
