Is HITRUST Worth The Investment?

HITRUST certification helps healthcare companies manage information risk effectively. It is worth it if it is treated as an investment rather than a one-time cost.


What is HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that uses the ‘HITRUST approach’ to help the healthcare industry control data protection standards and effectively manage data, information risk, and compliance. It’s similar to HIPAA, but instead of being written and enforced by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI (Payment Card Industry)-like enforcement system for businesses to adopt. HITRUST is a recommended framework trusted by many larger healthcare companies, health networks, and hospitals to manage risk along with other frameworks.


Why is HITRUST important?

In the United States, HITRUST is the healthcare industry’s security framework, adopted primarily in hospitals. It sets an industry-wide standard for handling Business Associate compliance. For a variety of reasons, HITRUST is slowly being adopted across the healthcare industry alongside other certifications:

HITRUST is updated daily to keep healthcare organizations current on new regulations and security threats. It is the most frequently updated security framework, with periodic updates and annual audit revisions. This means that those who follow the HITRUST CSF (Common Security Framework) must work continuously to keep their protections current.

Some large payers require HITRUST. On February 8, 2016, five major healthcare payers notified their business associates that compliance with the HITRUST CSF would be expected within two years. As a result, companies must consider “what HITRUST entails” and “what changes need to be made to achieve and maintain certification.”

HITRUST Certification has the strictest requirements for high-risk data, so an entity that holds it can demonstrate that it is a leader in compliance, with the certification to back that up.

Is HITRUST worth it?

HITRUST Certification won’t be easy.

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority may be unprepared and caught off guard. This is due to the fact that many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but a third party must also audit them before being approved, and they must be recertified every other year.

Several businesses are taken aback by the HITRUST certification. Why?

  • Firstly, the cost of assessment and assessor services is high. Budgets are often tight, and data protection can already be a substantial investment; the cost may be too steep for small and medium enterprises, so HITRUST is perceived as more expensive. For larger enterprises, HITRUST Certification can be seen as an investment rather than an expense.
  • Many customers are hesitant to invest in HITRUST because they fear failing the assessment.
  • A company choosing to get HITRUST certified must first adopt the HITRUST CSF (Common Security Framework), which is updated regularly and exists in multiple versions. You need to stay on top of each update and use the right protocols and technologies to apply it effectively. This can be a daunting task for many companies.
  • An assessment may include up to 400 control criteria and take up to 8 weeks, depending on the scope and complexity of the company. This can be severely time-consuming.

The HITRUST Certification Fee


If you’re looking for a ballpark figure, the best guess is $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is of little use for planning your own budget.

It depends on the assessment’s reach and the organization’s size, the state of its information system, and the steps taken to plan for a HITRUST assessment.


What exactly is included in this price?

Costs directly related to:

– Access to the HITRUST MyCSF® portal and its services

– Taking and scoring a readiness assessment

– Conducting a gap analysis, then administering and scoring a validated assessment

Indirect costs incurred as a result of:

– Employee time spent on participation

– Security data recording and updating

– Initial setup

– Developing corrective action plans and remediation initiatives

– Assistance in locating and submitting necessary documents

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three categories of safeguards required by HIPAA regulations, the 12 PCI DSS requirements, COBIT’s five domains and 37 processes, and the 80-100 controls included in a SOC 2 audit.

The HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and compliance program, which is one of the most tangible benefits of the framework. It combines information management, financial services, technology, and healthcare standards. As a result, businesses can streamline their compliance processes, resolve security concerns across all these areas, and reduce the time and expense of maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control must be assessed using the HITRUST Maturity Model, which has five levels.

The HITRUST CSF certification process covers much more ground than any other security evaluation. In most cases, 2,000-2,500 separate data points are examined. Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope.


The HITRUST CSF was created to give compliance programs more structure and continuity. Recent enhancements have also improved scoring consistency over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved in its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program and work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. They must complete a training course, pass an exam, and retain certification through regular refresher courses. Through this assurance program, HITRUST helps organizations ensure that the evaluation and certification process is accurate.

Can you have a data breach after a HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts questioned what it meant to be HITRUST certified at all, given the scale and sheer magnitude of the numbers.

HITRUST Alternatives

The HITRUST CSF is a certifiable and widely accepted security framework with a list of prescriptive controls to demonstrate HIPAA compliance. However, as alternatives to HITRUST, several SMEs comply with other security governance frameworks such as the NIST (National Institute of Standards and Technology) Cybersecurity Framework, HIPAA, SOC Reports (SOC 1, 2, and 3, Type 1 and Type 2), and ISO 27001 Certification.

The NIST Cybersecurity Framework is a set of voluntary guidelines and processes that companies use to reduce the risk of a cybersecurity threat. It aims to improve security and resiliency through 108 security controls that an organization implements to achieve NIST compliance.

Many HIPAA requirements may not be understood in accordance with their intended objectives. HITRUST aims to provide an integrated and holistic approach to demonstrate compliance with HIPAA security requirements.

HIPAA is a federal law with national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Based on the certification goals and requirements of our clients, we offer alternative frameworks: NIST, ISO 27001 or SOC 2 certifications. Different certifications involve different costs and levels of effort, so it is imperative to consider your size, requirements and budget before you seek certification. If your company falls under a broad range of industries or comes under a regulated industry, SOC 2 may be the best option. If your company processes electronic health information, HITRUST may be the better option.

Talk to us to understand which certification category fits your organization and to learn more.

About databrackets

databrackets’ certified privacy and security professionals can help your organization comply with a range of certifications and regulations that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDFS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

American Association for Laboratory Accreditation (A2LA) has accredited databrackets for technical competence in and compliance with the Inspection Body Accreditation Program.

databrackets has been accredited by the American Association for Laboratory Accreditation (A2LA) as a Cybersecurity Inspection Body for ISO/IEC 17020:2012 under Certificate Number 5998.01.

The Cybersecurity Inspection Body Program accreditation provides added trust and assurance in the quality of assessments performed by databrackets. A2LA’s third-party accreditation offers an independent review of databrackets’ compliance with ISO/IEC 17020 (Requirements for the operation of various types of bodies performing inspections) as well as its competence in the technical program requirements for the desired scope of accreditation (i.e. SOC 2, HIPAA/HITECH, PCI, etc.).

databrackets received accreditation from the International Accreditation Service (IAS) to provide ISO/IEC 27001 Certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, read here.

Prepare for California Consumer Privacy Act (CCPA)

Learn what the California Consumer Privacy Act is and what it means for your business, as well as figure out what you can do to adjust for it.

California Consumer Privacy Act

California Consumer Privacy Act (CCPA) offers California consumers control over their personal information, data privacy rights, and the right to know, delete, or opt-out of the sale of personal information collected by businesses.

Definition of CCPA

CCPA is a state-wide data privacy law that regulates how businesses may handle the personal data of California residents. It was introduced on January 1, 2020, and is the first law of its kind in the United States.


Who is covered under CCPA?

Any for-profit entity that does business in California and collects, sells, or shares consumer data and:

– Has annual gross revenue exceeding $25 million, or

– Possesses the personal information of 50,000 or more consumers, or

– Earns more than half of its annual revenue by selling consumers’ personal information


How does the regulation work?

Under the regulation, Californians are allowed to sue companies for failing to prevent data breaches and the misuse of personal data. Californians can also opt out of sharing their data with companies under the regulation.


CCPA requirements

To comply with CCPA, one has to:

– Identify and classify data assets

– Find out where CCPA personal information is located and stored

– Determine the risky data and check access permissions

– Locate personal data that is stale

– Adjust required permissions

– Deploy role-based access controls

– Delete stale personal data

– Monitor personal data against threats

– Review data permissions continually

– Adjust protocols against cyber threats

– Organize relevant data
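The list above is a procedure, so here is a worked example of the middle steps (classify personal information, locate stale data, check access permissions against a role-based policy, and turn the findings into delete/restrict actions). This is an added example, not databrackets' code or tooling; the inventory, field names, role policy and retention window are constructed assumptions standing in for what a real data-discovery export would provide.

```python
"""Added example (not from the databrackets post): a small audit over a
constructed inventory of personal-data records that applies several of the
CCPA steps listed above. Every name, field and record below is an assumption."""
from datetime import date, timedelta

# Assumed classification: which fields count as CCPA personal information.
PERSONAL_FIELDS = {"email", "phone", "home_address", "ssn_last4", "ip_address"}

# Assumed role-based policy: the personal fields each role may read.
ROLE_POLICY = {
    "support": {"email", "phone"},
    "billing": {"email", "home_address"},
    "analytics": set(),          # analytics gets no raw personal fields
}

RETENTION_DAYS = 365             # assumed retention window
AUDIT_DATE = date(2024, 2, 1)    # assumed "today" so results are reproducible

# Constructed sample inventory (not real data): record id, fields held,
# date of last access, and the roles granted read access.
INVENTORY = [
    {"id": "c-1001", "fields": {"email", "phone", "plan"},
     "last_access": date(2023, 11, 2), "roles": {"support"}},
    {"id": "c-1002", "fields": {"email", "home_address", "ssn_last4"},
     "last_access": date(2021, 3, 15), "roles": {"billing", "analytics"}},
    {"id": "c-1003", "fields": {"plan", "ip_address"},
     "last_access": date(2024, 1, 20), "roles": {"analytics"}},
]


def personal_fields(record):
    """Classify: the subset of a record's fields that are personal information."""
    return record["fields"] & PERSONAL_FIELDS


def find_stale(inventory, today, retention_days=RETENTION_DAYS):
    """Locate records holding personal information that have not been
    accessed within the retention window; these are deletion candidates."""
    cutoff = today - timedelta(days=retention_days)
    return sorted(r["id"] for r in inventory
                  if personal_fields(r) and r["last_access"] < cutoff)


def find_overbroad_access(inventory, policy=ROLE_POLICY):
    """Check permissions: (record id, role, fields) wherever a role can read
    personal fields that the role-based policy does not grant it.
    A role missing from the policy is treated as having no entitlement."""
    findings = []
    for r in inventory:
        for role in sorted(r["roles"]):
            excess = personal_fields(r) - policy.get(role, set())
            if excess:
                findings.append((r["id"], role, sorted(excess)))
    return findings


def build_action_plan(inventory, today):
    """Turn the findings into the actions the CCPA list calls for:
    delete stale personal data and adjust over-broad permissions."""
    return {
        "delete": find_stale(inventory, today),
        "restrict": find_overbroad_access(inventory),
    }


if __name__ == "__main__":
    for action, items in build_action_plan(INVENTORY, AUDIT_DATE).items():
        print(f"{action}: {items}")
```

The same three functions work unchanged on a larger inventory or a richer role policy; the point is that "check access permissions" and "locate stale data" become repeatable checks that can run on a schedule, which is what the later item "review data permissions continually" requires.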


Consequences and Penalties for violations

There are two types of penalties for violations:

– Civil penalties

– Private Right of Action

Civil penalties

Civil penalties for CCPA violations include:

– $2,500 per non-intentional violation

– $7,500 per intentional violation

Any business that cures its noncompliance within 30 days of being notified does not need to pay the penalties. However, some noncompliance cannot be cured.

Private Right of Action

– $100 to $750 per customer per incident, or actual damages, whichever is greater

– Relief that courts deem to be proper

– Declaratory or injunctive relief


Benefits and drawbacks of CCPA

Benefits:

– Greater transparency from companies

– Customers have the right to know about all data collected about them and can request this data for free twice per year

– Customers have the right to opt out of having their data sold

– Customers can request that their data be deleted, can sue companies if their data is stolen, and can stand against identity theft

– Businesses gain the competitive advantage that compliance brings

Drawbacks:

– Regulatory compliance with CCPA means businesses need to do more work to ensure compliance

– CCPA can be costly to businesses

– Customers can request that businesses either completely delete their data or keep all of it, an all-or-nothing choice that is not always what the customer wants


Best Practices for Complying with the CCPA

The best practices for CCPA compliance are:

– Create an internal privacy framework that lays out how you will comply with CCPA

– Do more with less data by minimizing the data you collect, store, use and transmit

– Automate compliance with tools for data mapping, data protection and consent management

– Be specific about your internal and external privacy posture

Additional Resources for Further Investigation

Refer to the original CCPA text for additional details about the CCPA regulations.



Conforming to CCPA standards does not have to be a hassle. Databrackets is here to help. Our experts and consultants can provide a cost-effective CCPA readiness assessment, so you can focus on profitability rather than spending your time learning the ins and outs of CCPA. Schedule a consultation with us today!

What do you need to know about SOC 2 certification?


SOC 2 Certification

SOC 2 (System and Organization Controls) compliance can encompass everything from how your system runs, how you update job descriptions, and how customer data is stored in the cloud, to how you onboard new hires.

SOC 2 certification gives your customers confidence that you secure your data and protect their privacy at all costs. It is no wonder that SOC 2 certification has emerged as one of the most sought-after standards. It is an auditing procedure that is unique to each organization but essentially requires compliance with one or more trust principles, and it is administered by the AICPA.

SOC 2 certification trust principles

The SOC 2 certification process includes criteria for managing customer data based on security, availability, processing integrity, confidentiality, and privacy.

  • Security – deals with how the system is protected against unauthorized access and theft
  • Availability – deals with the accessibility of the organization’s systems, services, and products
  • Processing Integrity – deals with whether the system processes data correctly to achieve its intended goals
  • Confidentiality – deals with the protection of the organization’s intellectual property and other confidential information
  • Privacy – deals with the collection, usage, storage, retention, disclosure, and disposal of customer data


SOC 2 Certification Process

The SOC 2 certification process involves the following steps:

  • Decide the trust principles that you need to audit

The mandatory criterion for SOC 2 certification is security. The other trust principles are identified after collaboration with stakeholders.

  • Pick the right report

There are two types of SOC 2 audit reports: Type 1, which describes whether a system’s design meets the trust principles, and Type 2, which tests the operating effectiveness of the system’s controls against the trust principles. Pick the report that meets your needs.

  • Define the scope

Determine what you will test for and why. The scope usually depends on your reason for carrying out the audit, i.e. whether you are seeking certification for vendor management, internal corporate governance, or regulatory oversight.

  • Carry out self-assessment

Self-assess your system against the chosen trust principles before hiring professionals to carry out the formal audit.

  • Undergo a formal SOC 2 audit from a Certified Public Accountant (CPA)

A typical SOC 2 audit is carried out by a CPA through employee interviews and a review of paperwork, screenshots, or logs.

  • Receive a SOC 2 report

The final step in the SOC 2 certification process is getting the final SOC 2 report that measures how well your system stands against the set security standards.


SOC 2 Certification Checklist

Before you start the SOC 2 certification process, there are a few things which you can follow regularly to make the process smoother:

  • Create an organizational culture of security
  • Revoke the access rights of former employees
  • Manage the access rights of current employees by creating users with unique access rights, centralizing user management, and monitoring user access
  • Follow data retention best practices according to industry standards
  • Automate and document every change by using the centralized logging facilities provided by cloud solutions, version control systems like GitHub, or ticketing systems like Jira
  • Implement correct procedures to deal with common vulnerabilities and exposures
  • Create policies and procedures based on industry best practices, and follow them to the letter
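Two of the checklist items above (revoking former employees' access, and giving every user a unique account while monitoring access) are the kind of control a SOC 2 auditor asks for evidence of. The following added example, which is not databrackets' code, shows one way to produce that evidence: reconcile an identity-provider account export against the HR roster. The roster, the account export, its field names and the employee ids are all constructed assumptions; in practice they would come from your HR system and your identity provider.

```python
"""Added example (not databrackets' code): an access-rights review that
reconciles an identity-provider account export against the HR roster.
All records, ids and field names below are constructed assumptions."""
from datetime import date

# Constructed HR roster: employee id -> status and leaving date (None if active).
HR_ROSTER = {
    "e100": {"status": "active", "left": None},
    "e101": {"status": "terminated", "left": date(2024, 1, 5)},
    "e102": {"status": "active", "left": None},
}

# Constructed account export (assumed schema). "owner" is the employee id the
# account belongs to; None marks an account not tied to a single person.
ACCOUNTS = [
    {"user": "alice", "owner": "e100", "enabled": True,
     "last_login": date(2024, 2, 1), "groups": {"engineers"}},
    {"user": "bob", "owner": "e101", "enabled": True,
     "last_login": date(2024, 1, 20), "groups": {"engineers", "admins"}},
    {"user": "carol", "owner": "e102", "enabled": True,
     "last_login": date(2024, 2, 2), "groups": {"finance"}},
    {"user": "ops-shared", "owner": None, "enabled": True,
     "last_login": date(2024, 2, 2), "groups": {"admins"}},
    {"user": "dave", "owner": "e999", "enabled": True,
     "last_login": date(2023, 12, 1), "groups": {"engineers"}},
]


def former_employee_accounts(accounts, roster):
    """Enabled accounts whose owner is terminated in HR or missing from HR
    entirely. Both should be disabled: an orphaned account has nobody
    accountable for it."""
    flagged = []
    for acc in accounts:
        if not acc["enabled"] or acc["owner"] is None:
            continue
        person = roster.get(acc["owner"])
        if person is None or person["status"] != "active":
            flagged.append(acc["user"])
    return sorted(flagged)


def shared_accounts(accounts):
    """Accounts not tied to a unique person; these break per-user accountability."""
    return sorted(acc["user"] for acc in accounts if acc["owner"] is None)


def logins_after_departure(accounts, roster):
    """Monitoring check: (user, days) for any login recorded after the owner's
    leaving date. This is what an auditor asks about when revocation was late."""
    findings = []
    for acc in accounts:
        person = roster.get(acc["owner"])
        if person and person["left"] and acc["last_login"] > person["left"]:
            findings.append((acc["user"], (acc["last_login"] - person["left"]).days))
    return findings


def access_review(accounts, roster):
    """Combine the three checks into one review report."""
    return {
        "disable": former_employee_accounts(accounts, roster),
        "replace_with_named_accounts": shared_accounts(accounts),
        "investigate": logins_after_departure(accounts, roster),
    }


if __name__ == "__main__":
    for finding, items in access_review(ACCOUNTS, HR_ROSTER).items():
        print(f"{finding}: {items}")
```

Running the review on a schedule, and keeping each report, turns the checklist item into an operating control with a record behind it, which is exactly the difference between a Type 1 and a Type 2 audit.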


SOC 2 Certification Cost

The typical cost of SOC 2 certification for a Type 1 report is 15,000 to 20,000 USD, while a Type 2 report can range from 25,000 to 30,000 USD.


Why SOC 2 Certification?

SOC 2 certification is on the verge of becoming the most sought-after certification because of customer demands. Customers need proof that you protect your data from unauthorized access and theft. Additionally, in the long run, the price of SOC 2 certification is small when compared with the cost of a breach (average $3.86 million). SOC 2 can serve as a protective measure that makes your organization more secure, hence avoiding costly breaches.

Needless to say, SOC 2 certification gives you a competitive advantage, peace of mind, and valuable insights into your organization’s security. This is why large companies like AWS, Microsoft, and others are SOC 2 certified. Getting SOC 2 certified is difficult, but the burden does not need to fall on you.

Databrackets can come to the rescue, and relieve you of the hassle of SOC 2 certification. We have certified security and privacy professionals who work in collaboration with partner CPA firms to help you meet your compliance needs with ease and with lower costs. Schedule a consultation with us today!