Is HITRUST Worth The Investment?


HITRUST is a non-profit organization that helps the healthcare industry control data protection standards. It’s similar to HIPAA, but instead of being written and implemented by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI-like enforcement system for businesses to adopt.


Why is HITRUST important?

For a variety of reasons, HITRUST is critical to the healthcare industry:

In the United States, HITRUST is the most widely used security framework in the healthcare industry. It sets an industry-wide standard for handling Business Associate compliance.

HITRUST is updated daily. The framework is kept current so that healthcare organizations stay up to date on new regulations and security threats; it is the most frequently updated security framework in use, with periodic updates and annual audit revisions. Organizations that follow the CSF are therefore continually working to keep their security at its maximum.

Some large payers require HITRUST. On February 8, 2016, five major healthcare payers assured their business associates that they would comply with the HITRUST Common Security Framework within two years. As a result, companies must consider “what HITRUST entails” and “what changes will we need to make to achieve and maintain certification.”


Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. By comparison, HIPAA regulations require three categories of safeguards, PCI DSS has 12 compliance requirements, COBIT has five domains and 37 processes, and a SOC 2 audit covers 80-100 controls.

The fact that HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and compliance program is one of the most tangible benefits of the framework. It brings together information management, financial services, technology, and healthcare standards. As a result, businesses can streamline their compliance processes, resolve security concerns across all sectors, and reduce the time and expense of maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control is assessed using the HITRUST Maturity Model, which has five levels.

Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope. In most cases, 2,000-2,500 separate data points are examined. The HITRUST CSF certification process covers far more ground than any other security evaluation.


The HITRUST CSF system was created to give compliance programs more structure and consistency. Recent enhancements have also sought to increase scoring accuracy over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved as part of its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program, and they must work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. HITRUST CCSFPs have extensive IT compliance and auditing experience. To become accredited, they must complete a training course, pass an exam, and then retain their certification through regular refresher courses. Through this program, HITRUST helps organizations by providing qualified personnel and ensuring that the evaluation and certification process is accurate.


The HITRUST Certification Fee


If you’re looking for a ballpark figure, the best guess is $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is of little use for budgeting in your business.

It depends on the assessment’s scope, the organization’s size, the state of its information systems, and the steps taken to prepare for a HITRUST assessment.


What exactly is included in this price?

Direct costs related to:

Access to the HITRUST MyCSF® portal and services,

Conducting and scoring a readiness assessment, and

Conducting a gap analysis, and administering and scoring a validated assessment.

Indirect costs incurred as a result of:

Employee time spent on participation,

Security data recording and updating,

Initial setup,

Developing corrective action plans and remediation initiatives,

Assistance locating and submitting necessary documents, and

Other services provided by the HITRUST Approved External Assessor.

HITRUST Certification won’t be easy

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority will be unprepared and caught off guard. Many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria; a third party must also audit them before they are approved, and they must be recertified every other year.

Have there been breaches after HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts did question what it meant to be HITRUST certified, given the sheer scale of the numbers involved.

Is HITRUST worth the investment?

When it comes to HITRUST certification, several businesses are taken aback by the cost. In reality, one of the most common gating factors is the cost of assessment and assessor services. From an investment point of view, the importance of HITRUST certification becomes more evident when it is viewed as a medium- or long-term commitment. Still, one must also assess the cost to your business and think about the returns.

Many customers are hesitant to invest in HITRUST because they are afraid of failing. It is not, however, a pass/fail situation.

When considering HITRUST CSF® certification, one of the first questions small and mid-sized companies ask is “how much will it cost?” It’s a serious concern, and a well-founded one. Budgets are often tight, and data protection is an important investment. The resources and time required for certification can be substantial.

When clients ask for HITRUST® certification in a specific time period, the advice given is “take it slowly”.

The cost might be too steep for small and medium enterprises, and HITRUST might be perceived more as an expense. For larger enterprises, HITRUST Certification could be seen as an investment rather than an expense. So, it depends.

So, what about the SMEs? Are there no alternatives?

HITRUST certification, according to some security experts, is no guarantee of a strong security posture. They also point out that businesses should consider a variety of other viable security frameworks.

As alternatives to HITRUST, several other organizations offer security governance frameworks, such as the National Institute of Standards and Technology (NIST) frameworks, SOC reports (SOC 1, 2, and 3, Type 1 and Type 2), and ISO 27001 certification.


databrackets certified privacy and security professionals can help your organization comply with a range of certifications and compliance programs that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing, FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDFS Cybersecurity Series, ISO 17020, and ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

databrackets is accredited to ISO/IEC 17020 by the American Association for Laboratory Accreditation (A2LA) for Cybersecurity Inspection Body Program (Certificate Number: 5998.01).

databrackets received accreditation from the International Accreditation Service (IAS) to provide ISO/IEC 27001 certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.


Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks


Many organizations are turning to certification authorities and security standards/frameworks to demonstrate adherence to privacy and security best practices for customer data, compliance with regulatory bodies, and trust with partners and customers. There are several standards, frameworks, and guidance documents that help organizations bring a structured approach to cybersecurity.

databrackets, with the help of its partners and consultants, has compiled the important security standards/frameworks in the industry based on practical considerations for adopting them. We also pulled some data from Google Trends to understand more about customers’ interest in compliance/cybersecurity standards:

Figure: Google Trends search interest in different security standards/frameworks


A quick summary of each of the standards/frameworks used in our comparison:

NIST Security Guidelines: NIST security standards are based on best practices from several security documents, organizations, and publications, and are designed as a framework for federal agencies and programs requiring security measures. In addition, several non-federal agencies are adopting these guidelines to showcase the adoption of authoritative security best practices guidelines.

ISO 27001: ISO 27001, by contrast, is a less technical, more risk-based standard for organizations of all shapes and sizes. ISO/IEC 27001 is widely known for providing the requirements for an information security management system (ISMS), though there are more than a dozen standards in the ISO/IEC 27000 family. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to them by third parties.

SOC 2 Type 1 or 2: SOC 2 reports cover a service organization’s controls relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy. These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about the controls at a service organization relevant to the security, availability, and processing integrity of the systems the service organization uses to process users’ data, and to the confidentiality and privacy of the information processed by these systems.

FedRAMP: The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to move rapidly from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

HITRUST: HITRUST stands for the Health Information Trust Alliance. HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

Cloud Security Alliance: The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1 offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of Yes/No questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider to ascertain its compliance with the Cloud Controls Matrix (CCM).

Shared Assessments: Shared Assessments provides best practices, solutions, and tools for third-party risk management, with the mission of creating an environment of assurance for outsourcers and their vendors.


NIST Stds, ISO 27001, SOC 2 and Other Framework Comparisons

| Key Features | NIST Standards | ISO 27001 | SOC 2 | Other Standards/Frameworks (including FedRAMP, CSA, HITRUST, Shared Assessments, etc.) | Notes |
|---|---|---|---|---|---|
| Certification | Not Applicable | Yes | Yes | Yes | Need to engage certifying bodies/approved vendors |
| Approach | Control-based | Risk-based | Controls-based | Maps to other standards | Technical and general controls |
| Principle | Control Families | Information Security Management Systems | Trust Services Criteria & Ethics | Depends | Platform-specific controls are not covered by the standards/certification bodies |
| Certification Method | Self Authorized | Third-party Authorized | CPA Firms | Third-party vendors | Certification bodies require accreditation |
| Best Suited For | All | Service Org. | Service/Product Companies | Service/Product Companies | Increasingly, customers/marketplace require some sort of certification |
| Popular in … | US Federal/Commercial | International | US Companies | US | ISO 27001 standard seems to be more popular globally |
| Customer Acceptance | Not Widely Accepted | Preferred | Preferred | Depends | Refer to Google Trends graph: in order of acceptance, ISO 27001, SOC 2, and other certifications |
| Duration | Point-in-time | Point-in-time | 6-month period (Type 2) | Point-in-time | Surveillance audit is in place for most of the certifications |
| Audit Frequency | Not Applicable | Every Year | Every Year to 18 months | Depends | Minimum of 12 to 18 month period |
| Cost | $$ | $$ | $$$ | $$$ | HITRUST certifications cost north of $50k+ |

The above table is a highly simplified representation of many of the standards and may not accurately portray the individual standards/frameworks.

databrackets specializes in assisting organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platform, awareness training, policies and procedures, and consulting expertise, our customers and partners are meeting the growing demand for data security and evolving compliance requirements more efficiently.