By Brian Selfridge, Partner, Meditology Services 

Aligning and certifying with the HITRUST CSF is one of the most efficient means of demonstrating compliance and building an effective security program, but like all security initiatives, it comes at a cost that can vary widely across organizations.

There is a magic balance to strike between IT security spend and value that consists of equal parts art and science. Our organization, Meditology Services, has seen many healthcare organizations attempt this journey and have compiled some quick insights that can help your organization limit the cost associated with obtaining HITRUST certification.

With respect to the scientific approach to achieving cost-effective certification, look to engage HITRUST subject matter expertise early in the process. Whether conducting self-assessments or getting external help for formal readiness or gap assessments, it is essential to ask the right questions and collect the appropriate documentation to support certification. All too often, we see organizations getting half way through the process and realizing that they need to double back and rework certain areas to align with expectations of assessing organizations such as HITRUST. Get the Assessors engaged early on with your organization’s HITRUST efforts to avoid burning budget on rework.

Assigning internal resources to the HITRUST certification initiative also proves to be a critical success factor for streamlining the process and reducing spend. Having a reliable internal point of contact involved throughout the process helps to facilitate the interactions among the various control owners, leaders, and assessors. A dedicated point of contact also results in having a team member on staff who is experienced with the HITRUST assessment and certification process to carry the torch after the assessors are gone.

When it comes to the art of saving on certification, be smart about reducing scope to manageable levels to ensure the certification process is both achievable and cost-effective. Limiting scope to key systems, applications, and business units can keep cost under control and demonstrate progress to leadership in a shorter timeframe. It is always possible to circle back at another time and look to certify additional applications or systems in the environment, but showing a quick win at a reduced cost can help to satisfy internal stakeholders and third party business relationships without breaking the bank up front.

Another artful technique is to be prudent in choosing where to spend time, energy, and funds on remediation activities for non-compliant areas. Not every organization needs to procure a quarter million dollar software solution to tackle fundamental security controls. Many areas can be tackled by a combination of low-cost tools, manual processes, and formalized procedures. Look for ways to automate controls over time, but do not let the desire for the latest and greatest tools slow down or add cost to the certification process. Finding an experienced partner that has helped other organizations navigate cost-effective remediation can also save you significantly by benefiting from the successes and mistakes of other entities.

The HITRUST certification process addresses compliance requirements, but is also designed to help organizations build sustainable security and risk management programs. A successful certification assessment should be executed with the objective of not only addressing HITRUST control and documentation requirements, but in such a way that it supports the development of a robust security program that is built to last.

High performing organizations know how to balance the art and science of cost-effective IT security spend. Engage HITRUST subject matter experts early in the process, assign dedicated internal resources, limit scope, and find the right partners to guide you through HITRUST certification quickly and cost effectively.

Brian Selfridge is a Partner with Meditology Services and is responsible for leading the IT Risk Management practice dedicated to providing privacy and security services specifically for the healthcare industry. He has over 13 years of experience including serving as the CISO of a large healthcare provider.