By Tom Glaser, Practice Lead and Security Assessor, RSI Security
“Why did we ask the IT security auditor to cross the road? … Because that's the way we did it last year!”
The value of the framework you choose comes down to determining your Return on Investment. Many organizations have discovered that the value generated by the HITRUST CSF surpasses what other frameworks can deliver. In this blog, we examine the value of a HITRUST Certification to validate how well your security program protects sensitive data.
In response to the increasing challenges of validating security posture, the HITRUST CSF framework is designed to be an assess-once process that addresses the requirements of a wide variety of major security frameworks. While HITRUST may require a greater up-front investment than other frameworks, it addresses multiple compliance requirements making the investment well worth it.
My Key Takeaway Regarding HITRUST: If there is one thing that HITRUST does better than other options, it’s the ability to accelerate through discussions with customers and stakeholders around data security assurances and managing risk. HITRUST brings a level of rigor with a certification that carries a strong reputation. That means when answering information protection inquiries, you can provide the short answer: “We're HITRUST Certified!”
Being HITRUST Certified is extremely beneficial because it allows:
By starting the HITRUST process, you generate an immediate return on your investment—even before you achieve full validation.
NOW THAT YOU KNOW THE VALUE OF A HITRUST CERTIFICATION, let’s address the other side of the ROI equation, which looks at the required investment. Internally, you will need to draw resources from across your organization, including IT staff, compliance and risk management teams, and a person to coordinate the assessment project. Depending on the maturity of your existing program, expect your resource team to put in 20-30 hours per week for up to 2-3 months.
External costs are also a factor, including an outside assessor firm to guide you through the process. In addition, while the HITRUST CSF framework is available for qualifying organizations to download at NO CHARGE, you will need to purchase a HITRUST MyCSF SaaS subscription for processing and reporting, along with a validated assessment credit from HITRUST.
Other direct and indirect costs include the additional tools you may need to meet the standards your security controls will be evaluated against during HITRUST Certification. In many cases, remediation work and additional budget allocation may be required to address identified gaps.
While total costs vary for each organization, there is no doubt that pursuing HITRUST Certification requires a commitment. However, the short-term and long-term benefits of improving information security and satisfying customer assurance requests more than outweigh the costs.
HITRUST offerings include the Basic Current-state (bC) Self-Assessment, the Implemented 1-Year (i1) Validated Assessment, and the Risk-based 2-Year (r2) Validated Assessment. While the bC does not offer a certification, it does provide a strong starting point for implementing HITRUST and buys time for an organization to let stakeholders know they are working towards certification. The i1 provides a good balance of effort and level of assurance for any organization that wants certification but is not prepared, or does not need, to go through the more extensive r2 Assessment. The r2 provides the highest level of assurance for situations with greater risk exposure due to data volumes, regulatory compliance, or other risk factors. Both i1 and r2 offer Readiness Assessments that allow your assessor to help you evaluate your security controls against HITRUST criteria to understand program strength and which gaps you need to remediate.
By using the right HITRUST Assessment along with the CSF framework and the HITRUST Approach, you’re proactively showing how seriously your organization takes information security while addressing information protection across your entire ecosystem. At the same time, you’re creating peace of mind for yourself and internal stakeholders that the organization is doing everything to protect sensitive digital assets. With everyone on edge about the possibility of a data breach and the significant consequences, that’s a priceless Return on Investment!
To get started with HITRUST, eligible organizations are invited to download the HITRUST CSF Free of Charge.
Tom Glaser is Practice Lead and Security Assessor for RSI Security, a trusted advisor firm dedicated to helping organizations achieve cybersecurity risk-management success. Tom has been a technical consultant and information security professional for over 20 years—specializing in compliance and risk analysis. Tom is a member of ISACA and is an expert on a range of common security frameworks, including HITRUST, NIST, ISO 27002, PCI DSS, CIS CSE, HIPAA, and more. His professional certifications include CISA, CISM, HITRUST, PCI, and PMP.