The Cost of HITRUST® Certification: Why It’s Worth It

We hear it all the time. It’s one of the first things that small and mid-sized businesses ask when they are considering HITRUST certification. “How much does it cost?” It’s a big concern, and it’s valid. Budgets are always tight and information security is a critical investment.  

When clients come to us seeking HITRUST® certification in a set time frame, we advise them to approach it gradually. HITRUST certification is absolutely worth it. And when viewed as a long-term goal, rather than a short-term obligation, it is both achievable and more cost-effective. 

IMPORTANT UPDATE: HITRUST Drops the ‘CSF’ and Provides New Certification Options for Businesses.

The Cost of HITRUST Certification 

If you’re looking for a number, my most realistic estimate would be $50,000 – $200,000, not including ongoing costs for recertification. But that range is so wide that it is not very helpful for your organization. In order to make the best financial and operational decision, you are probably looking for a more precise estimate. And of course, you don’t really want to hear the answer, “it depends.” 

Unfortunately, that is true. It depends on the scope of the assessment, as well as the size of the organization, the state of its information system, and the measures it has taken to prepare for a HITRUST assessment. 

What is included in this cost? 

Direct costs for: 

• Access to the HITRUST MyCSF® portal and resources, 
• Performing and scoring a readiness assessment, 
• Carrying out gap analysis, 
• Performing and scoring a validated assessment. 

Indirect costs related to: 

• Employee time involved in engagement, 
• Recording and updating security data, 
• Initial configuration, 
• Developing corrective action plans, and 
• Remediation efforts, 
• Assistance identifying and submitting the necessary documentation, and 
• Other services by the HITRUST Authorized External Assessor. 

Why Does HITRUST Certification Cost More than Other Security Assessments? 

In short, because it is comprehensive, rigorous, and highly reliable.  

Comprehensive 

We regularly see an average of 400 control requirements involved in a single HITRUST assessment, depending on the organization’s risk profile. This is more than the three types of safeguards required by HIPAA rules, the 12 requirements for PCI DSS compliance, the five domains and 37 process covered by COBIT, and the 80-100 included in a SOC 2 audit. 

One of the most tangible advantages of the HITRUST framework is the fact that it combines these, and other, regulatory standards into a single, overarching risk management and compliance program. It combines standards from the information security, financial service, technology, and healthcare industries. As a result, companies are able to streamline their compliance processes, address security issues in all the industries that they operate in, and optimize the time and cost of ensuring compliance with multiple standards. 

Rigorous 

Each one of the controls included in your organization’s assessment has to be documented, analyzed, tested and validated with the help of an authorized external assessor, and reviewed by HITRUST. Plus, each control is evaluated according to the five-level HITRUST Maturity Model. 

I estimate that we spend an average of 1.5 hours per control throughout this process, and the number of controls assessed varies according to the size of the company, risk profile, and scope. We usually look at 2,000-2,500 different data points. When compared to most other security assessments, the HITRUST certification process, simply covers a lot more ground. 

Reliable 

The HITRUST framework was specifically designed to add more structure and consistency for compliance programs. Recent updates have also aimed to further improve scoring consistency among internal and external assessors and over time.  

As part of its commitment to solid assurance, HITRUST also has stringent requirements for the assessor firms and professionals involved. Firms must get approved by HITRUST to carry out assessments and services associated with the HITRUST Assurance Program and they have to work to maintain that status. 

HITRUST Authorized External Assessors, who have the important role of testing and validating security controls, are Certified CSF Practitioners (CCSFP). HITRUST CCSFPs are experienced in IT compliance and auditing, they must complete a training course and pass an exam to become certified, then maintain their certification with annual refresher courses. This is another way that HITRUST provides organizations with trained resources and ensures the assessment and certification process is reliable. 

Certification as an Investment, Not a Cost 

Many organizations get sticker-shock when they first start researching HITRUST certification. In fact, the price often associated with assessment and assessor services is one of the top gating factors. But, that’s really the wrong way of looking at things. If we switch things around, and consider HITRUST certification a medium or long-term investment, and an ongoing process of improvement, rather than a one-time cost, the value becomes clearer. 

Rather than asking what HITRUST certification is going to cost your business, ask “what will we get in return for our investment?”  

Getting on track to HITRUST certification, means investing in a robust, comprehensive risk management program. It means focusing on designing strong policies and procedures, and implementing them effectively. It means getting rid of the overlap of basic steps required for multiple regulatory standards. It means working with knowledgeable, well-trained assessors.  

HITRUST Certification Is Not a Pass/Fail Process.  

So many of our clients are worried about investing in HITRUST and fear failing along the way. But, it’s not a pass/fail situation. The HITRUST Approach is a continual process that promotes ongoing improvement. When first approaching HITRUST, we aim for attainable objectives. First, we might work toward just the readiness assessment. Next, we could tackle a validated assessment. Later on, we could go for certification when that is within reach.  

It’s absolutely possible for an organization that is new to HITRUST to obtain certification in 18 – 24 months. But remember, we can also use smaller assessments as attestation that your company is working towards certification in the meantime. And this could satisfy contractual compliance obligations. 

Save the Date for our New Webinar Coming out in Feb. 2021: HITRUST FAQs. 

Assurance Without Anxiety – I.S. Partners, Certified HITRUST Assessors 

In keeping with our motto, I.S. Partners wants to make the HITRUST certification process easy for you. Contact I.S. Partners to start building a plan for success. 

About The Author

Robert Godard

Robert is a Principal with I.S. Partners, LLC’s Business Process/Advisory Services practice in Horsham, PA. Robert has conducted a variety of Financial Statement Audits for a range of industries such as banking, healthcare, payroll, employee benefit plans (Pension, Health and Welfare), Unions and Construction.

Robert’s specialty is in audits of IT Controls and Infrastructure, Financial Statements, SOC 1 and SOC 2 audits, HITRUST CSF Assessments, Model Audit Rule (MAR), including evaluating business process as well as IT General Controls surrounding the reporting of financial information. He also has experience with analyzing Health Insurance information from AmeriHealth, Blue Cross Blue Shield, Express Scripts and Delta Dental. Additionally, Robert has performed audits for Construction and Special Tax related credits (Historical Tax Credits). He has prior work experience using ISSI, Great Plains and Peach Tree.

Prior to joining I.S. Partners, LLC, Robert was employed with Novak Francella in the Financial Statement Audit division, where he worked as an associate on external audit engagements in accordance with GAAP and DOL requirements.

Robert has a Bachelor of Science degree in Finance and Accounting from LaSalle University, Philadelphia, PA.