With a 320% year over year increase in cyber attacks, the healthcare industry is increasingly a target for hackers. HITRUST CSF is an advanced system of controls created to address the demands for data security in healthcare.
Let's discuss why HITRUST is important, and how much it costs.
Why HITRUST Certification?
From a marketing standpoint, it’s a chance to differentiate yourself. It's a prestigious achievement valued by the industry. Being certified tells potential customers that your information security program is of the highest caliber, and that protected health information (PHI) in your possession will be safe.
In addition, many payers and providers are requiring their vendors to be HITRUST certified, which is why obtaining certification can be crucial for your business growth and can increase your potential for sales.
To be clear, the HITRUST Common Security Framework (CSF) is intellectual property owned by the HITRUST organization. You can download it for educational or research purposes, but you must go through a paid HITRUST certification process if you want to implement the system.
Let’s dive into how much it costs.
First, let’s calculate direct costs. This means the fees to HITRUST and fees to the assessor. At the beginning of the process, the assessor will determine your risk profile based on how you answer around 50 questions focused on your organization and data. Your risk profile will then determine how much time and money HITRUST will cost you.
On the low end, for a small company with a lower-risk profile, the fee to HITRUST will be range from $6K to $15K and the fee to the assessor will be around $30K. On the high end, for larger organizations with a higher risk profile, this will be much higher. The total for direct costs range from about $40K to more than $150K.
Now, let’s talk about indirect costs, such as the opportunity cost of the time and productivity that is lost when employees focus on HITRUST instead of their regular day jobs.
Based on your risk profile, you are going to be required to implement anywhere from 400 controls to over 1,800 controls. Proving compliance with each control will take around 30 minutes to one hour, each, give or take. This means that for a smaller, lower-risk company, HITRUST will require around 200 hours. For a large, higher-risk company, it will require around 1,350 hours. If each employee, focused on HITRUST, gets paid $100 an hour, then the indirect cost of HITRUST, on the low end, is $20K and on the high end it’s $135K.
That means that the total cost of HITRUST for organizations, including direct and indirect costs, ranges from around $60K to over $285K. Keep in mind, you have to get recertified every 2 years, with a mini-assessment scheduled each intervening year.
HITRUST and Public Cloud
If you leverage public cloud infrastructure like AWS and Azure, you can accelerate the HITRUST certification process, because compliance in the cloud is a shared responsibility with the Cloud Service Provider (CSP). The CSP is responsible for ensuring that the infrastructure components are compliant, while you, the cloud customer, are responsible for implementing the HITRUST controls that pertain to securing your data and workloads in the cloud.
Sharing responsibility with the CSP means you can inherit some HITRUST controls. So any policies that pertain to securing the physical data centre become boxes you can automatically check off – drastically speeding up the HITRUST process.
Accelerate Your HITRUST Journey With Cloudticity
The Cloudticity Oxygen™ platform allows you to inherit or partially inherit over 200 HITRUST CSF controls. So let’s say you’re a company with a low-risk profile required to implement 400 controls – the work needed to achieve HITRUST just got cut in half.
Oxygen also helps you save time and money by providing out-of-the-box policy enforcement solutions. This alleviates you of the need to build these solutions yourself or buy expensive tools. This will also help you maintain your compliance posture continuously, making recertification much easier, later down the road.