With a 320% year-over-year increase in cyber attacks, the healthcare industry is increasingly a target for hackers. HITRUST CSF is an advanced system of controls created to address the demands for data security in healthcare.
Let's discuss why HITRUST is important, and how much it costs.
Why HITRUST Certification?
There are few accreditations valued more in healthcare IT than HITRUST CSF – and few more difficult to achieve. From a business standpoint, it’s a chance to differentiate yourself. Being certified tells the market that your information security program is of the highest caliber. If your business is certified and your competitors are not, you will beat them out 9 out of 10 times. It also provides ease during third-party security approval processes and can accelerate your sales cycles by making the CISO your ally instead of your skeptic.
In addition, many payers and providers are requiring their vendors to be HITRUST certified, which is why obtaining certification can be crucial for your business growth and can increase your potential for sales.
From a compliance perspective, it consolidates compliance activities from multiple regulations that would otherwise be separate tasks. It makes managing HIPAA requirements easier and allows companies to more efficiently stay up to date with the changing regulations.
Let’s dive into how much it costs.
First, let’s calculate direct costs. This means the fees to HITRUST and fees to the assessor. At the beginning of the process, the assessor will determine your risk profile based on how you answer around 50 questions focused on your organization and data. Your risk profile will then determine which HITRUST controls you have to attest to and subsequently how much time and money HITRUST will cost you.
On the low end, for a small company with a lower-risk profile, the fee to HITRUST will range from $6K to $15K and the fee to the assessor will be around $30K. On the high end, for larger organizations with a higher risk profile, both fees will be much higher. The total for direct costs ranges from about $40K to more than $150K.
Now, let’s talk about indirect costs, such as the opportunity cost of the time and productivity that is lost when employees focus on HITRUST instead of their regular day jobs.
Based on your risk profile, you are going to be required to implement anywhere from 400 to over 1,800 controls. Proving compliance with each control will take around 30 minutes to one hour, give or take. This means that for a smaller, lower-risk company, HITRUST will require around 200 hours. For a large, higher-risk company, it will require around 1,350 hours. If each employee focused on HITRUST is paid $100 an hour, then the indirect cost of HITRUST is $20K on the low end and $135K on the high end.
That means the total cost of HITRUST for organizations, including direct and indirect costs, ranges from around $60K to over $285K. Keep in mind that you have to get recertified every 2 years, with a mini-assessment scheduled each intervening year.
How the Public Cloud Accelerates HITRUST
If you leverage public cloud infrastructure like AWS and Azure, you can accelerate the HITRUST certification process because compliance in the cloud is a shared responsibility with the Cloud Service Provider (CSP). The CSP is responsible for ensuring that the infrastructure components are compliant, while the cloud customer is responsible for implementing the HITRUST controls that pertain to securing its own data and workloads in the cloud.
Sharing responsibility with the CSP means you can inherit some HITRUST controls. So any policies that pertain to securing the cloud infrastructure become boxes you can automatically check off – drastically speeding up the HITRUST process.
Accelerate Your HITRUST Journey With Cloudticity
The Cloudticity Oxygen™ platform, our proprietary managed cloud solution, allows you to inherit or partially inherit 357 HITRUST CSF controls. (As mentioned earlier, your HITRUST assessor will determine which controls your company needs to attest to during the risk assessment). So let’s say your company is required to implement 600 controls and you can inherit 300 of those from Cloudticity – the work needed to achieve HITRUST just got cut in half.
Oxygen also helps you save time and money by providing out-of-the-box policy enforcement solutions. This relieves you of the need to build these solutions yourself or procure expensive tools. It will also help you maintain your compliance posture continuously, making recertification much easier down the road.
To learn more about how Cloudticity can help you cut the cost, time and complexity of HITRUST certification, download the white paper, Accelerate & Simplify HITRUST Certification with Cloudticity. Or schedule a free consultation to learn more.