If you’re thinking about embarking on your HITRUST Common Security Framework (CSF) certification process, you’re probably wondering how much it’ll set you back. It’s an important consideration and, frankly, may force a decision not to certify your organization’s security controls against the HITRUST CSF.
I think it’s critical to make the case for an informed decision for HITRUST certification. Whether you decide to get HITRUST certified or not ought to depend on many factors, one of which is the direct and indirect HITRUST certification costs.
In this article, I’ll outline some projected costs and strategic considerations for obtaining HITRUST certification. Ultimately your organization will determine whether or not the certification process is right for it, but you’ll be armed with the information you need to set your case up for success.
- Overview of HITRUST Certification
- Factors that Affect HITRUST Certification Costs
- Breakdown of HITRUST Certification Costs
- Real-Life HITRUST Examples
- Tips for Reducing HITRUST Certification Costs
- Costs of HITRUST Certification vs Benefits
- Find the Right HITRUST Consultancy Fast
Overview of HITRUST Certification
The HITRUST Common Security Framework is one of the few certifiable security frameworks in existence. What that means is that there’s a governing body, the Health Information Trust Alliance, that sets standards to manage information security risks via the HITRUST CSF and provides oversight over compliance with those security controls. In short: when you achieve HITRUST CSF certification, it means that you’ve been independently verified and validated to have a certain level of security and data protection in place within the certified environment.
Originally, HITRUST CSF certification was geared toward the healthcare industry to show a certain level of safeguards over Protected Health Information. The main selling point of the HITRUST CSF was that compliance with it could be certified, while Health Insurance Portability and Accountability Act (HIPAA) compliance could not be. (See our article on HIPAA vs HITRUST for more.)
HITRUST CSF certification is more than that, though. It’s a proven effective tool not just for healthcare organizations but for all organizations. The HITRUST CSF contains crosswalks to other industry-standard security frameworks and is one of the few certifiable frameworks available to all industries.
Factors that Affect HITRUST Certification Costs
There are a few scoping factors that can impact HITRUST CSF certification costs. I’ll cover some here, but this isn’t intended to be a comprehensive list. There may be other factors that impact your costs to obtain HITRUST certification.
Factor #1: Organizational Size
It seems obvious to say that the larger the organization, the more expensive the cost of HITRUST certification. There’s not always a 1:1 correlation there, but largely that’s the case. If your organization is larger, the infrastructure or processes you’re looking to certify will likely be more expansive. More controls will also apply to your organization.
That being said, if you can minimize the breadth of application of the HITRUST framework, say by isolating the certifiable environment, you can minimize the costs to obtain certification.
Factor #2: Infrastructure Size
As highlighted under Factor #1, your infrastructure is the target of HITRUST CSF certification. The less you have to evaluate, the lower the direct costs.
If you have a small environment to begin with, then the HITRUST assessment will be less expansive and therefore less expensive. If you can isolate the certifiable environment from a larger environment, then you may also be able to mitigate costs.
If, however, you cannot isolate the environment to be certified either logically or physically, then the scope of the assessment may be significant. The question I like to ask is: will a security breach in one part of the environment directly impact another? Where the answer is “yes,” you’re looking at a potentially expansive assessment process and scope.
You should also note that when the answer is “no,” that doesn’t mean you’ll automatically be able to restrict scope. Ultimately, you and your assessment vendor will need to agree on an appropriate scope to meet your needs.
Factor #3: Sensitive Data Stores
If you want to get HITRUST certified, you probably have one or more sensitive data stores. You may be one of many healthcare vendors working for one or more healthcare providers who handle protected and private health information. You may be a provider who exchanges personal health information or otherwise handles protected health information on the order of thousands or millions of records a year. You may also be a financial institution, government contractor, or SaaS solution provider that has an interest in protecting sensitive data.
The volume and scope of your sensitive data stores may define the size of your covered infrastructure. If you choose to include some but not all of those sensitive data stores and their downstream processing infrastructure in scope, you may be left with customers asking why you’re not evaluating your entire environment.
Factor #4: Essentials Assessment
In January 2023, the HITRUST Alliance launched the HITRUST e1 Essentials assessment. The purpose of the HITRUST e1 assessment is to provide a measure of baseline security controls against the HITRUST certification requirements expressed in the HITRUST standards. It evaluates organizational information security controls in 44 different control areas to give an expectation of organizational security posture.
This can be run as a first step in the journey towards HITRUST CSF certification. It can be run as a self-assessment, and frankly, that’s what I’d recommend. You want to understand what the HITRUST CSF framework is before proceeding too far down the path of HITRUST assessments, and a self-assessment gives you the ability, at your own pace, to learn about the HITRUST controls and think about scalable security controls that will help with subsequent security assessments.
Even if you decide at this point that HITRUST certification is too much and you don’t want to get HITRUST certified, going through the HITRUST e1 assessment process can be helpful for security programs. Even meeting the baseline Common Security Framework controls will provide a level of risk management and data security that may not have been present before, and according to the HITRUST website, provides a good starting point to meet evolving consumer expectations with respect to security risks.
Factor #5: Readiness Assessment
Whether or not you conduct a Readiness Assessment may expand either your direct costs or indirect costs. Also known as a HITRUST i1 assessment, the Readiness Assessment can be performed before the HITRUST CSF Validated Assessment, also known as the HITRUST r2 assessment.
The HITRUST Readiness Assessment (sometimes called a HITRUST gap assessment) covers the same scope as a validated HITRUST assessment and benchmarks HITRUST compliance against the full HITRUST framework. It’s a great opportunity in a lower-pressure environment to benchmark how HITRUST-compliant you are and gather any necessary documentation as evidence for your certification.
The difference is that the HITRUST i1 Readiness Assessment can be performed as a self-assessment. The great thing about that is that a self-assessment doesn’t really have a direct cost in terms of dollars. It does, however, have a direct cost in the form of time and indirect costs in staff salaries. That being said, it helps build expertise internally on the same rigorous process that will be used during the HITRUST r2 validated assessment.
You can run a readiness assessment with a HITRUST external assessor in lieu of a self-assessment. The benefit is that you can hire a firm that’s done these kinds of risk assessments before to gauge your security compliance. The downside is that you’re essentially paying twice for HITRUST assessments: once for the i1 Readiness Assessment and again for the r2 Validated Assessment.
Factor #6: Physical Presence
The HITRUST CSF is broken down into levels depending on the volume of business, number of records, or number of beds (harking back to its healthcare industry foundations). For healthcare institutions looking to become HITRUST CSF certified, one or more comprehensive on-site audits are a significant portion of the cost of certification. Some vendors will leverage sampling, while others may want to perform on-site evaluations for all major care sites.
Depending on which level you fall into and why, your physical presence will impact the cost of your certification process. For example, if you’re in the manufacturing sector, then you may be required to have on-site inspections of manufacturing facilities. If you’re entirely digital and remote, then you don’t have a physical presence to evaluate, and assessors likely won’t visit staff homes.
Factor #7: Level of HITRUST Compliance
One of the reasons you perform a HITRUST CSF e1 or i1 assessment is to see how many controls you comply with before embarking on the formal HITRUST CSF r2 Validated Assessment. When you progress to the HITRUST CSF r2 assessment, you have 90 days to provide evidence to support that you’re HITRUST compliant.
In that way, the three HITRUST assessments build on each other and set you up for success. That also means a substantial investment of both money and time in improving your risk management and information security programs to align with what’s required for HITRUST CSF certification. Still, if you’re serious about HITRUST CSF certification, you’re already resigned to making that investment. That investment, in turn, will pay dividends in quality security and data risk mitigation.
Breakdown of HITRUST Certification Costs
Most organizations are looking at spending tens of thousands to low hundreds of thousands of dollars on a HITRUST external assessor to conduct the HITRUST certification process.
Predicted HITRUST costs can vary widely depending on how much each of the listed cost factors (and others) comes into play.
Your HITRUST certification process can be very inexpensive if you’re a small digital healthcare industry service provider with a remote workforce and a slim presence in the cloud. In that case, there’s not a lot on your HITRUST compliance checklist and you’ll likely be able to demonstrate HITRUST compliance without a lot of effort.
Conversely, you could be a multinational healthcare industry player with healthcare organizations on most continents, healthcare executives in as many, and numerous actionable compliance programs managing against hundreds of laws to maintain information security and privacy compliance. In that situation, you may be pursuing one or more validated assessments to the tune of millions of dollars to become a certified HITRUST organization.
The journey to get HITRUST certified can cost tens of thousands to millions of dollars depending on size, scope, and the maturity of risk management and information security controls. From what I’ve seen in the healthcare industry, millions of dollars would be a substantial outlier.
Real-Life HITRUST Examples
There aren’t a lot of direct examples of what it costs to become HITRUST CSF certified. A lot of times, organizations don’t want to make their HITRUST CSF Validated Assessment process public. That includes negotiated terms, the assessment process itself, and the findings.
The negotiation terms can be covered by a non-disclosure agreement or legal privilege. In the former case, the negotiation terms (money and obligations) can provide a competitive advantage for the organization or the assessor. In the latter case, the contents of the scope of the assessment and assessment itself can become relevant in litigation based on identified gaps.
Consequently, organizations typically disclose little more than the fact that they are HITRUST CSF-certified. They may also, under certain circumstances, disclose some of the gaps they have.
Unfortunately, that means there’s not a lot of real-world data on the costs of becoming HITRUST certified and what the HITRUST compliance journey looks like outside of assessment vendor representations and articles like this that generically speak to the process and costs.
Tips for Reducing HITRUST Certification Costs
If you want to become HITRUST CSF certified, you’ll want to engage multiple vendors as part of your requisition process. Each will have a different approach to its Validated Assessment of HITRUST compliance, some of which may work better for your organization than others.
You’ll also be able to compare costs. Typically, the cost will be structured as a flat fee with hourly rate supplements. Those supplements could be individual by title or blended. While you may be forced to go with the cheapest option, I’d recommend also considering the scope of the assessment and quality of post-audit support as part of the selection process.
Pay close attention to the scope of the Validated Assessment to ensure it accurately matches what you intend to have HITRUST CSF certified. You may not want onsite walkthroughs if you have a fully remote workforce. Alternatively, you may not want to include infrastructure isolated from the infrastructure you hope to certify in the Validated Assessment.
Costs of HITRUST Certification vs Benefits
HITRUST certification tells your Board, Executive Leadership Team, Partners, and Clients that you’ve achieved a verifiably high level of security and risk management. There are few other tools that will accomplish the same goals, and certainly none without a substantial amount of additional context and information.
Not being HITRUST certified may complicate certain relationships, especially as Third Party Risk Management, or TPRM, quickly grows as a domain. You may be asked to answer questionnaires or provide information to support your compliance representations. HITRUST certification won’t completely obviate that, but will let you reference a certification that likely meets most objectives of an industry-standard TPRM risk assessment.
That being said, you don’t strictly need to be HITRUST certified. No law or regulation requires it, though compliance with many can be supported by it.