Companies seeking a comprehensive solution to their compliance and cyberdefense needs should look no further than the HITRUST Alliance’s Common Security Framework (CSF). A revolutionary document, the CSF collects the controls from several regulatory frameworks and combines them into a comprehensive infrastructure any company can adopt to improve its defenses. And the first step toward the airtight protections the CSF provides is the HITRUST self-assessment questionnaire. Let’s take a look.
Breakdown of HITRUST Self-Assessment Costs
At the lower end of the cost spectrum, a company may be able to self-assess for as little as $6,250. Access to the required MyCSF tool costs $2,500, and the report itself costs another $3,750. But these are far from the only expenses for most companies.
In the sections below, we’ll break down everything there is to know about all relevant costs, including:
- The immediate sticker prices of self-administered HITRUST CSF security assessment
- Other costs associated with HITRUST self-assessment (compared to external)
- Requirements for full HITRUST CSF compliance, regardless of method
- The ultimate benefits of certification, verification, and compliance
By the end of this blog, you’ll know precisely how much self-assessment costs and what resources and professional assistance are available to you.
HITRUST Self-Assessment Questionnaire Costs
Companies that use internal solutions for HITRUST CSF security assessment can expect to save money compared to companies that use external solutions. But that doesn’t mean internal solutions are cheap.
First and foremost, there are two main direct and immediate prices to consider:
- Subscription to the MyCSF toolkit is required, and it costs $2,500 per 90 days
- Note: the assessment process generally takes well over 90 days to complete, which means you are likely to be on the hook for multiple MyCSF subscription periods
- Submission and scoring of the self-assessment report costs a flat fee of $3,750
In addition, your personnel tasked with HITRUST CSF responsibilities will need to devote most of their working hours to assessment. This means staffing wages are part of the direct costs associated with CSF self assessment.
MyCSF: What Does the Sticker Price Get You?
At a base cost of $2,500 per 90 days, the MyCSF subscription is an expensive direct cost of self-assessment. However, many companies find that the subscription is worth the price regardless of whether the assessment is internal or external. Why?
Your subscription to MyCSF offers features, including:
- Corrective Action Plans (CAPs) for patchwork, centralized for ease of access
- Customized assessments, tailored to your company’s exact needs and means
- Previews and tracking for visibility before, during, and after CSF assessment
- Dynamic respondent questions, aggregating and weighting to your preference
- Powerful data visualization and analytics, easily navigable via user dashboards
- In-depth benchmarking against populations and any other factors you select
- Mapping and reporting across compliance frameworks (HIPAA, HITECH, etc.)
- Quality assurance, including frequent updates to ensure seamless, functional UI
- Robust API and integration with GRC and all other relevant assessment tools
All these tools will help you check every box in your HITRUST self-assessment checklist. Your company can also sign up for a year-long MyCSF subscription for $10,000 if you have fewer than 25 employees or $32,500 if you employ more than 25 individuals.
Other HITRUST Self-Assessment Costs
These direct costs of HITRUST self assessment are relatively high. However, companies also need to factor in several indirect cost vectors related to the time it takes to reach assessment and the potential costs of not making any compliance efforts.
Touched on above, the timeline for CSF compliance can be quite long. According to Healthcare Weekly’s guide to HITRUST Certification, companies can expect to spend about four months to complete everything needed. However, this figure assumes the company is well prepared and ready for assessment. By their count, initial preparation for evaluation can take up to eight weeks, then processing itself can take months to finish, assuming everything goes smoothly.
Across all those weeks and months, the costs of the MyCSF subscription add up, as do the salaries and wages paid for the 400+ hours self-assessment can take.
Another major consideration has to do less with outright costs and more with potential savings. Depending on your industry, you may already need to comply with one or more frameworks that HITRUST encompasses. Neglecting these responsibilities can lead to penalties and huge costs associated with actual cybercrime attacks.
In this light, self-assessment is a bargain, especially compared to external assessment.
Self vs. External Assessment: What’s Right for You?
As expensive as self-assessment can be, third-party assessment from an Authorized External Assessor is typically costlier. For instance, companies can expect to pay anywhere from $60,000 to $150,000, depending on the business’s size and nature.
In some cases, these exorbitant fees are necessary; your company may need to achieve full Verification or Certification, which requires third-party verification. The other primary forms of assessment and compliance, outside of self-assessment, break down as follows:
- Validated Assessment – Submitting a HITRUST CSF Validated Assessment Report leads to HITRUST CSF Verification or 2-year Verification with high enough scores
- Interim Assessment – For Verification to meet its full 2-year term, companies must also complete an Interim Assessment at or before the end of the first year of Certification
- Bridge Assessment – Companies struggling to meet deadlines for recertification, especially due to COVID-19, may extend their window through the Bridge program
Depending on the level of assurance your company requires, you may never need to pay for external validation. If you do, however, you ensure the highest level of security for your personnel, clientele, and all stakeholders.
Requirements for Full HITRUST Certification
Performing a HITRUST self-assessment isn’t enough to grant Certification. Even at the level of self-assessment, reporting on practices is not enough. You need to implement key aspects of the risk management frameworks that constitute the HITRUST approach.
The HITRUST approach to data protection and risk management operates on four cyclical steps:
- Identify and define risks – Implementing comprehensive threat and vulnerability management, including robust third-party risk assessment and root cause analysis
- Specify proper controls – Analyzing data from third-party risks and internal threats, then determining which controls are most apt to resolve conflicts as they arise
- Implement safeguards – Putting proper controls into action, including mobilizing personnel and incident response systems to mitigate attacks and events in real-time
- Assess, report, correct – Auditing systems both at rest and in practice, reporting on gaps and patches, and taking corrective action to prevent and mitigate future risks
The key to accomplishing all four steps is implementing the entire matrix of controls laid out in the HITRUST CSF, v.9.4.1. In total, there are 14 “Control Categories,” distributed into 49 “Objective Names” and then 156 “Control References.” There are also control specifications that apply differently, depending on the company. Let’s take a closer look.
CSF Categories, Objectives, and References
Self-assessment is costly because the requirements for compliance are vast, deep, and varied. Here’s a breakdown of the Categories, Objectives, and References to offer a picture of the complexity:
- Category 0.0: Information Security Management – Requiring oversight, planning, and execution of security systems and programs (one Named Objective, one Control Reference)
- Category 0.1: Access Control Security – Restricting access to information through access credentials and limited sessions (seven Named Objectives, 25 Control References)
- Category 0.2: Human Resources Security – Specifying practices for recruitment, hiring, and maintenance of personnel (four Named Objectives, nine Control References)
- Category 0.3: Risk Management Policy – Defining protocols for threat and risk monitoring, analysis, and mitigation (one Named Objective, four Control References)
- Category 0.4: Security Policy – Providing structure for the development, maintenance, and implementation of security policies (one Named Objective, two Control References)
- Category 0.5: Information Security Organization – Specifying protocols for collection, storage, and analysis of security data (two Named Objectives, 11 Control References)
- Category 0.6: Regulatory Framework Compliance – Defining approaches to fulfilling legally required compliance requirements (three Named Objectives, 10 Control References)
- Category 0.7: Asset Management Security – Defining protocols for personnel, as well as proper classification and maintenance (two Named Objectives, five Control References)
- Category 0.8: Physical and Environmental Security – Restricting access to individual endpoints as well as their environments (two Named Objectives, 13 Control References)
- Category 0.9: Communications and Operations Security – Securing wireless and other networks for communications traffic (10 Named Objectives, 32 Control References)
- Category 0.10: Information Systems Management – Controlling development, acquisition, and maintenance of systems (six Named Objectives, 13 Control References)
- Category 0.11: Security Incident Management – Governing response to and recovery from cybersecurity incidents in real time (two Named Objectives, five Control References)
- Category 0.12: Business Continuity Management – Optimizing recovery of business operations during or after incident resolution (one Named Objective, five Control References)
- Category 0.13: Privacy Security Practices – Specifying basic principles to guide organizational approach to security (seven Named Objectives, 21 Control References)
As noted above, implementing these controls is not the only requirement for compliance. The same holds whether you pursue self-assessment, Verification, or Certification. Given the volume, complexity, and diversity of implementation, there is nothing simple about it. Still, the benefits of compliance outweigh the costs, especially when considering the sizable financial toll of a single cybersecurity attack.
Benefits of Full HITRUST CSF Compliance
Despite the costs and challenges outlined above, many companies find that leveraging the CSF is well worth the price. Whether self-assessing or targeting external Validation or Certification, your company will benefit from the robust protections the HITRUST CSF framework provides.
One key factor in the cost-benefit analysis is the sheer power of HITRUST, balanced with incredible flexibility. The CSF encompasses controls that safeguard the largest companies most attractive to cybercriminals. But these controls are also scalable to the exact specifications of any company, making them equally apt (and attainable) for small businesses and tech startups.
Another major factor to consider is the efficiency of regulatory compliance, which is closely related to scalability. Many lucrative opportunities await businesses willing to expand their horizons and seek contracts with healthcare providers or even government agencies. However, with these lucrative opportunities come significant compliance burdens. HITRUST CSF compliance eases that burden by streamlining all your compliance requirements into one central set of controls.
Given these advantages, HITRUST compliance is well worth the cost — at any price point.
Reduce Costs with HITRUST Advisory Services
To help companies achieve HITRUST compliance, at all levels, RSI Security offers a suite of dedicated HITRUST CSF advisory services. These services include:
- Facilitation of self-assessment, as well as authorized Certification or Verification
- Unofficial gap assessment, as well as official Bridge and Interim Assessments
- Mapping of HITRUST CSF controls across all other regulatory frameworks
- Marketing of CSF credentials to impress, attract, and reassure clients
RSI Security is the ideal compliance advisory partner for companies looking to lock in HITRUST Certification protections. Our talented team of experts has helped companies of all industries and sizes safeguard their digital assets for over a decade. We can help you plan your cybersecurity architecture and implement it. Then, we’ll help you monitor for threats and respond to incidents as they occur.
Recap: the sticker prices of HITRUST self-assessment questionnaires may seem straightforward, but these are hardly the only factors to consider. There are also other costs involved with self-assessment, all of which need to be analyzed in light of the benefits full Verification provides. To minimize costs at all levels of HITRUST implementation, contact RSI Security today.