Good results don’t necessarily come cheap.
The technical infrastructure that manages data in the healthcare industry has to be highly useful to approved personnel such as doctors and pharmacists, and at the same time it has to be kept safe. In other words, the data on these systems needs to be both highly secure and highly accessible. That is easier said than done.
The ten biggest healthcare data breaches in 2018 ended up costing major sums of money and compromising millions of patient data records. Breaches in the healthcare space are rising because cybercriminals are gluttons for other people’s data, and hospitals retain loads of it.
Breaches here are expensive, not only in literal money but in lost patient trust and in the exposure of patients' most sensitive details. A healthcare organization recovering from a breach or other cyberattack has to take decisive action; sitting idly by lets the situation deteriorate into a crisis.
Attacker methodologies evolve every day, but organizations that practice mindful cybersecurity can stay farther ahead of the bad guys than they might think. What it takes is an active, tactical mindset that anticipates what bad actors might do to take advantage.
HITRUST compliance is a premium expense.
The HITRUST CSF is a more robust set of requirements than many other standards and frameworks, and certification against it demonstrates a security program a cut above the norm. Many organizations seeking SOC 2 compliance have 80-100 controls tested. A typical HITRUST validated assessment, by contrast, can include as many as 400 control requirements, and the controls that address those requirements are assessed against up to five maturity levels (policy, procedure, implemented, measured, managed).
That can mean an assessor has to examine 2,000-2,500 data points to complete a validated assessment. It is a thorough examination, and it comes with a price tag attached: HITRUST certification fees have risen as the CSF has evolved and become more complex.
Know your direct and indirect costs.
Direct costs are the money that actually leaves the company: fees paid to HITRUST and to your assessor. Indirect costs are harder to quantify; they are mostly staff time, both during the assessment and in the periods between assessments spent remediating issues and solidifying your compliance and information security programs. Both contribute to the overall cost of compliance.
On the direct side, a smaller organization can expect to spend $60,000-$120,000 in fees to the HITRUST organization and to its external assessor; larger businesses may pay considerably more. An assessor can help you understand what evidence is required, establish the baseline configuration, and assist with uploading the necessary documentation.
Assessor firms themselves pay HITRUST a fee each year to maintain their authorized status. Fees for a HITRUST validated assessment range from $40,000 to $250,000 a year, depending on the factors associated with the assessment.
Companies that want to evaluate themselves without a third party involved can opt for a self-assessment. Around $2,500 buys 90 days of access to the MyCSF tool, but a certification effort takes longer than 90 days, so plan on paying for continued access, which is sold by the month or by the year after the initial period. As soon as you lose access to MyCSF, the data you entered goes with it, so make sure your anticipated direct costs cover keeping that data accessible for as long as you need it.
Finally, submitting your assessment for scoring costs $3,750.
Not all costs show up as an invoice. Indirect costs are mostly about the time it takes to get where you are going, and they are harder to quantify. Expect roughly 400 person-hours of work to complete a HITRUST certification. Multiplying that figure by the fully loaded hourly rate of each employee involved gives a solid approximation of what all that time will cost you.
This is not only the time spent conducting the audit itself, but also the time between audits spent remediating findings and turning them into actionable, sustained compliance programs. That work is not covered by the HITRUST assessment fee, but it contributes to the overall cost of compliance.
The CSF itself is available free of charge, but you cannot determine which implementation level applies to each requirement without purchasing access to the MyCSF tool, because that mapping is HITRUST's proprietary information. When you create an assessment object in the tool and answer its scoping factors, the tool determines the implementation level for each requirement.
You could err on the side of implementing the highest level for every control in the publicly available CSF, but that means risking thousands of dollars on systems or processes your scoped assessment would never have required. Surely not!
HITRUST certification is expensive because it brings a measure of certainty to the uncertain world of cybersecurity. Businesses that demonstrate their security compliance this publicly are effectively making a statement about what they value. RSI Security is an authorized HITRUST CSF Assessor and is ready to help you get started on your compliance journey today.