The ultimate guide to HITRUST CSF® Certification: Timelines, Fees & Process

HITRUST CSF® is a certification required by organizations that handle Protected Health Information. HITRUST’s mission is to establish a holistic approach for the healthcare industry to manage information security risks.

HITRUST stands for Health Information Trust Alliance. It’s a combination of different security standards in the healthcare industry, including HIPAA, HITECH, PCI, COBIT, NIST, and FTC.

In 2017, the average cost of a healthcare data breach was $380 per record, not to mention the loss of reputation and trust in the brand. Just a single breach could end your business for good.

HITRUST is the gold standard compliance framework in the healthcare industry. HITRUST is responsible for creating the “Common Security Framework”, the most widely applied security framework in the USA.

This article will explain all you need to know about HITRUST including:

• What it means to be HITRUST compliant
• Who must be compliant HITRUST
• Why HITRUST is great for everyone, not just the company getting compliance
• How to get HITRUST certified

Let’s get to it.

What Is HITRUST Compliance?

HITRUST is a non-profit organization that created and maintains the Common Security Framework ie the CSF.

According to their website, “the HITRUST CSF was developed to address the multitude of security, privacy and regulatory challenges facing organizations. By including federal and state regulations, standards and frameworks, and incorporating a risk-based approach, the HITRUST CSF helps organizations address these challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.”

Here’s the HITRUST Common Security Framework:

• Includes, harmonizes and cross-references existing, globally recognized standards, regulations, and business requirements, including ISO, NIST, PCI, HIPAA, and State laws.
• Scales controls according to type, size, and complexity of an organization.
• Provides prescriptive requirements to ensure clarity.
• Follows a risk-based approach offering multiple levels of implementation requirements determined by specific risk thresholds.
• Allows for the adoption of alternate controls when necessary.
• Evolves according to user input and changing conditions in the industry and regulatory environment on an annual basis.
• Provides an industry-wide approach for managing Business Associate compliance.

The growth of technology in the health industry relies on security and compliance. Payers and providers must make sure their digital products are built and deployed with the highest security measures in mind. Without the CSF, HIPAA compliant digital products can often be difficult to implement.

HIPAA requirements can sometimes be vague, which is why the CSF helps clarify what a software team can or cannot do. For example, HIPAA may use wording like ‘reasonable & appropriate’ protections but it may not necessarily say how it defines ‘reasonable.’

This is where HITRUST certification comes into place, rationalizing the diverse set of regulations and standards into a single overarching security framework, namely the CSF. This allows organizations to tailor their security controls to their own specific business sector and regulations.

HITRUST is the most dynamic security standard offering certifications in the United States today. As the healthcare industry and technology evolve over time, the CSF adapts.

The hierarchy of the framework is constructed similarly to ISO 27001/27001. It consists of 14 control categories that contain 46 control objectives. These categories map to 149 system controls. Within each of the 149 controls, there are up to 3 implementation levels must be met for each risk factor, such as regulations and management.

In total, there are 845 requirements ruled every company creating software for the healthcare/ pharma industry must follow.

Who Must Be HITRUST Compliant?

Any company that creates, accesses, stores, or exchanges personal health information must be compliant with the HITRUST Common Security Framework. This includes companies and organizations such as hospitals, insurance companies, pharmacies, healthcare vendors and physician offices.

Over 84% of health plans, organizations and business associates use the CSF, making it the most widely adopted security framework in the industry.

If you choose not to get HITRUST certified, do so at your peril. HITRUST is the future so it’s advised that you get it as soon as you can.

Reasons To Get HITRUST Certified

Lower Cyber-Related Risks

Furthermore, Allied World U.S., the first company to consider preferred terms and conditions based on the HITRUST CSF standards, stated:

“The HITRUST CSF framework and CSF Assurance methodology, the key components of the HITRUST CSF Assessment program, will enhance its underwriting program in terms of efficiency, consistency and accuracy, allowing it to better align the effectiveness of an organization’s security controls with cyber insurance premium levels. The review also concluded that organizations that had obtained a HITRUST CSF Certification posed lower cyber-related risks than those organizations that have not. The comprehensiveness and improved risk reporting enabled by the HITRUST CSF and the CSF Assessment summary scores in place of many of the standard information security application questions create a more streamlined application process.”

HITRUST Certification Is Required

According to Health It Outcomes, in 2016 only five healthcare payers issued letters to their business associates, explaining the need to be HITRUST-certified within two years.

In 2019, more than 90 payers and other healthcare industry companies require their third-party service providers (business associates) to become HITRUST certified.

Being HITRUST-certified Reduces Time Dedicated To Audits

HITRUST compliance significantly reduces the time and cost it takes to put almost all requirements from multiple regulations into one place to help identify risk and maturity.

This enables you to view and track security and compliance matters from a central location. This ensures you don’t run into any issues when a secondary audit, for example, PCI, is required.

Repeatable Process

The HITRUST CSF acts as a roadmap for risk management processes, making them repeatable so everything can be done correctly each time.

The whole process is then documented so businesses that need to protect patient data or other sensitive information can benefit from following its guidelines.

If for some reason you lose employees, you don’t need to go and reinvent the wheel. Just have your new employee follow the documented process applicable to everyone else within your company.

You Stand Out From The Rest

A HITRUST certification gives your brand a competitive edge over your competitors. Today’s consumers are very much aware of cybercrime and data privacy, with most being too cynical to believe an organization’s marketing claims of data protection.

However, if you are HITRUST-certified, you can leverage your credibility and prestige to potential customers.

Why IT Providers Must Get Certified Now

The number of incidents of personal information being exposed and the private health information being seen by those not authorized is going up.

Security Magazine reported that hackers attack a computer system every 39 seconds and that non-secure usernames and passwords we use that give attackers more chance of success.

In fact, even the US State Department has to block thousands of hacking attempts every day. Despite their best efforts at keeping them out, cybercriminals still manage to get access by adapting their methods to avoid being detected.

As businesses grow, they are more likely to become a target of criminal activity.

In terms of digital healthcare, in particular, startup funding for digital healthcare is expected to double in the US over the next three years, growing from $3.5 billion in 2014 to $6.5 billion by the end of 2017, according to a recent Accenture study. Accenture explains that the growth in these types of startups will largely be driven by evolving consumer expectations.

How Long Does It Take To Get HITRUST Certified?

Short answer: approximately 4 months from when a company begins the HITRUST certification process.

The hardest part for an organization is to get ready for the third-party audit (this takes the longest amount of time!). This means reviewing/implementing all required processes.

The initial self-assessment takes between 2-8 weeks to complete depending on the size and complexity of the organization and the scoped environment, and it can take an additional 6 weeks for the validated assessment to be processed and certification awarded by HITRUST.

Usually, once a firm is ready for the assessment, it takes firms up to 3-4 months to complete the full assessment.

Firms must get assessed and HITRUST recertified every year. This is because data management and risks increase over time so it’s essential for all IT vendors to stay up to date with the latest and greatest security measures.

However, the assessment becomes quicker and easier to complete after a company undergoes the first HITRUST certification protocol.

How IT Companies Get HITRUST Certified

These are the 4 steps to get HITRUST Certified:

Step 1: Self Assessment Of Internal Operations

HITRUST requires IT vendors to run effective security, privacy and risk management programs.

The HITRUST certification process begins with an on-site comprehensive audit with the assistance of third parties (one example is Coalfire) to decide what assessment an IT company must undergo. Because HITRUST CSF is quickly becoming an industry standard, auditors may have proprietary auditing processes.

How long and how expensive the certification process would be is determined by how many and which of the 19 HITRUST domains, 135 system controls, and 700+ potential requirements apply to a specific IT business operating in the healthcare space.

We break down the costs involved a bit later on in this article.

Step 2: Implement The CSF

The second step in the HITRUST certification is for an IT company to produce documentation, such as policies, risk assessments and technical configurations to be assessed against the CSF.

This can take a couple of months for the first assessment, and shorter spans for additional audits, but it will vary based on the full scope of each company’s audit.

From here, the CSF must be validated by the assessor which will take a further few weeks to complete. They will then assist you with uploading the documentation to the HITRUST Alliance via the MyCSF portal.

Step 3: HITRUST Certification

Once you upload all documentation online, the HITRUST Alliance must then audit your work and conclude whether the HITRUST standards were met and if all appropriate documentation has been filed.

Your IT company needs to be able to provide evidence that you are operating in accordance with these policies and procedures but your auditor/assessor can help with this.

Once this step is complete and your organization passes the inspection, they will issue a HITRUST CSF certificate.

Step 4: Repeat

Since this is an annual task, you will need to repeat the process at the same time next year. You must undertake annual reviews for the policies and procedures you were initially assessed against, otherwise, you may lose your HITRUST certification.

How Much Does HITRUST Cost?

The cost of HITRUST certification is split up between direct and indirect costs.

Direct Costs

Direct costs include fees to the HITRUST organization and to your auditor/assessor. For SMEs, this can cost between $30,000 – $175,000 but can be a lot higher for larger businesses. Assessors can help you understand what evidence is required, set the baseline configuration and assist with uploading the necessary documentation.  

The self-assessment itself costs around $2,500 for 90 days access.

If certification takes more than 90 days, additional costs include continued access to MyCSF. You can only pay for access to MyCSF for a minimum of three months. After this, there are monthly and annual payment options. As soon as you lose access to MyCSF, all data is lost so it’s vital that you factor these direct costs too.

Finally, the submission and scoring of the application costs around $3,750.

Indirect Costs

Indirect costs relate to the cost of employees and the time spent between each audit to address the issues and turning them into actionable compliance programs. Even though this isn’t covered in the HITRUST assessment, it will contribute to the overall cost of compliance.

It will take around 400 man hours of work to complete a HITRUST certification so you can calculate this against the hourly loaded rate of the employees who will be involved in this process.  

HITRUST Is Great For Everyone

Healthcare organizations have seen a lot of data and security breaches over the past few years.

According to Protenus, 112 million records were breached in 2015.

While this decreased to 23.7 million and 5.6 million in 2016 and 2017 respectively, these are still high numbers.

When an organization is HITRUST certified, anyone in the healthcare industry will know what it means; their systems are secure and take important risk management measures. The CSF allows everyone who is certified to go through the same rigorous process.

Healthcare executives should now know:

• What is HITRUST compliance 
• The benefits of being HITRUST compliant
• The process and costs of becoming HITRUST compliant

HITRUST keeps all personal, health and other sensitive information safe and keeps bad companies that don’t care about compliance well away.