
Should you get a HITRUST certification?
Given the title of this article, you might assume the answer is “no.”
And that would traditionally be my advice – except for the fact that you may not have a choice. If one of your customers demands you get HITRUST, you must get HITRUST or risk losing your customer.
But I do not believe HITRUST is good for the businesses that pursue it, or rely on it for security compliance.
HITRUST is, however, very good for HITRUST!
What is HITRUST?
HITRUST can refer to three related entities or frameworks:
1. The HITRUST Cybersecurity Framework (CSF) – a cybersecurity compliance certification framework.
2. The HITRUST Alliance, a non-profit organization that manages the CSF.
3. HITRUST Services Corporation, a for-profit company that accredits HITRUST CSF auditors and sells services, content, and tools, to support the HITRUST CSF.
HITRUST’s For-Profit Structure
In order to pursue HITRUST certification, companies must, at minimum, purchase a MyCSF subscription from HITRUST Services Corporation. The subscription provides access to both the MyCSF SaaS platform (more on the tool later) and to the control list and mappings of the framework itself. HITRUST Services Corporation also accredits the third-party assessor firms that perform HITRUST certification audits.
This is a different arrangement from that of the AICPA and ISO for their SOC 2 and ISO 27001 standards, respectively. Both are not-for-profit organizations that manage their framework, like the HITRUST Alliance, but the SOC 2 criteria are freely available, and ISO 27001 can be purchased by anyone for a small (~$200) one-time fee.
The AICPA also licenses the accountants who perform SOC 2 audits. For ISO 27001, various independent governmental and non-profit accreditation bodies worldwide accredit the certification firms.
And neither the AICPA nor ISO creates a mandatory, paid-for tool for companies pursuing their frameworks!
As a result of this structure, HITRUST profits from everyone in its ecosystem, auditing firms and companies pursuing the certification alike.
Although the HITRUST arrangement isn’t concealed, the organization is not entirely transparent about it. Its structure diverges from the industry norm, which can lead to difficult choices: prioritizing profit over the integrity of the framework and the overall experience of the organizations pursuing it.
HITRUST’s Cost (and Low ROI)
HITRUST is an extremely high-cost cybersecurity certification to pursue. Despite this, few companies outside of the healthcare industry rely on it for vendor risk management and validation purposes. HITRUST was originally founded as the Health Information Trust Alliance to focus on the healthcare industry, so it has some market penetration there, but it has been trying to expand to other industries.
Cybersecurity compliance has largely been a market-driven practice. There is a business case to get a SOC 2 or ISO 27001 because B2B customers want to see proof that their vendors are running a decent cybersecurity program. Sometimes, it is contractually required. The more customers that want a given compliance framework, the greater the ROI.
HITRUST is one of the most expensive frameworks to pursue. It requires much more preparation work, control implementation, and paperwork than SOC 2 or even ISO 27001. As a result, the labor required for preparation and audits is much higher than for other frameworks, which dramatically drives up the pricing. Approximate cost ranges:
| MyCSF Subscription (Annual) | Preparation | Audit (Annual) |
|---|---|---|
| $7,500 – $30,000 | $100,000 – $200,000 | $30,000 – $180,000 |
Note: HITRUST has multiple certification levels; cost will vary accordingly.
HITRUST, while costing a lot, is not nearly as widely accepted as SOC 2 or ISO 27001.
Do your HITRUST-demanding customers, collectively, provide at least $150,000 in revenue per year?
Some companies might be better off walking away from a single HITRUST-demanding customer contract rather than getting certified to keep it!
If you have many customers that want to see HITRUST, then obviously the ROI ends up making more sense.
HITRUST Makes You Use MyCSF Software
As part of the HITRUST certification workflow, companies are required to use HITRUST’s proprietary SaaS tool, MyCSF. This software is not baked into an assessor’s fee either: it is a separate product, managed and billed by HITRUST itself.
While MyCSF now supports integrations with popular compliance tools such as Vanta and Drata, there is no avoiding the software or its subscription entirely. When using an external tool, you can work in that tool’s workflow, and it sends the data into MyCSF for you; the MyCSF subscription is still required.
Is the tool good?
I don’t think so. Most of the folks I’ve spoken to don’t think it’s good either. It forces you to structure your workflows around it rather than supporting your existing workflows. If you want to use a different workflow, you have to buy a separate Governance, Risk, and Compliance (GRC) software tool on top of MyCSF.
There’s obviously a convenience for HITRUST auditors in having a standardized tool to audit from, but that convenience is not shared by the customers. It is as if HITRUST charges customers to follow THEIR workflow.
HITRUST is Not Risk Based
“But Rob, HITRUST r2 is called the Risk Based level!”
Well, it’s not risk based in my book!
The HITRUST CSF has approximately 1,000 controls. Thankfully, organizations are not required to implement all 1,000 controls. They are required to implement a selection of controls chosen from a short scoping questionnaire about the organization and its systems, which stands in for an organization-specific risk assessment.
The controls that end up on the final implementation list are not especially risk-based in my opinion. Generally, many of them are tied to program documentation rather than to the threats the organization actually faces.
HITRUST is Paperwork Heavy
One of the worst parts of ISO 27001 is that it requires a ton of paperwork and documentation: tasks that make certifying your company easier for the auditor but don’t otherwise add value to your business or your cybersecurity program.
HITRUST takes that problem and makes it worse.
Look at the scoring criteria for your paperwork. It reminds me of the tables from the 1st edition of Dungeons and Dragons, only even harder to read!
[Screenshot of the HITRUST scoring criteria table, pulled from a HITRUST video.]
Conclusion
HITRUST is expensive, requires a rigid GRC program, and operates in a manner inconsistent with the rest of the industry. I don’t believe that many organizations are better off for HITRUST existing, except for HITRUST itself.
Other frameworks exist that would not require duplicated work. Auditors can include HIPAA controls as part of a SOC 2 audit and include a statement attesting to compliance (or non-compliance) with HIPAA, which covers the healthcare customer’s core concern without a second certification program.
If you can avoid getting HITRUST certification, then you should!