20 Due Diligence Questions about the HITRUST Certification

A thought to start this article: the single biggest decision your organization will make regarding cyber and information risk management is…how your organization will conduct cyber and information risk management …

There seems to be a bit of a discussion underway about whether a HITRUST Certification creates value for organizations that is greater than the amount of time and out-of-pocket expense that is incurred to receive one… and whether it actually serves in any manner as a solid foundation for an organization’s cyber and information risk management program.

We are often asked about this HITRUST “controls checklist-style” certification.  I honestly struggle when asked about it and try hard to live by the old saying, “If you don’t have anything nice to say, don’t say anything at all.”  I try.

I also always try not to be against anything.  Let’s just say: I’m very much for the NIST approach to cybersecurity risk management, which is globally recognized, more widely adopted, and recently validated by the healthcare industry.  In collaboration with NIST, the Office for Civil Rights and the Office of the National Coordinator recently completed a cross-walk of the HIPAA Security Rule to the NIST Cybersecurity Framework.  Minimally, it’s further validation of the NIST Cybersecurity Framework, if not further declaration of it as a ‘standard of care’. 

I’d recommend sticking to the NIST approach, as are all the organizations in the other 15 National Critical Infrastructure sectors besides the Healthcare and Public Health Sector.  HITRUST appears to be a closed, proprietary and quite expensive commercial offering.  It was adopted by and is being pushed by the payer community – oh my, look where it landed Anthem, CareFirst, Excellus and Premera, among others.

Our recommended NIST approach may be found in our recently published white paper Harnessing the Power of NIST | Your Practical Guide to Effective Information Risk Management.  For more information on the NIST Cybersecurity Framework, please see: Framework for Improving Critical Infrastructure Cybersecurity. 

Before we turn to the due diligence questions we believe organizations should pose when considering the HITRUST Certification, we present some interesting articles and posts you may wish to consider reading:

HITRUST Certification Articles/Posts

And, now, for those seeking to make a good decision about their compliance and cybersecurity process, please feel free to use this starter set of questions.  And, please send me yours and I’ll add them to the list.

HITRUST Certification Key Due Diligence Questions 

  1. Will HITRUST Certification help make my organization compliant with the HIPAA Privacy, Security and Breach Notification Rules?
  2. Will HITRUST Certification prove that my organization has met the HIPAA Risk Analysis Requirement?
  3. Will HITRUST Certification prove that my organization has met the HIPAA Risk Management Requirement?
  4. Does HITRUST Certification create an information risk management program for my organization?
  5. How much will it cost my organization per year to maintain a HITRUST Certification? How much “extra” infrastructure, services and/or personnel do I have to add to meet the Certification requirements? How many hours of effort will it cost my organization?
  6. Does HITRUST Certification ensure I won’t be breached or hacked?
  7. Does OCR accept HITRUST Certification?
  8. Why would my organization not use the NIST Cybersecurity Framework?
  9. Since HITRUST is applicable to only one of the 16 critical infrastructure sectors, wouldn’t it make more sense to stick with the NIST Cybersecurity Framework, which applies to all 16 sectors and, therefore, will receive industry-wide and government support?
  10. Have OCR and ONC endorsed the HITRUST Certification, as they have the NIST Cybersecurity Framework?
  11. Now that HHS has mapped the HIPAA Security Rule to the NIST Cybersecurity Framework, is there a reason to have another framework beyond the NIST Cybersecurity Framework?
  12. The HITRUST Alliance claims that one can adopt the NIST Cybersecurity Framework through the HITRUST model; even if this is true, are those costs of a proprietary, closed model justified and necessary to adopt the public and open NIST Cybersecurity Framework?
  13. On what internationally recognized specific risk assessment methodology (e.g., NIST SP800-30, ISO2700x, COBIT, etc.) is the HITRUST Certification based?
  14. Had Anthem, CareFirst, Excellus and Premera received their HITRUST Certifications at the time of their breaches?
  15. Will HITRUST Certification indemnify me from OCR action?
  16. Will HITRUST Certification reduce my cyber liability insurance premiums?
  17. Will HITRUST Certification meet SOC2 audit requirements?
  18. Will HITRUST Certification meet ISO27000 certification requirements?
  19. Will HITRUST Certification improve my security posture?
  20. Have HITRUST Certified entities experienced security breaches?
  21. What are the advantages of a privately-owned, for-profit security framework, as distinct from the publicly available NIST Cybersecurity Framework and approach?
  22. How will HITRUST secure the very detailed security information about my organization that I must submit to them?
  23. As a Business Associate, is my organization specifically required to get HITRUST Certification?
  24. Financial solvency-wise, should we place our bet on a commercial, for-profit entity with limited adoption or on the US Government?

OK, OK – I know there are more than twenty (20) HITRUST Certification due diligence questions.  Our interested readers have suggested a few more!

Privacy, Security and Compliance Risk Management Resources Available to You

Clearwater Compliance offers best-in-class HIPAA Privacy, Security and Breach Notification and cybersecurity software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Register for one of Clearwater’s complimentary webinars on information risk analysis and risk management basics and get to grips with these issues and more.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.