Whenever I encounter someone who is in charge of becoming HITRUST certified, I’m almost always asked, “How much can we expect to pay?” This can be a difficult question to answer, simply because there are so many factors involved in receiving a quote.
For example, it really depends on which type of HITRUST framework you are trying to become certified in, so read this blog to discover what your projected HITRUST cost may be.
There are three types of HITRUST assessments you should know about. These include:
HITRUST e1 Assessment (Essentials): This assessment covers basic cybersecurity hygiene, is suitable for lower-risk organizations, and offers valuable assurance with less effort.
HITRUST i1 Assessment (Implemented): This assessment balances assurance and efficiency based on curated controls and streamlines recertification.
HITRUST r2 Assessment (Expanded Practices): This assessment has comprehensive control requirements, the highest assurance, and is adaptable to specific needs, ideal for organizations with significant risk exposure.
The amount of work you want to outsource also influences the price you will pay. Read this blog to discover how you can use the new HITRUST Price Range Calculator to get an estimate of your HITRUST cost.
How does outsourcing work influence the price of my HITRUST assessment?
SecurityMetrics works with Privaxi, a readiness assessment project team, to offer specialized HITRUST readiness support, depending on your assessment type.
Whoever you choose to partner with for your HITRUST certification, make sure that they offer:
Tailored solutions to meet your specific requirement needs
Excellent communication with close collaboration between the readiness assessment project teams and assessors
Technical guidance and assistance from expert HITRUST auditors
What is the HITRUST Process?
Your HITRUST process will largely depend on who you choose to partner with and which assessment you are certifying for. The general process for SecurityMetrics employees includes:
Understand Your Data: Define your scope, including documenting where data enters, exits, and rests in your environment.
Purchase MyCSF Portal: Purchase the MyCSF Portal from HITRUST and create an account. Once purchased, notify SecurityMetrics.
Determine Controls: HITRUST determines the controls that need to be validated based on the information in your MyCSF Portal. Scoping factors are used to determine which HITRUST controls apply to your organization only when you are seeking the r2 assessment; the e1 and i1 assessments use a predetermined set of controls selected by default.
Coordinate the Assessment: Work with SecurityMetrics to determine which of your locations need to be assessed.
Gap Analysis: Review the control requirements and evaluate the technologies, policies, and procedures currently in place against them.
Remediation: Based on the results of the gap analysis, coordinate to address the missing items (e.g., technologies, policies, and procedures) so that you comply with the control requirements.
Get Expert Advice: SecurityMetrics offers consulting to help you evaluate where your controls stand regarding the HITRUST scoring rubric.
Validation and Verification: Your controls will be checked to see if they are in place and given an initial score. Submit the assessment for SecurityMetrics verification.
Submission and HITRUST Verification: SecurityMetrics submits your verified evidence and the completed assessment to HITRUST for verification.
HITRUST CSF (Common Security Framework) Certification: HITRUST can review your Assessment for Certification; if you qualify, HITRUST will approve that you are HITRUST CSF Certified and issue a report.
Continued Compliance: HITRUST requires that an r2 assessment be performed once every two years (with an interim assessment at the one-year mark). e1 and i1 assessments must be completed annually.