I’ll say this in the most un-intimidating voice I can muster: Completing a HITRUST assessment for the first time is a big challenge. Whether you’ve been maintaining a strong cybersecurity program for years, or you’re just getting started, it’s a heavy lift because of the uniqueness of the assessment. Because of this, it’s imperative to perform due diligence when selecting your HITRUST assessor.
Put simply: You want to do more than just a Google search for a “HITRUST Assessor” or pick whichever company has the most “professional” name. There are two major things we recommend looking for (at minimum) when choosing a HITRUST assessor.
The first consideration is the assessor's experience, and it is two-fold. First, how long has the organization been HITRUST-certified? You can easily check this on HITRUST’s site by clicking the company’s logo and noting the “Date Effective” on the pop-up. Unsurprisingly, companies that have been HITRUST-certified for longer periods of time are likely to have more experience with the framework and with the process of auditing against it.
Second, how many HITRUST assessments has the organization performed? Does the company use “HITRUST-certified” as marketing clout? Or, are they truly in the trenches performing these rigorous audits on a regular basis?
Here’s why that’s important: Under CSF version 9.1, an organization could have anywhere from 276 to 500 (or more) baseline statements generated as part of its assessment. Because the HITRUST CSF is so extensive, assessments against it are more likely to run smoothly when performed by a firm with an extensive track record than by one with less experience. So, does the organization have previous clients it can provide as references? Can you reach out to those previous clients and ask about their experience?
2. Speed and Price of Audit
Beware of anyone who says they can perform a HITRUST audit quickly (or cheaply). HITRUST is not just a stamp of approval or a nice certification to put on your website. It’s a deep dive into the entirety of your information security program.
Any organization that promises to make quick work of this substantial task is likely not being entirely truthful. In the same vein, any organization that claims to be able to complete this process cheaply is raising a red flag.
Because the assessment process is so intensive, it requires personnel with a high level of expertise (read: these people don’t work for cheap) to work for extended periods of time (again, not cheap) on the project. On the flip side, there’s no guarantee that the most expensive organization will be the one with the most expertise or experience. Your goal is to find a balance of expertise and experience with a price point that works for your company.
In general, use common sense. You get what you pay for. I recommend against trying to cut corners on such an extensive project. While it is a big challenge, obtaining a HITRUST certification is one of the best things you can do for your organization’s cybersecurity program. Make sure you partner with an organization that doesn’t just want to issue a report, but that wants to help you build a stronger cybersecurity foundation for your organization.