There was one main point that kept coming up in a couple of formats:
"Our company needs to get HITRUST for [insert strategic / business / non-security-related reason], but I don't want to spend the budget and get a certification for the sake of a certification. Is this framework really worth the effort?"
Fair question. We similarly started our HITRUST journey when a Fortune 50 came knocking and we wanted to win that deal.
- Is the deal off the table? Yes.
- Did we do our diligence and decide HITRUST was a highly strategic decision for our company? Yes.
- Did we have the same question when we were vetting it out? Yes.
Here's the conclusion we reached: while there are many enormous benefits once your company achieves its HITRUST certification, the biggest one is still the core competency of the certification itself, a validated security and privacy infrastructure.
The shiny logo on your sales deck is icing on the cake for a program that prides itself on assessing risks first and then implementing the correct controls, not just implementing controls for the sake of complying with some arbitrary framework. These are real risks, updated regularly, with real controls to keep your business secure. In our opinion, with the number of industry leaders (in healthcare and beyond) that are adopting the HITRUST CSF, the day is quickly approaching when HITRUST will be a requirement to sit at the table. More importantly, it may just provide the answers you've been looking for to validate your security standards.