Looking to get HITRUST certification underway early next year. We're a health technology company. Anyone have experience with this and able to offer some guidance and recommendations?
Paul: It's not our choice. We are being forced into becoming HITRUST certified by our health insurance customers.
HITRUST is not worth the money in my opinion. Sure, it is further evidence that you're aware of and making efforts to manage cybersecurity risks, but it's not a guarantee, and you'll still be required by buyers to complete a risk assessment regardless of any certification you hold. HCOs know that HITRUST is a moment-in-time measurement, and by the time it is complete it is out of date. Like other steps you take to build trust with buyers (a penetration test, a SOC 2 report, etc.), you may decide to do it anyway, even though none of these things are sufficient to satisfy buyers on their own.
Buyers are looking for the effort you are making, not perfect scores. You can use a risk assessment tool like Censinet for free to get a clear understanding of the things HCOs care about regarding your risk posture. Managing risk is an ongoing, real-time process, not a one-and-done certificate. Go ahead and spend $60K on a HITRUST certificate if your buyers are demanding it; otherwise, spend it on actually improving your risk posture. Document your plan and improvements so buyers can see that you make a continuous effort to keep them secure.