At Datica, we’ve written extensively about the cost of HITRUST. The truth is, it’s an expensive process — not just the first time you do it but on an ongoing basis. To maintain a HITRUST Certification takes a lot of people hours and real dollars for 3rd party assessors and to HITRUST itself. That said, there is a clear ROI with leveraging HITRUST as your anchoring compliance framework.
In the past, we have only considered the external ROI of HITRUST which, for Datica at least, meant differentiation in the market, speed to close and implement new deals, and a general trust factor that would typically be reserved for larger organizations. A recurring topic of discussion at the HITRUST conference last month was the different forms of ROI for HITRUST, with internal ROI being discussed at length by many organizations, large and small. I quickly came to realize that the ROI for HITRUST is just as much internal as it is external.
Let me explain in the context of Datica.
At Datica, we built our initial compliance program, from policies through implementation (link to academy post on maturity model), for healthcare and specifically to meet HITRUST CSF controls. This was five years ago. We’ve since leveraged the HITRUST CSF for SOC2 and most recently GDPR assessments. As the HITRUST CSF has matured, our compliance posture has matured along with it. And the entire process of working with HITRUST has shaped all of our internal activities, from product to marketing and sales.
To fully appreciate the internal ROI we get from HITRUST, the example of our new product design and development serves to highlight how HITRUST permeates all areas of Datica. We decided in 2017 to develop a new product based on Kubernetes. We did this because the market was increasingly interested in Kubernetes and the offerings from cloud providers like AWS were not covered under a BAA (currently none of the major Kubernetes services available are HITRUST Certified except for Datica’s). In developing our Kubernetes roadmap, we started with a list of HITRUST controls we had to meet to comply with our policies and certifications. We then used this set of controls to ensure we implemented the proper technology around Kubernetes — networking, backup, IDS, container security, certificates, etc. The product requirements, based on HITRUST, were unambiguous to our product and engineering teams, and it was a light lift for our security and compliance people to sign off.
Even our sales and marketing people leverage the HITRUST maturity model to differentiate our products from our competitors in the market.
Other examples are the recent free guides we published on how to secure common managed cloud databases to comply with HITRUST. The specific HITRUST controls are listed with each step. Here is the AWS RDS guide.
HITRUST trickles down to all people at Datica. It takes away the subjective “the security officer says this,” and instead provides a published set of controls. This is hard to quantify with a dollar value but it is a significant ROI. What is interesting is that these examples, and this theme, were repeated time and time again at the HITRUST conference.
Looking forward, we are aligning our internal compliance structure and compliance operations even more around HITRUST. We are currently in the process of re-writing our policies and procedures (look for an announcement with new open source tools soon) and we are doing it with each compliance action and activity mapped to specific HITRUST controls. We are doing this to give us a constant set of guardrails and to ease the burden, both to us and our assessors, of our annual HITRUST assessments.