The HITRUST ROI Report: Is HITRUST Certification Worth It? An External Assessor’s Perspective

Understanding the value of HITRUST ROI

HITRUST has published an interesting third-party report on the ROI of a HITRUST certification. It covers both quantifiable and qualitative outcomes: ROI, operational efficiency, business growth, and risk reduction. As an external HITRUST assessor with many years of experience with HITRUST and many completed assessments, the report piqued my interest, and I wanted to share some thoughts on the document.

Key HITRUST ROI Findings from the Whitepaper

The third-party study, conducted by Enterprise Strategy Group (ESG), had several findings that I found particularly interesting. The headline is a modeled ROI of 464% for a HITRUST certification, derived from a combination of increased operational efficiency, a lowered risk of a breach or of fines for non-compliance, revenue enablement, and lower cyber insurance costs.

While the report itself, and common sense, say this is a generalization, there is no doubt in this assessor’s mind that in some cases it can be completely true. I cannot add statistics or hard numbers, or cite my clients specifically, but I can describe what I have seen and what I have been told by the clients who return, year after year, to recertify.

For clarity, the study, commissioned by HITRUST and conducted by ESG, models a mid-sized organization with $20M in annual revenue, 100,000 PII records, and a $5M cyber insurance policy. In the model, this fictional company obtains a HITRUST r2 certification covering 50 systems. I work with clients both this size and smaller, so I will speak to the more universal benefits I have seen across organizations of this size and significantly smaller.


Primary Benefits of HITRUST Certification

The three big drivers cited by the report, which closely echo what I’ve personally experienced as an external assessor, are Business Growth, Risk Reduction, and Operational Efficiency.

Business growth is the number one ROI contributor according to the study, and I can’t help but agree. When I engage a new client for a HITRUST assessment, I hear “we want to be more secure” or “we want to make sure we’re responsible with our customers’ data,” but most often I hear “We have a potential client that requires it” or “We’re contractually obligated.” HITRUST is becoming the go-to certification primarily within the healthcare ecosystem, but in other industries as well. I see large providers, insurers, and hospital networks issuing a simple mandate: “Our service providers must be HITRUST certified.” Put simply, a HITRUST logo on a website and a sales conversation that can say “Yes, we’re HITRUST certified” opens new prospects and even new markets.

Risk reduction is where this assessor thinks the HITRUST CSF and the certification get their primary value. While ESG lists it second to business growth, I like to start conversations with new clients with a simple question: “What would a breach mean to your organization?” I hear several answers, such as “We’d get fined” and “We’d lose clients,” but I also hear the one that makes this so important to me: “We might as well send everyone home and lock the doors. There’s no coming back from the financial and reputational damage it would cause.” The HITRUST CSF, in each of its assessment types (e1, i1, and r2), is curated to address real-world threats and minimize exposure. HITRUST has a great video on this; their research has shown that fewer than 1% of HITRUST-certified environments report a breach. Put simply, a HITRUST assessment performed by a quality assessor will discover and report on the true state of your security infrastructure.

Operational efficiency is an inherent function of the HITRUST CSF, which was built with existing frameworks in view and attempts, frequently successfully, to work in the intersection of those disparate frameworks. Because the CSF maps its requirements to those authoritative sources, the evidence gathered for one HITRUST assessment can be reused to demonstrate coverage elsewhere. In some industries, HITRUST can stand in for multiple other assessments, providing a single annual certification process that shows the majority of HIPAA, SOC 2, and even NIST or PCI controls have been met.

Why This HITRUST ROI Publication Resonates With Me

The report is lengthy and comprehensive, and it matches my real-world experience of the true value of being HITRUST certified. The model company represents a common size and scope of assessment. The attempts to put a value on difficult-to-quantify benefits feel accurate and unbiased.

The report echoes, simply, what this assessor has observed across dozens of clients: HITRUST can have immense value to an organization in certain industries at a certain phase of its growth.


External Assessor’s Critical Analysis

I’m not trying to trumpet HITRUST’s findings, so I do want to make a couple of points that I think are relevant to a critical and thoughtful reading of this report.

First and foremost, the report is clear that the research was funded by HITRUST. While I neither assume, expect, nor observed bias, the source of funding is always worth considering when reading any report.

Second, the model company is in the healthcare space, an industry where HITRUST has the strongest and most established presence. While I’ve seen it applied and personally observed the benefits in industries with no tie to healthcare, the ROI is likely the highest in the healthcare industry. I would, and do, make the case that it’s a good foundation for security in any industry, but I wouldn’t be comfortable saying “this ROI is typical in your environment.” Less regulated industries may not feel the full value of the business generation or risk reduction ROI in a purely financial sense.

Finally, there are some assessments, audits, and certifications for which the HITRUST report simply cannot be substituted, and this will always limit the ROI from operational efficiency. Wherever FedRAMP, PCI DSS, or CMMC assessments are mandated by legislation or regulation, the HITRUST CSF can make those assessments more efficient, but, of course, it cannot replace them. This doesn’t represent “no ROI” so much as “potentially less.”

Final Thoughts: Is HITRUST Worth the Investment?

I’m skeptical by nature; I don’t think that trusting people are drawn to being auditors. I didn’t approach this report with open-hearted trust. But with the few caveats I mentioned, this report simply tells me what I’ve already observed: the HITRUST assessment and the resulting certification have value in many areas, and can be a key part not just of your information security approach, but of your business development.

As Linford & Co is a HITRUST External Assessor Organization, we can help if you want to know more about how a HITRUST certification might help your business. Feel free to contact us to arrange a consultation or with any additional questions you may have about our HITRUST Audit & Certification services.