SaaS providers can reduce HITRUST certification costs with HITRUST Inheritance Program

Vendors who use the Software as a service (SaaS) distribution model have enjoyed considerable success in the healthcare marketplace.  A challenge that they face is increased scrutiny from customers – hospitals, health insurance companies, pharmaceutical companies, and others – and their insistence on effective security programs.

Increasingly, buyers are demanding third-party validation in the form of SOC 2, ISO 27001, and HITRUST audits.

The HITRUST certification has become the gold standard for major health insurers' third-party security management programs.  Among U.S. hospitals, the SOC 2 remains the most widely used form of third-party assurance for their vendors.  However, hospitals are increasingly preferring or demanding HITRUST audits of their vendors.  Many SaaS providers, particularly smaller ones, struggle to afford the high costs of HITRUST compliance.

HITRUST CSF Inheritance Program

The HITRUST CSF Inheritance Program allows a SaaS vendor to reduce HITRUST compliance costs by inheriting the compliance of their hosting, cloud, and service providers.  A cloud provider, for example, can fulfill hundreds of HITRUST control requirements, which can be inherited by their SaaS customers, whose HITRUST compliance costs can be dramatically reduced.  All three of the major cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform – have achieved HITRUST certification.

SaaS companies can take control inheritance further by using a HITRUST-certified Managed Security Service Provider (MSSP).  For example, MSSPs such as Cloudticity, Armour, and Logicworks offer an additional layer of services on top of AWS, such as log and event management, file integrity monitoring, and patch monitoring.  When a SaaS company uses one of these HITRUST-certified MSSPs, it can inherit even more controls, further reducing its HITRUST compliance costs.

HITRUST compliance costs include the following:

  • Pre-Audit: SaaS companies need to strengthen their security and compliance programs by enhancing their written policies and procedures, acquiring any security technologies that may be necessary, and operationalizing the new procedures.  HITRUST fees must also be paid to use the HITRUST CSF.
  • Audit Costs: Once preparation is complete, the SaaS company undergoes the formal HITRUST audit.  The costs in this phase consist of the SaaS company’s internal cost of working with the auditor plus the auditor’s fees.
  • Ongoing Costs: To maintain HITRUST certification, SaaS vendors must continue to execute all required controls.  This almost always involves increased labor costs and typically some third-party vendor costs.

In conclusion, by leveraging the HITRUST Inheritance Program, SaaS vendors who desire HITRUST certification can reduce pre-audit costs, audit costs, and ongoing costs by using both a cloud/hosting vendor that is HITRUST certified and an MSSP that is HITRUST certified.  As is typically the case, the devil is in the details: which controls are inherited, and to what extent, should be negotiated and documented in a Service Level Agreement (SLA).  Organizations that need assistance can reach out to Eagle Consulting Partners for help with vendor selection, negotiation of the SLA, and HITRUST certification.
