HITRUST is not a small investment. The size of your company does impact the overall cost and effort to adopt HITRUST but, regardless of size, HITRUST takes considerable time and money. HITRUST should be viewed as an investment, one that will create an ROI only if leveraged over time and in a proactive way. We've seen, and experienced personally, situations in which the value of HITRUST is not maximized.
Coordinating efforts across all teams, including teams like Marketing and Sales that are not usually involved in HITRUST assessments, is important to take advantage of your HITRUST Certification. To get the word out, and address questions for multiple groups, developing an internal presentation on HITRUST is a good first step. There is no HITRUST training for employees (other than this course I guess), so a simple presentation that sets an internal baseline of company knowledge fills that gap. Beyond that, activities should be specific to functional groups.
Below are some example activities and ways to help you take advantage of HITRUST and leverage your HITRUST investment. It's important to note that all of these can be applied to any type of security certification or report.
In today's world, there is a huge and growing focus on security and privacy. Checking the box is simply not enough. HITRUST, with its rigor, specificity, mapping to so many frameworks and regulations, can help turn security into an asset for your company. But sales and marketing teams need to understand how to leverage it.
While leveraging HITRUST normally includes ways to use HITRUST for marketing and sales, one of the most valuable aspects of HITRUST is realized internally. HITRUST is more prescriptive than most (maybe all) compliance frameworks. It is also clearly structured and intuitive once you have a little bit of experience with it. HITRUST helps to remove ambiguity for people making day-to-day decisions that impact sensitive data.
A common language, namely the CSF, can be used across the entire company. This is more powerful than you'd think. Compliance has its own parlance, and when there's ambiguity between terms and definitions, it can cause serious problems. The language of HITRUST is a powerful asset if adopted internally. It is also easier to pass this language on to new employees when there's turnover and new hires.
One of the lessons in this HITRUST course covers shared responsibility and HITRUST CSF inheritance. The focus of that lesson is on inheritance of controls from cloud providers, which is inheritance of external controls from third parties.
Another form of inheritance is internal inheritance. This is especially valuable for larger companies or companies with multiple products. In these instances, certain controls in the HITRUST CSF can be inherited across teams and products.
Increasingly, compliance is being reported as a form of status update to the board. Once the board has been educated on HITRUST, reporting on compliance by using the HITRUST CSF provides a structured approach for discussing compliance issues and tracking progress using HITRUST maturity ratings and corrective action plans (CAPs).
HITRUST needs to be proactively communicated internally to ensure companies get an ROI for their HITRUST investment.