Picking up on the theme from a few days ago, let's tell another story about a time I went head to head with an MCO and lost: HITRUST Certification.
You might be beginning to think all I did was lose these arguments. I won more than I lost, but like a lot of things in life, the losses are where real interesting things were learned.
In 2018 an MCO we were working with required us to get HITRUST Certification. At that point in time we weren't under any certification (SOC-2, ISO, etc...). I didn't really know where to start. Future articles will be written to provide other lessons learned from this process, but let's start with the first question I asked but could find very little answers on: how much will HITRUST Certification cost?
You'd think that answer would be readily available and easy to answer. Neither is true. Initial costs are tough to answer because it depends on where you are starting from. Ongoing costs will fluctuate every other year depending on whether you are doing a validated assessment or interim assessment.
One disclaimer. This is just from my experience. Size of company, complexity, and overall IT technical competency may vary. Also it should be noted that this is with no offshore outsourcing and very little (almost none) domestic outsourcing with all network, hardware, and software on premise and not in the cloud.
So let's break this down.
If you are starting from scratch with no other certifications, then I'd say you should budget around $150,000 for initial launch. This cost breaks down like this:
- Actual Certification Costs: $50,000
- Increased Testing, Risk Assessments & Controls: $90,000
- Hardware Updating: $10,000
Now if you are already doing Penetration Testing, DAST Testing, and Outside Third Party Risk Assessments, then you can knock off $50,000. Likewise, if you have relatively new firewalls (capable of NIDS), then you probably don't have to spend the $10,000 on upgrading your hardware.
So that's the initial cost, what about the ongoing? Well that depends which year it is. HITRUST does a full recertification every 2 years. In the interim years they do - you guessed it - an interim assessment. Other than that, your ongoing costs are the same. You should expect to pay between $80,000 (interim) and $120,000 (full) per year just to stay HITRUST Certified. This again covers reoccurring requirements like Third Party Risk Assessments, Penetration Testing, and DAST testing. So if that is already in your budget, subtract that out.
This of course doesn't include salaries of IT employees. We didn't need to add any employees to our operation to achieve certification, so I am not including them here in the cost. That being said, we only had three members on our IT team, which we were told from the start was going to be a real hindrance to get certified (more on that in a future post).
So there you have it. Budget about $150,000 for initial certification, and about $100,000 every year thereafter.
One last point. No one in this process is looking to achieve certification in the most cost effective way. The state of healthcare and healthcare technology is to just throw more and more money at any problem. That has always rubbed me the wrong way. This can be made all the worse if your own internal team does not have a "P&L mindset" when it comes to something like this.
If you have any questions about achieving HITRUST Certification spending the least amount of money in the shortest amount of time, we'd love to hear from you.