As we come to our 7th and final article in the HITRUST Certification series, we come to the last question: Is HITRUST Certification really necessary?
"What?!? You just spent 6 other articles espousing what it takes to go through HITRUST Certification and now you tell me it was all a waste of time?" Not exactly, but more on that in a second.
If you do some light research on the topic, you will find there are quite a few objections to the Certification. The most thoughtful, in my opinion, are Kamal Govindaswamy's, laid out in his three separate write-ups.
He does a better job detailing all this than I ever could. They are worth the read. But the TL;DR version of his articles is that HITRUST Certification is:
- too complex to be beneficial
- extremely costly and those funds should be used for actual security
- not really an industry standard beyond the 5 companies that created the Alliance
And you know what? He is absolutely, 100% correct.
I would never advise anyone to start with HITRUST Certification. Truthfully, I would never advise anyone to start with any certification. The starting point should always be to get the right Technology Executive, get the right team and structure, and get the right systems in place that are incredibly secure and enable growth. Only years later should certification enter the conversation.
So why spend this much time on this topic?
The first time I went through the HITRUST Certification process, our assessor asked us right off the bat: "Why are you doing this?"
My honest response: "Because one customer is making us, another is implying they will make us, and those two contracts alone are worth [insert 8-figure number]."
His last response: "You are jumping to the hardest and most complex one. Jumping from no certifications (i.e. ISO 27001 or NIST) to HITRUST will be difficult."
Now, especially after reading Kamal's article, don't mistake "hardest and most complex" for best. But here's the truth: when you work in healthcare, there are a lot of things that are forced on you that you may not agree with or may not even think are beneficial. Honestly, your opinion doesn't really matter.
This is not a position I am usually comfortable with. This is certainly not a position I advocate. But it is a position I recognize as a reality. That reality usually drives one of two common mistakes from the Technology Executive.
They ignore it, usually at the peril of future contracts or less lucrative ones. This is what I call the "Defensive IT Executive" response. Anyone who takes this route should be prepared to either work for a non-growing company or be looking for another job. Both situations are unacceptable.
Or, they go all in. And I mean all in. This is what I call the "Industry Reputation Executive" response. This individual is usually more worried about their industry reputation than the health and effectiveness of the organization. This is the person who thinks HITRUST Certification should be the largest priority of the entire organization and everything is viewed through that lens. This is dangerous because your costs will skyrocket and your innovation will grind to a halt.
The way to avoid this mistake: strategically use demands like HITRUST Certification, when contractually appropriate, to further growth, but at the same time do so in the most cost-effective and least organization-altering way possible.
As we have said throughout this series, if you find yourself having to go through HITRUST Certification, or something like it, it certainly helps to be on a platform that has gone through it before. We'd love to chat about this, give you an unbiased and fair interpretation of your situation, offer some advice, and discuss how Vy Healthcare ERP can help you no matter what your healthcare needs are.