HITRUST: A Self-Policing, Profit-Driven Entity Exploiting Borrowed Standards

All organizations and industries rely heavily on standards and certifications to ensure compliance and protect sensitive information. Among these myriad standards, HITRUST has positioned itself as a prominent player, especially in the healthcare sector. However, a closer examination reveals a troubling reality: HITRUST is not the paragon of integrity it claims to be. Instead, it operates more like a self-policing, profit-driven entity that leverages borrowed standards to print money at the expense of genuine security.

The Lack of Oversight: A Self-Policing Entity

One of the most concerning aspects of HITRUST is that it is not subject to oversight by any authoritative body. Unlike other standards organizations, which are typically governed or accredited by independent entities to ensure their validity and fairness, HITRUST operates autonomously. This lack of external oversight raises significant questions about its legitimacy and the impartiality of its certification processes.

Borrowed Standards: ISO 27001, SOC2, and NIST

HITRUST touts itself as a comprehensive framework designed to manage risk and regulatory compliance. However, this framework is essentially a patchwork quilt of pre-existing standards such as ISO 27001:2005, SOC2, and NIST. Rather than developing original content, HITRUST has cherry-picked elements from these well-established standards to create its Common Security Framework (CSF).

While there's nothing inherently wrong with utilizing proven frameworks, the issue arises when HITRUST presents these borrowed standards as its own unique creation, all the while charging exorbitant fees for certification. This deceptive practice not only undermines the credibility of HITRUST but also casts a shadow over the integrity of the original standards from which it borrows.

The Profit Motive: Printing Money Under the Guise of Security

At its core, HITRUST appears to be more focused on generating revenue than on genuinely enhancing security. The certification process is costly, and companies seeking HITRUST certification must pay substantial fees for assessments, remediation, and continuous monitoring. These fees flow directly into HITRUST's coffers, creating a lucrative business model that capitalizes on organizations' desires to demonstrate compliance.

Moreover, the perpetual need for recertification ensures a continuous revenue stream for HITRUST. Companies must undergo regular assessments and updates, all of which come with additional costs. This cycle of dependency turns HITRUST into a money-making machine, rather than a genuine advocate for improved security practices.

Conclusion: Questioning HITRUST's Role in the Industry

In summary, HITRUST's lack of oversight, reliance on borrowed standards, and profit-driven motives raise serious concerns about its role in the security and compliance landscape. While it may offer some value in helping organizations navigate complex regulatory environments, its practices ultimately undermine its credibility and the trust organizations place in its certification.

As stakeholders in industries reliant on robust security standards, it is incumbent upon us to critically evaluate the entities we trust to safeguard our data. HITRUST, as it currently operates, falls short of the mark. We must demand greater transparency, oversight, and integrity from the organizations that claim to protect our most sensitive information. Until HITRUST addresses these fundamental issues, it remains a questionable player in the world of data security and compliance.