HITRUST in Healthcare Security – A Wolf in Sheep’s Clothing?

Cybersecurity and compliance have become essential pillars of the healthcare industry. Protecting sensitive patient information while meeting regulatory standards is no easy task. This is where HITRUST, a widely recognized certification "organization", comes into play. But is HITRUST truly the guardian of healthcare security, or is it more like a fox guarding the hen house? This post examines the complexities surrounding HITRUST, its pricing model, and why its push for legislative adoption raises some red flags.

The Role of HITRUST in Healthcare

Understanding HITRUST

HITRUST, short for the Health Information Trust Alliance, was established to provide a comprehensive framework for managing information security in the healthcare sector. Its Common Security Framework (CSF) combines various standards, including HIPAA, ISO, and NIST, into a single overarching certification.

HITRUST has undoubtedly played a significant role in auditing the healthcare industry. By offering a unified standard, it simplifies the daunting task of navigating multiple compliance requirements. For many healthcare organizations, obtaining HITRUST certification signifies a robust commitment to data security.

However, this very convenience comes with a hefty price tag, which leads us to question whether HITRUST is truly beneficial or just capitalizing on the compliance needs of healthcare entities.

The Genius Profit Model of HITRUST

A Revenue-Based Pricing Structure

One of the most contentious aspects of HITRUST is its pricing model. Unlike other frameworks, the cost of HITRUST certification is tied to an organization's revenue. This means that larger organizations pay significantly more for the same certification, irrespective of their actual security posture or needs.

This revenue-based model might be seen as a way to ensure affordability for smaller entities, but in reality, it often prices small to medium-sized businesses out of the market. These organizations may then struggle to meet compliance requirements without the HITRUST badge, potentially jeopardizing their reputation and customer trust.

Intermediaries and Assessors

The costs don't stop at the certification fee. HITRUST mandates the use of certified assessors and intermediary reports, adding layers of complexity and expense to the certification process. These assessors, while ensuring a degree of standardization, also contribute to the escalating costs, making HITRUST certification an even more exclusive endeavor.

Furthermore, the reliance on third-party assessors can sometimes lead to inconsistencies in the certification process, undermining the very objective of having a unified security standard.

The Downside of HITRUST’s Push for Legislative Adoption

Lobbying for Legislative Adoption

On June 6th, HITRUST made a bold move by lobbying the US government to halt revisions to HIPAA and instead adopt the for-profit HITRUST CSF as the national healthcare security law. If accepted, this proposal would eliminate the need for continuous updates to existing regulations and replace them with a single, privately held framework.

While this may sound efficient on paper, it raises several ethical and practical concerns. Allowing a for-profit entity to dictate national security standards could lead to conflicts of interest and compromise the integrity of healthcare regulations.

Historical Comparisons

To put things into perspective, consider the controversy that would ensue if other industries adopted similar practices. We wouldn't allow a single individual, such as Donald Trump, to unilaterally revise tax laws. Nor would we permit the NRA to draft unchecked gun reform policies. The same scrutiny should be applied to HITRUST's attempts to shape healthcare security legislation.

The Importance of Balanced Legislation

The Need for Independent Oversight

For healthcare security regulations to remain effective and fair, they must be subject to regular review and updates by independent bodies. This ensures that they keep pace with technological advancements and evolving threats. Relying on a single, profit-driven framework like HITRUST CSF could stifle innovation and fail to address emerging security challenges adequately.

Cost Implications for Small Businesses

Adopting HITRUST CSF as a national standard could further marginalize small to medium-sized healthcare providers. These entities already face significant financial pressures, and adding the burden of an expensive certification could drive many out of business. A balanced approach to regulation should consider the diverse needs and capacities of all industry players, not just the largest and most profitable ones.


HITRUST has undoubtedly contributed to the advancement of cybersecurity and compliance within the healthcare sector. Its unified framework simplifies the complex landscape of regulatory requirements, offering a valuable tool for organizations striving to protect sensitive patient information.

However, the inherent flaws in its pricing model and the recent push for legislative adoption warrant closer scrutiny. While HITRUST certification can be beneficial, it should not become the sole arbiter of healthcare security standards. Instead, a balanced approach that includes independent oversight and considers the needs of smaller businesses is essential for fostering a secure and inclusive healthcare environment.

If you're a healthcare professional, IT security expert, compliance officer, executive, or legislator, it's crucial to stay informed about the evolving landscape of healthcare security. Explore further resources, engage in discussions, and advocate for fair and balanced regulations that prioritize the best interests of the entire industry.

Together, we can ensure that healthcare security is not left in the hands of the fox but is guarded by a collective commitment to excellence and integrity.

See HITRUST's petition here:
