I've hyped HITRUST, but the standard has issues.
Here are the top 3 objections I've encountered:
1. It's expensive
Unlike SOC 2, whose criteria you can download for free, or ISO 27001, where the standard costs ~$150, HITRUST requires you to implement it through its myCSF platform, which is much costlier.
External assessments are also generally pricier than SOC 2 or ISO 27001 audits.
From a business perspective, though, VALUE is more important than cost.
And no other compliance framework has demonstrated ROI comparable to HITRUST's:
-> 25% insurance premium discount for r2 certification
-> 0.59% breach rate for certified companies in 2024
2. myCSF is clunky
Because you are locked into HITRUST's software platform, you need to deal with it regularly.
With that said, you can:
-> Manage policies/evidence in Vanta (my partner)
-> Create reports for different frameworks easily
-> Export results via API
Another cost of doing business, but there is definitely room for improvement.
3. The standard is complex and prescriptive
ISO 27001 is high-level, e.g. it requires selecting "appropriate information security risk treatment options, taking account of the risk assessment results."
And any Annex A control can be excluded, as long as the exclusion is justified in the Statement of Applicability.
HITRUST, however, mandates specific controls.
Some practitioners even copy the wording directly into their policies and procedures to ensure compliance.
While restrictive, this approach reduces uncertainty during assessments.
And makes comparing HITRUST assessments in an "apples-to-apples" manner much easier.
BOTTOM LINE
To the HITRUST folks out there (with whom I haven't coordinated this post) - you guys are great.
A StackAware prospect recently (and correctly) described it as the "godfather" of security standards.
My goal is to improve it through public conversation (which is in my self-interest, as a Readiness Licensee).
To everyone else - what do you think about these HITRUST issues?