Over the past five years, we have seen organizations increasingly adopt third-party risk management as part of their security programs. Frequently driven by compliance requirements (e.g., HIPAA and PCI), third-party due diligence has also become an integral part of every best practices standard or framework.
Younger or smaller companies selling into established security organizations often find due diligence requests overwhelming at a time when they are just building their own security programs. And while most organizations feel the burden of this process regardless of their size or maturity, they rarely capture the full internal costs associated with the endeavor. Specifically, this includes the opportunity cost of the time employees spend responding to due diligence requests demanded by customers, partners, investors, and other important third parties.
In this article, we examine what your organization might be able to achieve by adding rigor to your security program and mitigating the demands of due diligence by pursuing a HITRUST certification.
Calculate the Internal Cost of Your Due Diligence Efforts
Currently, if you’re doing business with a healthcare provider, business associate, or payor organizations, there is nothing that “grants” HIPAA Compliance—even if you have a SOC 2, Type 2, or PCI Attestation of Compliance.
When responding to due diligence requests, your company will likely be asked to submit a wide range of information to prospective clients or partners that might include your security policy, a risk assessment, a penetration test, your SOC/PCI reports, a rigorous Request for Information (RFI), and/or responses to a detailed online survey. The common thread is that every request is different, so there is no easy way to respond. For the most part, these requests require a senior technical person or executive to participate in the process.
Based on feedback from our clients, we created a sample breakdown of the annual cost of addressing a single average due diligence request. We assume the response requires a senior technical person, an information security analyst or network engineer, and a database or marketing person. As demonstrated below if your organization responds to 100 requests per year, your internal labor costs are estimated to be between $60,000 to $65,000 per year conservatively.
HITRUST certifications are not trivial to achieve, nor are they inexpensive. The external cost of achieving your HITRUST Certification is likely to be an average annual cost of $60,000 to $70,000. This figure does not include client investment in the process, which is estimated to cost companies an additional $4,500 to $7,500 annually, bringing the grand total to a minimum of $65,000 to $78,000 per year. So, why pay even more?
Evaluate Your Opportunity Cost
The internal labor cost of your HITRUST certification is certainly lower than the internal cost of answering varied, frequent due diligence requests year after year. In our example, we’re comparing $60,000 vs. $5,000 or 950 hours vs. 95 hours of internal human capital.
But that’s too simple—and maybe not compelling enough—since internal resources are a sunk cost and not an outside expense. This is when you need to ask your team, “What could we do if we had that time back?” Could you:
- Add one more product release cycle per year?
- Release a new product a month or two earlier?
- Use these resources to onboard new clients faster and thus invoice sooner?
- Accelerate the sales cycle and close deals faster?
- Compete more favorably with competitors who are not certified?
- Improve the job satisfaction of the employees required to respond to requests and/or prevent employees from leaving because of it?
The possibilities, while not endless, are fascinating to ponder.
Protect Your Business
If business acceleration as a result of HITRUST certification still isn’t enough, consider these additional benefits:
- The HITRUST Common Security Framework (CSF) maps the controls from numerous compliance standards, laws, and frameworks together including international and privacy. As your footprint, business model, and solutions set grows or changes, organizations can adapt the certification to include these new controls.
- The HITRUST certification process is heavy on policy and documentation, forcing organizations to put governing documents in place. The assessment itself ensures these documents are fully implemented in your framework.
- HITRUST-certified companies come away with confidence about where they stand with respect to their security posture. They also have a firm understanding of next steps.
- Organizations have the option to achieve a SOC or NIST certification as a byproduct of the HITRUST process.
Agio Healthcare is here to guide your organization through the HITRUST process with our unique, effective, and programmatic approach to cybersecurity and compliance initiatives. Call us for a scoping conversation with a HITRUST Assessor.