I think there are pros and cons of HITRUST certification.

On one hand, it does indeed have documented standards, and provides something for organizations to work towards and be audited against. On the other hand, especially for covered entities, an OCR audit (or actual breach) would not distinguish between whether the organization is HITRUST certified or not.

Said another way, it couldn't hurt, but we generally don't recommend it to clients who aren't otherwise interested in it. The last thing that we want to suggest is something that might provide a false sense of security.

Frankly, while certainly not trying to bite the hand that feeds, I think compliance standards are sort of a racket. Every year at conferences like DEF CON, there are presentations like "completely owning a PCI compliance network!" Even following each rule, if the purpose of security is to pass an audit instead of to genuinely secure information, there will be problems. HIPAA, for its lack of actual certification, at least is generic enough to request real security controls be put in place.

I'd rather have my information at an organization that cares about security instead of one trying to pass compliance standards.



Yes, good points. On the other hand, it makes things easier to be able to point to a standard in lieu of answering security surveys with hundreds of questions, not always the same, from different prospective clients on a weekly basis. A certified standard would streamline this process. But maybe that's why organizations each have their own survey: in order to really gauge how well the org cares about security.


Is there anything like the PCI DSS for HIPAA?