Why Do Insurance Companies Care about HITRUST Certification from Their Vendors?

HITRUST is an organization created in 2007 that holds businesses in the healthcare industry accountable for fulfilling their legal requirements for web and digital security. HITRUST created a framework called the Common Security Framework (CSF) for businesses to follow in order to ensure their compliance. 

The CSF consolidates 845 local, national, and global regulations and security standards that govern web and digital security. These include HIPAA, HITECH, PCI, COBIT, NIST, FTC, and more. Because the wording of these regulations can be vague, the CSF is invaluable to organizations that want to be sure they are compliant: it interprets the requirements of each regulation and shows the organization how to implement them.

HITRUST certification is the most extensive certification that a business could possibly acquire. It is the end-all, be-all of digital security certifications. In the healthcare industry, HITRUST certification has become synonymous with security and protection. Not only does this certification tell insurance companies that the website meets all of the necessary legal requirements, but it also tells them that the organization places a high priority on security.

Receiving a HITRUST certification is a lengthy and arduous process. But by becoming certified, vendors show insurance companies that they can be trusted completely.

It is the Highest Standard for Digital Security

HITRUST covers all of the essentials for digital security. There is not a single legal regulation, requirement, or standard that is not covered under a HITRUST certification. Businesses and organizations spend months auditing, revising, and re-auditing their security measures to make sure that they meet the requirements for this certification.

By working with a vendor that is HITRUST certified, you are getting a guarantee that they meet all of the necessary standards. You also have the confidence of knowing that these vendors are frequently subject to evaluations to ensure that they have kept best practices and are up-to-date on any new developments in cybersecurity.

HITRUST Regulations Prevent Cyber Attacks

Computers connected to the internet are attacked by hackers every 39 seconds. That’s more than 2,000 times every day. If a security system does not meet the required standards, there’s a serious risk of a massive breach.

These attacks are on the rise. In the U.S., we are only becoming more reliant on technology as time goes on. It’s not uncommon now for doctors’ offices and other healthcare entities to make personal information available through apps and websites. In 2017, $6.5 billion went towards funding digital healthcare startups.

HITRUST certifications apply to all of these apps and websites. If they are certified, you can be sure that they have been meticulously audited to ensure that they are meeting all of the necessary security requirements.

These requirements are also updated frequently so that new technology and cyber-hacking strategies are taken into account. Every day, hackers find new ways to get around even the most innovative security measures and gain access to personal information.

Because of the presence of this constantly changing threat, the security measures need to change just as rapidly. HITRUST certification isn’t just a badge that an organization receives and then never has to worry about again. Regular audits are performed and reviewed to make sure that sensitive information is going to be safe from the latest hacking strategies.

It Saves Money

Security breaches cost the healthcare industry millions of dollars. According to Healthcare Weekly, each record that is accessed costs the organization $380 on average. In each breach, hundreds of thousands of files could be accessed and compromised. In 2017, a total of 5.6 million records were accessed by an unauthorized person. With an average of $380/file, that’s over $2 billion that the industry overall paid in damages that year alone.

Further damages are incurred through lost business and the expense of marketing campaigns to repair the organization’s image. Once the public knows that an organization cannot be trusted to keep their personal information safe, their view of that organization is tarnished for years to come.

It’s Good for Everyone

HITRUST certification reassures insurance companies of the quality and integrity of a vendor. Insurance companies know that a certified vendor is willing to put in a lot of time and money to ensure the security of their organization.

Also, HITRUST certification saves money for the organizations that hold it. By investing in their security measures, they prevent breaches that could cost them hundreds of thousands, if not millions, of dollars.

And, most importantly, HITRUST certification is also good for the consumer. The bottom line for HITRUST certification is that it protects the sensitive information of the people who visit healthcare organizations.

Ultimately, that last point should be the priority of any organization that holds private health information. If an organization is not willing to invest the time and money into becoming HITRUST certified, it should not be allowed to house such sensitive information in the first place.


When a vendor is HITRUST certified, insurance companies know that they are working with an organization that holds itself to the highest standard of security. They can be confident in the fact that they will be protected from breaches, be saved from expenses and bad publicity caused by breaches, and will serve the people to the best of their ability.

If you work for an insurance company that is considering new vendors and there are some candidates that are not HITRUST certified, you’re better off eliminating those organizations from consideration. Any organization that is not certified is not one that you should trust with sensitive information.

This article was authored by Codrin Arsene @ Digital Authority Partners
