HITRUST MyCSF vs. GRC Tools: Understanding the Differences and Total Cost of Ownership (June 2016)

Copyright © 2015 HITRUST Alliance, LLC

Introduction

The HITRUST MyCSF™ is a significant leap forward in how healthcare organizations address regulatory compliance and manage risk. Since MyCSF offers many of the features of a governance, risk and compliance (GRC) tool, organizations may want specifics on the differences between MyCSF and standard GRC tools.

The purpose of this document is to provide an overview of these options and their advantages, allowing organizations to better understand, evaluate and identify the approach that best aligns with their environment and objectives.

HITRUST MyCSF

Operating as a risk management service solution, MyCSF is the only web-based tool that cohesively integrates the content and methodologies of the HITRUST CSF™ (CSF) and the CSF Assurance Program with the technology and capabilities of a GRC tool, while permitting the customization and optimization needed to meet the unique needs of a healthcare organization.

Healthcare organizations can use the tool to efficiently and effectively manage their security, compliance and risk management programs, all in one place, as they navigate the CSF, perform assessments, manage remediation activities, and report and track compliance. HITRUST has removed the operational burden, costs, time and risks associated with implementing and customizing a GRC platform, giving organizations immediate access to the tool along with regular updates and enhancements.

MyCSF fully integrates the controls, implementation requirements, standards, and regulations of the CSF with the risk-based approach designed by HITRUST, enabling an organization to customize its view of the CSF controls to its environment, or a subset of its environment, based on risk factors. MyCSF is the only means by which an organization can access and utilize the CSF assessment questionnaires for self or validated assessments. By utilizing a GRC platform, MyCSF streamlines the execution and management of assessments against the CSF or other certification requirements. The assessments are complemented with robust compliance and risk tracking, reporting, remediation management, information security benchmarking, and a variety of add-on modules that allow organizations using the CSF to fully manage their compliance.

Because MyCSF is fully managed and hosted by HITRUST, there is no software or hardware required, and updates to the CSF and CSF Assurance Program are automatically pushed out to users. With MyCSF, an organization significantly reduces the resources needed to implement, synchronize, and manage a patchwork of tools not designed to function as a whole, removing the frustration and costs associated with ongoing operations, support, and maintenance.

[Figure: MyCSF Total Cost of Ownership (TCO) components: Managed and Secure Hardware; Dedicated Support and Maintenance Personnel; Evolving and Customized Software; Regular Content Updates; Fully Integrated and Optimized for Organizations Using the CSF]


Governance, Risk and Compliance Solutions

GRC tools widely used by organizations typically cover a broader scope for privacy and security than only the healthcare industry. Organizations will find that because GRC solutions are not limited in scope, they offer a greater opportunity to integrate with areas outside of privacy and security, such as enterprise risk, incident management, policy management, vendor management and business continuity management. GRC solutions may also integrate, typically for an additional fee, privacy and security requirements outside the scope of healthcare, such as GLBA, FFIEC, BITS or custom question sets.

Because of the flexibility and enterprise-wide nature of GRC tools, organizations looking for a broader, more customized suite of solutions for IT governance, risk and compliance that also have the resources available to implement and manage the tool will benefit from a full GRC offering.

Regarding healthcare privacy and security, HITRUST sub-licenses some of its content to approved vendors. These vendors leverage the CSF and integrate its content into their overarching GRC solution; however, the approach and degree of integration may vary from vendor to vendor, so organizations should carefully review each offering to ensure it meets their needs. The materials HITRUST makes available to GRC vendors include the entirety of the CSF library: the controls, requirements, cross-references and risk factors. Customers of GRC vendors leveraging the CSF may in turn gain access to this material for internal use. HITRUST does not make available its Assessment questionnaire, which is used for conducting streamlined risk assessments for HITRUST certification, third party attestation, and HIPAA and meaningful use compliance. This content, as well as the benchmarking data, is only available through MyCSF.

While GRC solutions in general are larger in scope and primed for organizational customization, it should be noted that the investment and resources required to implement and maintain these tools are significant, often requiring full-time staff and several months to become fully functional.

[Figure: GRC tool cost components, divided into Visible Costs and Invisible Costs: Application & Content; Hardware; Maintenance; Software Updates/Customization; Dedicated Personnel; Content Updates; Security; Hardware Updates]


MyCSF and GRC Tool Comparison

In general, MyCSF provides a simpler, more focused solution for accessing the CSF, conducting streamlined information security risk assessments that address multiple standards and regulations, and managing remediation plans and other processes. GRC tools, however, offer greater integration across the organization to provide enterprise-wide views not limited solely to healthcare privacy and security. Nevertheless, given the focus of MyCSF and the broad scope of GRC tools, organizations may benefit from using both solutions, leveraging the enterprise-wide integration of a GRC tool with the tailored approach to privacy and security in healthcare available with MyCSF.

MyCSF is hosted securely in a CSF Certified data center, and organizations are relieved of the responsibility to protect and monitor their own environment. Another benefit of the MyCSF tool is that HITRUST customizes and manages the tool with CSF users in mind, saving organizations from the struggle to set up complex workflows, import and map regulations, and continuously update the content.


Which is right for you?

While traditional GRC tools provide tracking against a broad range of regulations, MyCSF provides a greater depth of functionality and integration centered on the HITRUST CSF. The CSF is healthcare-specific and includes over 15 authoritative sources.

The table below provides a full comparison of the capabilities and advantages of MyCSF and GRC tools.

Columns: MyCSF SMB | MyCSF Professional - Enterprise+ | MyCSF Performance | GRC Tool¹

- CSF Content Library: ✓ ✓ ✓ ✓²
- CSF Assessments: ✓ ✓ ✓
- CSF Benchmarking: ✓ ✓ ✓
- Scoring / Maturity Model: ✓ ✓ ✓
- Reporting: ✓ ✓
- CSF Self, Validated and Certified Reports: ✓³ ✓³ ✓³
- Remediation Tracking: ✓ ✓ ✓ ✓
- Workflow and Notifications: ✓ ✓ ✓ ✓
- Dashboards: ✓ ✓ ✓
- Role-based Views: ✓ ✓ ✓ ✓
- Support for Multiple Standards / Regulations: ✓ ✓ ✓ ✓
- Configurable Questions: ✓
- Updates (new or updated standards / regulations): ✓ ✓ ✓
- Enhanced GRC Capabilities: ✓ ✓

¹ These capabilities are general statements and may vary between GRC vendors.
² Requires configuration and integration.
³ Additional fee and/or use of a HITRUST CSF Assessor required.


The table below provides a representative comparison of the costs and resources required for a small to mid-sized healthcare organization to implement and maintain MyCSF and a GRC tool.

Per Year Total Cost of Ownership (TCO)

| Cost item | GRC Tool¹ | MyCSF | Cost Savings |
| --- | --- | --- | --- |
| Hardware | $4,000 | $0 | $4,000 |
| Software (OS/DB) | $3,000 | $0 | $3,000 |
| Content | $5,000 – $7,500 per Content Pack | $0 | $5,000 – $7,500 per Content Pack |
| Implementation (Labor) | $15,000 | $0 | $15,000 |
| Total One-Time Costs (3 Modules) | $67,000 | $0 | $67,000 |
| Software | $40,000 – $90,000 Module/year | $0 | $40,000 – $90,000 Module/year |
| Maintenance (Labor) | 1 FTE² ($110,000) | 0 FTE | $110,000 |
| Subscription Fee³ | $0 | $10,000 – $75,000/year | $0 |
| Total Annual Costs (3 Modules) | $150,000 – $200,000 | $19,500 – $100,000 | $100,000 – $130,500 |
| Annualized TCO | $217,000 – $267,000 (Year 1); $150,000 – $200,000 (Year 2) | $19,500 – $100,000 | $208,000 – $213,000 (Year 1); $141,000 – $186,000 (Year 2) |

¹ Costs are for small to medium sized implementations. Larger implementations will be two to three times more, demonstrating a larger cost savings.
² Represents a combination of disciplines, including support, customization, updates, etc.
³ Represents modules covering assessment, corrective action plan (CAP) management and exception processing.

Complete pricing for MyCSF is available by contacting HITRUST at 855.HITRUST or [email protected], or by viewing the MyCSF pricing sheet.


855.HITRUST

(855.448.7878)

www.HITRUSTalliance.net