The healthcare industry has always been a prominent target for cybercriminals worldwide. A successful attacker gains access to high-value patient PHI/PII and can misuse it, disrupt a patient's treatment routine, or take down clinical systems whose availability is critical. The repercussions reach patients, doctors, hospitals and everything else in the healthcare ecosystem.
Information security is a concern for every organization, including those that outsource key business operations to third-party vendors (e.g., SaaS and cloud-computing providers). Rightfully so: data mishandled by a provider, especially one delivering application or network security services, can leave an enterprise exposed to data theft, extortion and malware. SOC 2 is an attestation report, issued by an independent CPA firm, on whether a service provider's controls for managing customer data are suitably designed (Type I) and, in a Type II report, operated effectively over a review period. For security-conscious businesses, a current SOC 2 report is a minimum requirement when evaluating a SaaS provider.
1. What is SOC 2 compliance?
SOC 2 is one of the report types in the American Institute of CPAs (AICPA) System and Organization Controls (SOC) reporting framework. Its purpose is to give assurance that a service organization's systems and controls are designed and operated to support the security, availability, processing integrity, confidentiality, and privacy of customer data. A SOC 2 examination is both a technical review of the controls in place and a check that comprehensive information security policies and procedures are written down and actually followed.
2. Who does SOC 2 apply to?
SOC 2 applies to service organizations that store or process customer data on behalf of other organizations. In practice that means nearly every SaaS, PaaS and IaaS provider, and any company that keeps its customers' information in the cloud (today, a large share of organizations). SOC 2 is one of the most common compliance requirements that technology-focused companies must meet.
3. What does SOC 2 require?
First and foremost, SOC 2 requires that you develop security policies and procedures. They must be written down and followed, and auditors can and will ask to review them along with evidence that they are applied. The Security category (the common criteria) is in scope for every SOC 2 report; availability, processing integrity, confidentiality and privacy are brought into scope based on the services you provide and what your customers expect. Your policies and procedures should cover every category you include.
4. What must I monitor for SOC 2?
Meeting SOC 2 compliance means establishing processes and practices that provide oversight across your organization. Specifically, you need to monitor for unusual, unauthorized or suspicious activity, most often at the level of system configuration and user access. Monitoring must catch both known malicious activity (a common phishing scheme, an obviously inappropriate access) and unknown malicious activity (a zero-day exploit or a new pattern of misuse). To find these unknowns you first establish a baseline of normal activity in your cloud environment, so that deviations from it stand out. The practical way to do this is continuous security monitoring, with audit logs from every in-scope system collected centrally and retained so that the evidence covers the review period.
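The baseline-then-deviation idea above is easy to show in code. The following is an added example, not part of the original article or any monitoring product: it builds a per-user profile (source IPs, actions, active hours) from a constructed set of cloud audit events, then flags later events that are either known-bad on their face (tampering with the audit trail) or deviate from the user's own baseline (new source IP, unseen action, off-hours activity, or a user with no history at all). The event fields and action names are illustrative, loosely modelled on cloud audit-log schemas; map your provider's real schema onto them.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit events (not real logs). Field names and action
# names are illustrative only; adapt them to your provider's audit schema.
BASELINE_EVENTS = [
    {"time": "2024-03-04T09:12:00Z", "user": "alice", "action": "GetObject",         "src_ip": "203.0.113.10"},
    {"time": "2024-03-04T10:45:00Z", "user": "alice", "action": "PutObject",         "src_ip": "203.0.113.10"},
    {"time": "2024-03-05T14:03:00Z", "user": "alice", "action": "GetObject",         "src_ip": "203.0.113.11"},
    {"time": "2024-03-04T08:30:00Z", "user": "bob",   "action": "DescribeInstances", "src_ip": "198.51.100.7"},
    {"time": "2024-03-05T16:20:00Z", "user": "bob",   "action": "GetObject",         "src_ip": "198.51.100.7"},
    {"time": "2024-03-06T11:00:00Z", "user": "bob",   "action": "DescribeInstances", "src_ip": "198.51.100.7"},
]

NEW_EVENTS = [
    {"time": "2024-03-07T09:40:00Z", "user": "alice", "action": "GetObject",   "src_ip": "203.0.113.10"},   # normal
    {"time": "2024-03-07T03:15:00Z", "user": "alice", "action": "GetObject",   "src_ip": "192.0.2.99"},     # new IP, off-hours
    {"time": "2024-03-07T13:05:00Z", "user": "bob",   "action": "StopLogging", "src_ip": "198.51.100.7"},   # known-bad action
    {"time": "2024-03-07T12:00:00Z", "user": "carol", "action": "GetObject",   "src_ip": "198.51.100.20"},  # no history
]

# "Known malicious or obviously inappropriate" regardless of baseline:
# switching off or deleting the audit trail is the classic example.
KNOWN_BAD_ACTIONS = {"StopLogging", "DeleteTrail"}


def _hour_utc(ts):
    """Hour of day in UTC for an ISO-8601 timestamp ending in 'Z'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour


def build_baseline(events):
    """Per-user profile of what 'normal' looked like: source IPs, actions, active hours."""
    profile = defaultdict(lambda: {"ips": set(), "actions": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["ips"].add(e["src_ip"])
        p["actions"].add(e["action"])
        p["hours"].add(_hour_utc(e["time"]))
    return dict(profile)


def flag_deviations(events, baseline, known_bad=KNOWN_BAD_ACTIONS, hour_slack=1):
    """Return [(event, [reasons])] for events that are known-bad or deviate from baseline."""
    findings = []
    for e in events:
        reasons = []
        if e["action"] in known_bad:
            reasons.append(f"known-bad action {e['action']}")
        p = baseline.get(e["user"])
        if p is None:
            reasons.append("no baseline for user")
        else:
            if e["src_ip"] not in p["ips"]:
                reasons.append(f"new source IP {e['src_ip']}")
            if e["action"] not in p["actions"] and e["action"] not in known_bad:
                reasons.append(f"action {e['action']} not previously seen for user")
            # Active window = [earliest, latest] baseline hour, widened by hour_slack.
            # Simplification: assumes a user's normal activity does not span midnight UTC.
            h, lo, hi = _hour_utc(e["time"]), min(p["hours"]), max(p["hours"])
            if not (lo - hour_slack <= h <= hi + hour_slack):
                reasons.append(f"off-hours activity at {h:02d}:00 UTC")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for event, reasons in flag_deviations(NEW_EVENTS, base):
        print(f"{event['time']} {event['user']:6} {event['action']:18} <- {'; '.join(reasons)}")
```

Run as-is, the script flags three of the four new events and leaves alice's routine morning download alone. The known-bad list is the "known" half of the requirement; the per-user profile is the "unknown" half, and it only works if the baseline window is long enough to capture genuinely normal behaviour, which is why the preceding paragraph ties it to continuous monitoring rather than a one-off check.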
5. SOC 2 for Healthcare Organizations
Healthcare organizations can now demonstrate many of the mandated provisions of the HIPAA Security Rule by undergoing annual SOC 2 examinations by an independent auditor. SOC 2 was introduced with the explicit purpose of letting companies externally validate and communicate their security posture, using the AICPA's Trust Services Criteria (TSC) as the measuring stick. The TSC are criteria rather than prescribed technologies; organizations typically meet them with controls such as encryption, access controls, two-factor authentication and firewalls, and the auditor tests whether those controls operate as described.
At the end of the auditing process, the SOC 2 auditor issues a report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls.
Achieving SOC 2 compliance is a significant accomplishment for any service provider in healthcare. But the full value of SOC 2 is realized only when it is built on an effective HIPAA compliance program. One crucial difference is that SOC 2 is undertaken voluntarily, usually because customers demand it, whereas HIPAA's requirements are not voluntary: they carry the full force of federal law, and failure to comply can expose a company to severe civil and even criminal penalties.
One of the primary reasons HIPAA was enacted was to protect the privacy and security of patient health information. The HIPAA Privacy Rule lists 18 identifiers (names, dates, contact details, account and device identifiers, biometrics and the like) that, when associated with health information, make it protected health information (PHI); PHI must be safeguarded whether it is in physical form or electronic form (ePHI). This information is generally created by covered entities such as healthcare providers, health plans and healthcare clearinghouses. When covered entities use vendors to store, process, analyze or otherwise handle PHI and ePHI, those vendors are business associates under HIPAA.
The regulations require any covered entity or business associate that handles PHI to be fully HIPAA compliant, and they require business associate agreements (BAAs) to be signed before PHI is transmitted to a business associate. A BAA should clearly define each party's responsibilities for safeguarding PHI and ePHI. PHI is a narrow legal category, whereas the scope of a SOC 2 report is whatever system and data the service organization chooses to describe. The two will usually overlap, but you cannot assume that a SOC 2 report means PHI is being handled in a HIPAA-compliant manner; that has to be checked against the Security Rule's requirements and the terms of the BAA.
One other key difference between HIPAA and SOC 2 is that there is no such thing as a "certification" of HIPAA compliance; HHS does not certify or endorse any program. What exists instead is third-party verification offered by compliance vendors. Compliancy Group, for example, issues its "Seal of Compliance" to clients that have met all seven elements of an effective compliance program as defined by the HHS Office of Inspector General. SOC 2 is likewise not a certificate but an attestation report; its weight comes from being issued by an independent CPA firm under AICPA standards.
As cybercrime increases, forward-thinking healthcare organizations and the companies that support them are looking for ways to reduce the risk of becoming victims. SOC 2 is one of the trusted frameworks for implementing controls that are independently audited, helping healthcare organizations and their vendors build resilience against data breaches, ransomware and other cybercrime.
About Ankit Kumar Agarwal
Ankit Kumar Agarwal is the Director of IT Delivery Services at NewWave Telecom & Technologies Inc., collaborating with some of the best minds in the industry to establish health IT interoperability standards across the United States, improve patients' health outcomes and reduce healthcare waste.