Why SOC 2 certification could help health systems.
A data breach can harm a health system in more ways than one.
Data breaches in healthcare have become increasingly common over the last three years. In fact, during that time period, healthcare has suffered 955 major security breaches that have resulted in the exposure or theft of 135,060,443 medical records. That equates to more than 41 percent of the United States’ population having some of their protected health information (PHI) exposed as a result of those breaches. So how can healthcare systems begin to protect their patients’ PHI as well as their personally identifiable information (PII)?
Healthcare systems should implement the appropriate security frameworks into their business operations.
Currently, there are a handful of security frameworks for healthcare organizations to consider, such as HIPAA, HITRUST CSF and SOC 2 certifications. Of these, SOC 2 is arguably the most comprehensive, requiring evidence that a healthcare system has successfully implemented one or more of its established Trust Services Criteria (TSC): security, confidentiality, processing integrity, availability and/or privacy. To achieve a SOC 2 Type 2 certification, these controls must be validated as having been properly followed and working effectively over a standard period of time. It should be noted that SOC 2 controls are information agnostic, meaning they do not specifically look at protected health information per se; thus, SOC 2 certification is best when coupled with a HIPAA compliance audit.
Unlike other security-related compliance and certification initiatives, the SOC 2 certification is divided into two main phases. Type 1 is the conventional snapshot of an organization’s security posture, confirming that all requisite controls have been properly implemented. The Type 2 phase, which is intended to “validate” the security controls identified in phase 1, requires a minimum of six months to evaluate their effectiveness and the company’s compliance with them, as dictated by the selected SOC 2 TSCs.
The SOC 2 Type 2 certification is highly valued in healthcare technology because the certification process is so rigorous. These three tips can prepare an organization to complete its journey to certification.
Before deciding on a security framework, define your healthcare organization’s business drivers to better understand why your organization is pursuing the certification. Some healthcare organizations pursue security frameworks like SOC 2 because of a patient, health system or partner requirement. Others see the certification as a competitive advantage for winning new patients and partners. When deciding to integrate a security framework, it is imperative that organizations identify their business objectives ahead of time, so they can better manage the time, money, resources and expectations needed to meet their business goals.
When implementing a security framework, healthcare companies need to outline and specify the products (hardware, software, applications, etc.) and service offerings (cloud hosting, SaaS, IDS/IPS, logging, etc.) that need to be certified. In addition to outlining the product and service scope, health systems need to consider their geographic security scope, including any ancillary or remote operations as well as any company subsidiaries. In today’s digital world, the landscape of IT operations has expanded past the physical doctor’s office. Today, IT operations can include cloud-hosted, on-premises and a diverse set of enterprise IT environments, all of which need to be secure in order to be certified. Healthcare organizations also need to verify the security of their supply chain and of any services hosted by a third party when seeking high-level security certifications such as SOC 2. Outlining and defining a healthcare system’s security scope further helps an organization determine the duration and cost of deploying a security framework.
Before pursuing a SOC 2 certification, health systems need to have a good understanding of their organization’s security readiness and remediate any gaps they find. When evaluating your organization’s readiness, consider:
To better gauge an organization’s readiness, it is recommended to conduct a “SOC 2 Readiness (Gap) Assessment” of the organization’s in-scope products and services. These assessments can be conducted either in house or by a third party. Although more expensive, a third-party assessment can provide the subject matter experts needed to ensure a more comprehensive evaluation. In addition to the SOC 2 required controls, it is important for health systems to establish a baseline of controls, providing a roadmap of the safeguards that need to be addressed. When deciding to implement a specific control, the decision should be based on the cost of the safeguard relative to the cost of the asset it protects: the safeguard should not cost more than the asset. (Costs are not only financial; they can also include loss of revenue, reputation, market position, competitive advantage, compliance and so on.)
Data security needs to be taken seriously and should be a high priority for healthcare organizations. Data security is not going away; rather, it is expected to expand and evolve over time. Healthcare organizations need to act promptly if they want to defend their patients, partners and systems from data threats. It is imperative that healthcare organizations research, evaluate and implement a security framework sooner rather than later.