No one wants to work with an at-risk healthcare provider. If someone is looking to use your services, they want to know how secure your healthcare organization actually is. You may think that you have a secure healthcare organization, but does an auditor? With more and more healthcare security breaches being reported to the HHS, it’s more important than ever for covered entities and business associates to demonstrate their commitment to keeping protected health information (PHI) secure, providing quality healthcare services, and putting their patients’ well being first. Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

A SOC 2 is perfect for both covered entities and business associates that want to reassure their clients that their information is secure, available, and confidential. It’s become increasingly common for organizations to request that their vendors become SOC 2 compliant so they can ensure that the healthcare organizations they work with have strong security postures.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

While the responsibilities of covered entities and business associates vary, typically a healthcare organization will choose to be evaluated against the security, availability, and confidentiality categories. If a client can’t be assured that you have reliable, secure processes for securing protected health information, why would they choose to work with you?

Why Should Healthcare Organizations Include the Privacy Category?

Aside from choosing the security, availability, and confidentiality categories, it might make sense for a healthcare organization to include the privacy category in their SOC 2 audit. Consider a doctor’s office – what’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications that you’re on. What if the office shares that personal information with a marketing company so it can advertise new prescriptions to you? What if they share it with a research organization that’s conducting research about treatments for your condition? What if they give that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of who your personal information will be shared with. By including the privacy category in your SOC 2 audit report, you’ll be able to ensure that your organization is handling client data in accordance with the commitments made in its privacy notice.

Benefits of SOC 2 Compliance for Healthcare Organizations

Undergoing a SOC 2 audit demonstrates that your healthcare organization is invested in providing secure services and remains committed to keeping not only your PHI secure, but ensuring that your patients receive quality healthcare services. Your reputation, business continuity, competitive advantage, branding, and most importantly, patients’ health all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

The healthcare industry is based on customer trust. If a client can’t trust your services, why would they choose to use them? If a patient is victimized as the result of your lack of due diligence, what would be the impact to their health and livelihood? If your organization suffers from a data breach, the negative impact to your reputation would be a ripple effect. Once your healthcare organization has been successfully attacked and patients’ PHI has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, larger, educated prospects won’t want to work with you, lawsuits and fines will begin to surface, and patients could face life-threatening consequences. The continuity of your business and your patients’ well being depends on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your healthcare organization will have a new branding tool. You can market your organization as having reliable, secure services. There are so many possible ways to incorporate your compliance into branding methodology, too. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the penalties of not pursuing SOC 2 compliance are. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your healthcare organization couldn’t secure their information?
  • What future sales would you lose if your healthcare organization suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

While the potential loss of business from a breach far outweighs the cost of SOC 2 compliance, a breach poses potentially life-threatening consequences for patients. Isn’t that enough to pursue SOC 2 compliance? We think so. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

What is the Purpose of the SOC 2 Privacy Category?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Today, HITRUST released the much-anticipated HITRUST CSF v9.2. The changes reflect HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.

Changes in HITRUST CSF v9.2

The two major changes in the HITRUST CSF v9.2 surround its shift to an industry-agnostic framework and the incorporation of international regulatory requirements. The HITRUST CSF v9.2 extracts healthcare-specific requirements from the three implementation levels and places them in a separate industry control segment, which ensures non-healthcare entities do not see these in their assessment. Healthcare language has also been updated as a part of the agnosticizing effort. For example, terms like “business associates” have been updated to “vendors” and “PHI” has been updated to “covered information.” To expand its international reach, the HITRUST CSF v9.2 includes plain-language versions of the EU’s General Data Protection Regulation (GDPR) requirements and Singapore’s Personal Data Protection Act (PDPA).

Per HITRUST, the other notable changes in this version include changes based on feedback from the HITRUST community, miscellaneous corrections, and the restructuring of category 13.

HITRUST’s Adaptability to New Industries

The CSF began with incorporating standards from ISO, NIST, PCI, HIPAA, and COBIT to set baseline security controls with the goal of normalizing security requirements, providing clarity and consistency, and reducing the burden of compliance with these requirements for healthcare organizations. Now, HITRUST is expanding the CSF beyond healthcare.

Even as an assessor firm, we’re having to adapt how we think about the HITRUST CSF, a historically healthcare-focused framework. Industries like manufacturing, travel and hospitality, media and entertainment, or restaurants don’t have a defined, industry-accepted information security framework; HITRUST is aiming to be that catch-all information security, privacy, and risk management framework so that no organization is left unprotected. If your organization is in an industry that doesn’t have a standard controls framework, the HITRUST CSF may be exactly what you need to help your organization protect its information. By pursuing HITRUST compliance, you’re putting yourself in a better position for the future and making your organization more competitive.

Jeff Pochily, Director of Audit Operations and CCSFP, comments, “The HITRUST CSF has always been the premier framework for information security in the healthcare industry, but that’s never been the limit of its usefulness. It has always been a framework with the potential to drive a mature compliance program in any industry. With increasing frequency I find myself recommending the HITRUST CSF to my clients across industries as a reference and roadmap to building a better compliance program.”

The HITRUST CSF v9.2 is now available within the HITRUST MyCSF. If you are currently in an existing v9.1 assessment, there is no immediate impact to you unless you or your assessor firm decides that v9.2 is more appropriate to the scope and requirements for your organization.

For more information on how you can leverage a HITRUST assessment, especially in industries outside of healthcare, contact us today to start your compliance journey.

More HITRUST Resources

What is a HITRUST CSF Audit?

Preparing for a HITRUST CSF Assessment

How to Scope a HITRUST Engagement

The HITRUST CSF Assessment Process and Beyond

As vendors, managed service providers (MSP) are sought out to help entities create and maintain a strong security posture – they shouldn’t bring more risk into their clients’ environments. When organizations engage with MSPs, they want to know how secure their organization really is and will often ask that the MSP undergo a SOC 2 audit before engaging with their services. So, while you may think that your services are secure, will an auditor? Will a malicious hacker find vulnerabilities to exploit? Let’s take a look at how a SOC 2 audit could bring value to MSPs’ reputations, marketing initiatives, and competitive advantages.

What is a SOC 2?

It’s no secret that engaging with vendors increases the risks that organizations must account for, which is why more and more organizations have asked that their MSP receives a SOC 2 attestation before doing business with them. But what is a SOC 2 audit and how can it benefit an MSP? It’s simple: a SOC 2 audit is a perfect fit for MSPs that want to reassure their current and potential clients that their information is secure, available, and confidential. For MSPs that are looking to continue partnerships with their clients or gain a competitive advantage, a SOC 2 audit is a great place to start.

A SOC 2 audit addresses third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

Typically, an MSP will choose to be evaluated against the security, availability, and confidentiality categories. If a client can’t be assured that you have reliable, secure processes for protecting the information systems they’ve entrusted you to manage, why would they choose or continue to work with you?

Benefits of SOC 2 Compliance for MSPs

When an MSP undergoes a SOC 2 audit, it demonstrates that they are invested in providing secure services and ensuring that their clients’ information security assets remain protected. MSPs’ reputation, business continuity, competitive advantage, and branding all depend on the quality and security of their systems and can benefit from SOC 2 compliance.

As vendors, MSPs depend on trust. If a client can’t trust your services, why would they choose to use them? If your organization suffers from a data breach, the negative impact on your reputation would be a ripple effect. Once your organization has been successfully attacked and customers’ information systems exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be permanently changed. Clients will stop trusting you, prospects will stop inquiring about your services, and lawsuits and fines will begin to surface. The continuity of your business depends on securing your systems and proving that you are, in fact, a secure MSP.

If you do pursue SOC 2 compliance and achieve attestation, you will have a new branding tool that will help you better position yourself as a reliable, secure MSP. There are so many possible ways to incorporate your compliance into branding methodology. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed, quality-driven firm also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the penalties of not pursuing SOC 2 compliance are. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your organization couldn’t secure their information?
  • What future sales would you lose if your managed services suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of compliance. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

Online Audit Manager

Because of the complexity of today’s threats and the innovation of new businesses, it’s not uncommon for organizations to pursue multiple compliance goals at the same time.

Let’s say you provide IaaS solutions – you may want not only a SOC 2 attestation, but also HIPAA compliance for the healthcare clients you serve. Or let’s say you’re a payment processing SaaS that needs PCI compliance and a SOC 2 attestation. When an organization is pursuing multiple compliance goals, it’s crucial to find an auditing firm that has the technology and expertise to not only streamline your process, but also use your resources in the most responsible way.

At KirkpatrickPrice, we utilize our Online Audit Manager to do so. Let’s discuss the common challenges that come along with pursuing multiple compliance objectives and the solutions we provide.

Road Blocks for Multiple Compliance Objectives

We see three common challenges when companies try to undergo multiple audits: a heavy focus on remote auditing, a steep price, and lack of expertise.

Many auditing firms simply don’t have the necessary certifications and experience to provide a wide span of information security audits. Let’s go back to the SaaS example – to gain a SOC 2 attestation, you’ll need a CPA firm that has auditors who specialize in information security. To gain PCI compliance, your audit needs to be performed by a QSA. Looking for a CPA firm that’s also a QSA firm may prove to be challenging, but you want to perform due diligence to find a qualified, experienced information security auditing firm. If not, you’ll have to work with several different firms and several different auditors, who all have different processes.

Many auditing firms market themselves as the firm that doesn’t have to waste time and money on onsite visits because of their online portal (which is actually just a document upload site). They tout “100% remote auditing” as their best feature. If you’re an organization that just wants to check information security off your to-do list, these types of firms could be a good fit for you. We believe that an audit that is completely remote is actually a disservice. When we created our own portal with remote auditing functionality, we never intended to use it to make ourselves an “only remote auditing” firm. Onsite visits are needed to witness physical security controls, company culture, and integrity, and to cultivate the best partnership possible. Don’t choose a firm that pushes a fully remote audit.

With the development of online portals came new software providers. They offer a GRC portal as a service, but not the actual auditing. At KirkpatrickPrice, that’s not the way it works. We’re not going to charge you separate prices for an audit and for the use of our Online Audit Manager.

Shane Shissler, Technical Services Manager at Anexio, put it this way:

“Other GRC products are really great, but as I was watching demos, I realized that your portal did so much of the same stuff. Your portal essentially does all of the same things and has many of the same functionalities. Companies are charging up to $5,000 a month to use their GRC software. Your Online Audit Manager is automatically granted with doing the audit; it’s included in your pricing. Not only does KirkpatrickPrice do a great job with your reports and pricing, but with that report and that audit, you also give access to your portal which maps multiple frameworks. It’s just such an added value.”

The Online Audit Manager: Multiple Audits, One Solution

When an organization asks why they should work with KirkpatrickPrice, we can’t help but talk about our Online Audit Manager. When Joseph Kirkpatrick began his career in the information security industry, he noticed a major gap: a way to perform multiple audits through a single process. Thus, our Online Audit Manager was created. KirkpatrickPrice was the first authorized company to provide multiple audits through an online portal process.

Our Online Audit Manager isn’t intended for 100% remote auditing or solely a tool to store documents. Our portal is the way our auditors, audit support staff, technical writers, and client success team interact with clients and manage the audit progress. It’s how we combine multiple audit frameworks into one audit. The portal acts as a guide through the audit control objectives, allowing each client to organize their requirements and document their process.

Steve Grzybinski, Director of Security, Compliance, and Technology at Connectria Hosting, explains:

“What used to be difficult has become easier after incorporating the KirkpatrickPrice portal into our processes. KirkpatrickPrice has made the audit process more efficient with the tools and partnership mentality that they bring to the table. The online portal that allows us to combine all of the questions from all of the audit disciplines that we require has made this effort quicker, easier, and more engaging. The KirkpatrickPrice team has become an extension of the Connectria team throughout each exam effort. This harmonization is important for minimizing duplication of effort for any organization that must demonstrate compliance in multiple audit disciplines. Year over year, we continue to grow and improve our auditing processes. Connectria has been able to create repeatable automated processes for vulnerability management, evidence gathering, and monthly reporting after engaging with KirkpatrickPrice.”

If you’re wondering how you can meet all of your compliance goals, let us walk you through an Online Audit Manager demo and discuss your compliance plan. With KirkpatrickPrice, it may be more achievable than you think!

More Assurance & Compliance Resources

When Will You See the Benefit of an Audit?

5 Questions to Ask When Choosing Your Audit Partner

What Type of Compliance is Right for You? 10 Common Information Security Frameworks


If you’re a start-up trying to win new clients, the dreaded security questionnaires are coming your way. Or, let’s say you’re a midsize business that’s been operating for years and is bidding on an enterprise-level prospect – a security questionnaire request is in your future. Even we, as an information security auditing firm, are frequently asked about the security of our Online Audit Manager.

The questions may seem irrelevant, repetitive, and unreasonable. Or – maybe you know that you don’t have good answers. For start-ups, a security questionnaire may prompt the first time they’ve truly evaluated their security practices. For a midsize business, it may be a frustrating process to constantly fill out similar, but slightly custom questionnaires for every prospect. The intention behind security questionnaires, though, is a good one. Because so much responsibility lies in the hands of vendors and business partners, an organization has to complete its due diligence to protect its reputation, operability, and financial health.

Compliance from the Start

A client recently told us, “Compliance cannot be an afterthought. If you’re starting a business, please think about information security first.” We completely agree with this sentiment. A business that is driven by security and integrity will create a quality service or product.

One of our auditors, Shannon Lane, says it best. “A compliance program is usually viewed as a cost center, an impediment to business practices, and a headache that seems to get worse year after year. And yet as auditors, we know that a system built with compliance in mind isn’t usually more expensive than a faster, easier solution. A business process or IT solution is hard to change, especially once it becomes core to the enterprise and its operations. Every shortcut taken in the design process, technology solution, or internal system haunts the company forever. It’s always lurking there, waiting to interrupt just when you think you’re prepared. That’s why creating a culture of compliance throughout your organization is so important. A compliance program must be made a priority from the beginning.”

Security questionnaires are tedious, but they’re trying to determine whether you’re an organization that values security, availability, confidentiality, integrity, and privacy. Are you going to bring more risks into a prospect’s environment? Are you going to provide them with a secure service? Will you hinder their business objectives or facilitate more opportunities?

Saving Time on Security Questionnaires

It’s difficult to know whether the company sending you a security questionnaire will put much stock in the answers, and how much those answers will impact the outcome of the deal. Or – what if you refuse to answer the security questionnaire, and they still choose to work with your organization?

Many organizations adopt the approach of refusing to release any information about their security practices, even during an audit. They tend to think, “By not sharing information, we’ll be more secure. Just trust us.” It’s the ultimate security paradox. The truth is, the more you isolate yourself, the less secure you are. You never have the internal blinders removed to get a new perspective. You never get to hear new strategies based on your practices. Even AWS provides information on their compliance programs, penetration testing practices, cloud security, and data privacy practices. AWS isn’t saying, “Just trust us.” They’re giving evidence of how they serve their customers best.

Alternative approaches to satisfy a security questionnaire request may include:

  • SOC 1 and SOC 2 reports contain an independent service auditor’s report, which states the auditor’s opinion regarding the description of a service organization’s systems, whether the systems were presented fairly, and whether the controls were suitably designed. As a result of the additional risks that vendors bring to their business partners, more and more organizations are asking for SOC 1 or SOC 2 attestations.
  • An FAQ on your organization’s internal security practices, summarizing your commitment to security and the actions you take to implement controls at your organization, could go a long way in demonstrating your “compliance from the start” attitude.
  • Allowing a potential business partner to review your breach notification policy, incident response plan, disaster recovery plan, or internal information security policy may be enough evidence to satisfy their request.
  • Formal risk assessments allow organizations to identify, assess, and prioritize organizational risk. By proactively undergoing a risk assessment, you may prove that you’ve evaluated the likelihood and impact of threats and have an effective defense mechanism against a malicious attack.
  • If your organization knows it’ll be filling out a lot of security questionnaires in the future, try filling out one of the many security questionnaire templates available online to formulate your answers and potentially see where your gaps are.

If you’d like more information on how to tackle security questionnaires, contact us today. We can provide many ways for your organization to demonstrate your commitment to secure practices.

More Resources

How to Read Your Vendor’s SOC 1 and SOC 2 Report

Getting Executives on Board with Information Security Needs

The First Step in Vendor Compliance Management: Risk Assessments

How Can a SOC 2 Bring Value to Your SaaS?