Why Would a Healthcare Organization Need a SOC 2?

by Sarah Harvey / January 21st, 2019

No one wants to work with an at-risk healthcare provider. If someone is looking to use your services, they want to know how secure your healthcare organization actually is. You may think that you have a secure healthcare organization, but would an auditor agree? With more and more healthcare security breaches being reported to HHS, it’s more important than ever for covered entities and business associates to demonstrate their commitment to keeping protected health information (PHI) secure, providing quality healthcare services, and putting their patients’ well-being first. Let’s look at how a SOC 2 audit could bring value to your organization’s reputation, marketing initiatives, and competitive advantage.

What is a SOC 2?

A SOC 2 is well suited to both covered entities and business associates that want to reassure their clients that their information is secure, available, and confidential. It’s become increasingly common for organizations to require that their vendors obtain a SOC 2 report so they can verify that the healthcare organizations they work with have strong security postures, rather than taking those vendors’ word for it.

A SOC 2 audit addresses third-party risk concerns by evaluating the internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria. This means that a SOC 2 audit report focuses on a service organization’s non-financial reporting controls as they relate to the security, availability, processing integrity, confidentiality, and privacy of a system. When determining which Trust Services Criteria categories apply to your organization, consider the following questions:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

While the responsibilities of covered entities and business associates vary, typically a healthcare organization will choose to be evaluated against the security, availability, and confidentiality categories. The security category (the common criteria) is the baseline of every SOC 2 examination; the other categories are added based on the commitments you make to your clients. Keep in mind that a SOC 2 report is an independent attestation over your controls and does not by itself satisfy your HIPAA obligations; it complements them. If a client can’t be assured that you have reliable, secure processes for safeguarding protected health information, why would they choose to work with you?

Why Should Healthcare Organizations Include the Privacy Category?

Aside from choosing the security, availability, and confidentiality categories, it might make sense for a healthcare organization to include the privacy category in their SOC 2 audit. Consider a doctor’s office – what’s one of the first items that the receptionist hands you? A Notice of Privacy Practices. Why? You’re about to disclose personal information about your medical conditions to a medical provider, as well as provide them with other personal information like your date of birth, insurance information, and the list of medications you’re on. What if the office shares that personal information with a marketing company so it can advertise new prescriptions to you? What if it shares it with a research organization that’s studying treatments for your condition? What if it gives that information to other medical providers who are providing services to you, or to an insurance company? That Notice of Privacy Practices must fully inform you of whom your personal information will be shared with. By including the privacy category in your SOC 2 audit report, an auditor evaluates whether your organization actually handles personal information in accordance with the commitments made in that privacy notice, not just whether the notice exists.

Benefits of SOC 2 Compliance for Healthcare Organizations

Undergoing a SOC 2 audit demonstrates that your healthcare organization is invested in providing secure services and remains committed not only to keeping the PHI entrusted to you secure, but to ensuring that your patients receive quality healthcare services. Your reputation, business continuity, competitive advantage, branding, and most importantly, your patients’ health all depend on the quality and security of your systems and can benefit from SOC 2 compliance.

The healthcare industry is based on customer trust. If a client can’t trust your services, why would they choose to use them? If a patient is victimized as the result of your lack of due diligence, what would be the impact to their health and livelihood? If your organization suffers a data breach, the negative impact to your reputation will ripple outward. Once your healthcare organization has been successfully attacked and patients’ PHI has been exposed, you’ve put your organization on a path full of obstacles and fragmented security. Your reputation will be lastingly damaged. Clients will stop trusting you, larger, security-conscious prospects won’t want to work with you, lawsuits and fines will begin to surface, and patients could face life-threatening consequences. The continuity of your business and your patients’ well-being depend on securing your systems.

On the other hand, if you do pursue SOC 2 compliance and achieve attestation, your healthcare organization will have a new branding tool. You can market your organization as having reliable, secure services. There are many possible ways to incorporate your compliance into your branding, too. We always recommend that our clients leverage their compliance as marketing material, and we strive to help them find ways to do so.

When you partner with an auditing firm that educates you and performs a quality, thorough audit, you gain a valuable competitive advantage. Does your competition have a SOC 2 audit report? If not, you’re ahead of the game. Even if they have gone through a SOC 2 audit, was it a quality audit? You want to be educated on what a quality audit looks like so you can explain to prospects why your SOC 2 audit report holds more value than a competitor’s. Having a SOC 2 audit report from a licensed CPA firm that is quality-driven also opens you up to a whole new marketplace of prospects who are knowledgeable about security and are looking for a vendor with SOC 2 compliance.

Even with all of these benefits, you may be wondering what the cost of not pursuing SOC 2 compliance would be. These questions may help you understand the scope of the implications if you don’t invest in SOC 2 compliance:

  • How would your organization’s reputation be damaged if you suffered from a data breach?
  • Would your clients stay loyal to you if they know that your healthcare organization couldn’t secure their information?
  • What future sales would you lose if your healthcare organization suffered from a data breach?
  • How are you validating that your security and privacy practices are in place and effective?
  • How happy would your competition be if you suffered from a data breach?
  • What’s your potential exposure to lawsuits if you suffered from a data breach? What fines would you pay?
  • How much would it cost to investigate a data breach and notify clients who were impacted?

The potential loss of business from a breach far outweighs the cost of SOC 2 compliance, and beyond the financial impact, a breach poses potentially life-threatening consequences for patients. Isn’t that reason enough to pursue SOC 2 compliance? We think so. Our Information Security Specialists want to be your audit partner, your second set of eyes validating that your security and privacy practices are effective. Let’s start planning your SOC 2 audit today.

More SOC 2 Resources

SOC 2 Academy

Understanding Your SOC 2 Report

What is the Purpose of the SOC 2 Privacy Category?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria