This blog was written and produced by Courtney Nist, Senior Security Consultant CHQP, CCSFP, at FoxPointe Solutions. Looking to get in touch with Courtney? Reach out today: Courtney Nist cnist@foxpointesolutions.com.
Based on the Verizon Data Breach Investigations Report of 2021, healthcare and outsourced service providers continue to be two of the most popular targets for cyber criminals. The most common attacks occur through human error, basic web application attacks, and system intrusion. In order to reduce the likelihood of a security incident or breach from happening at your company, it is important to have attestations and assessments performed against your company’s internal controls by an independent third-party. Third party audits like a SOC 2 or HITRUST assessment are predicated upon ensuring that best practice internal controls are designed and operating effectively on a continuous basis. Some, but not all, of those best practice internal controls include:
- Logical and physical access controls over enterprise and software assets.
- Data protection controls.
- Configuration management.
- Account and access management.
- Vulnerability management.
- Penetration testing.
- Logging and monitoring management.
- Malware defenses.
- Data recovery controls.
- Infrastructure management.
- Security awareness and skills training.
- Vendor management.
- Incident response management.
The HITRUST Common Security Framework (CSF) incorporates and leverages a range of existing security requirements that service organizations must comply with under federal, state, and other governmental laws and regulations. The goal of completing a HITRUST CSF assurance program is to ensure that the protection over the sensitive information stored, processed, and handled on a daily basis remains secure. The program allows a service organization to identify how well its internal controls have been designed, through its current suite of policies and procedures, and whether they are operating effectively, through implementation testing. Additional testing is performed to evaluate whether a service organization is internally measuring, on a regular basis, the adequacy and effectiveness of all internal control implementations, as well as whether all internal controls are being sufficiently managed to ensure their success.
As the demand continuously increases for service organizations to show that they have maintained a list of certifications for potential and current customers, you may think that the HITRUST CSF assurance program appears to be a great option given its structure and design as a one-stop-shop that has the ability to test a service organization against the multiple laws and regulations that they must follow. However, while the HITRUST CSF assurance program is a highly regarded certification, some service organizations may not be ready to take it on, as it is relatively expensive and complex, and it must be completed within a 90-day window, which can be overwhelming if current staff levels do not allow for such a turnaround. Therefore, a great alternative would be for a service organization to go through the examination of a SOC 2 + HITRUST CSF report.
A SOC 2 + HITRUST CSF report is a mapping between the requirements of the HITRUST CSF and the security, availability, and confidentiality trust service criteria (TSC) categories of a SOC 2 report to provide information to user entities that a service organization’s internal controls surrounding its system are suitably designed and, if a Type 2, operating effectively to meet such standards. This option increases transparency by enabling you to communicate your company’s processes and procedures used to meet the applicable TSC as well as those it uses to meet the HITRUST CSF criteria without needing to go through a HITRUST CSF assurance program.
If your organization is interested in obtaining a SOC 2 + HITRUST CSF report, the first step is to engage with a CPA firm that specializes in SOC examinations and has experience with HITRUST CSF. Prior to jumping into the examination audit period, it is recommended to complete a SOC readiness assessment. A readiness assessment is a great step and can help you prepare for the audit period by identifying your company’s current internal controls, deficiencies, gaps, and needed remediation. In addition, auditors can help determine if this type of SOC report is right for your company to ensure that you will receive the most benefit from investing in the report and that your user entities’ needs will be met once it is completed. Other SOC report options include a SOC 1, SOC 2, and/or SOC 3 report.
FoxPointe Solutions is Here to Help
To learn more about SOC Reporting and how FoxPointe Solutions can help your organization get started, visit our SOC Reporting page or contact us today.
FoxPointe Solutions is solely responsible only for the content of FoxPointe Solutions authored information and is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.