SOC 2 and HIPAA Certification: The Nuts & Bolts
Last month, we posted the news of our achieving SOC 2 and HIPAA compliance certification. Although it is quite an involved process, certification in these areas was important to us: not only does it demonstrate to clients that we take data security seriously, but being compliant also opens doors for our partners to demonstrate their own compliance.
It was a complicated, lengthy, and frankly, expensive process, but certainly worth it on multiple levels. Perhaps most meaningful is that it is another example of U.S. HealthTek’s growth and its commitment to information security. We are excited about the concrete way we can now demonstrate to our clients that their data and health information are stored and processed in a secure manner, according to the highest standards of data security. In my short time here (joining in February 2023 as COO), it’s been equally the hardest and the most rewarding experience thus far. Now, let’s dive into what it took to get there.
What Are SOC 2 and HIPAA?
System and Organization Controls 2 (SOC 2) is a set of auditing standards that assesses the security, availability, processing integrity, confidentiality, and privacy of an organization’s data systems. Some might be surprised to learn that it’s not mandatory for industry organizations, though achieving certification is an advantage, as it means that the healthcare company has put in place the strongest security controls possible.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes mandatory standards for safeguarding Protected Health Information (PHI) in addition to personal data. There is overlap between SOC 2 and HIPAA, and while their objectives are different, combined they offer the highest assurance and confidence in the protection of sensitive data.
For U.S. HealthTek, we decided to take this gargantuan step as part of our overall strategy of growth and expansion, which has included the steady addition of talented professionals to our team, the creation of exciting new products and services for our partners, and an increased commitment to a growing healthcare community.
The Process of Certification
The discovery process started in October of 2022, though it wasn’t until February that we fully undertook the effort. My background in project management and lab operations helped me lead the team through the process, but we leaned heavily on the technical guidance and expertise of Robert Negosian (CTO) and Brad Carney (Director of Infrastructure). To achieve these two certifications, our organization needed to demonstrate that all policies, protocols, and procedures for how information is handled were securely in place. This included having every employee understand and acknowledge these policies on an individual level as well.
We chose Vanta as our compliance management platform for automating security monitoring and preparing for the audit, as it allowed us to streamline the examination process. Using that platform, it took us four months to get all our employees onboarded through the system.
There were additional safeguards that we put in place to cover the many details and facets of information security, which go very deep. For example, certification ensures that a company addresses the current 18 personal data points that can be used to identify an individual. This includes the obvious (name, date of birth, address, fingerprints), but also newer and ever-changing identifiers, such as facial recognition. The details of how a data platform interfaces with customer systems, retrieves information, and hosts the data can be complex, but a deep understanding of those details reveals how important it is to have security controls in place. Ensuring that our clients are comfortable and confident in our ability to keep their information safe is paramount to us, and so the certification process was a must-have.
The Audit Process
Once the policies were in place and all evidence of controls was documented, we moved to the audit phase. A Type I audit verifies that an organization has procedures and controls in place at a given point in time. A Type II audit occurs over a period of time, three months in our case, during which the auditor observes the procedures and controls in action. Any new employees? Any employees leave? Any reported ‘incidents’ of any kind, and how did we respond? Any HIPAA breaches?
The process was fascinating, and a little nerve-racking, but very thorough. During our “tabletop exercise,” there was a rehearsal where a fake breach was activated, and our team was carefully observed on all facets of our response. During the Type II audit we were tasked with providing evidence of a control in practice, in addition to several other real-time demonstrations of our capabilities. I’m happy to say that these were all hoops we jumped through and passed with flying colors.
Certification Success & Maintenance
Our commitment to this level of certification is significant because it demands and deserves due diligence and continuous attention. These policies need to be renewed every year, so our clients and partners know that the latest security measures and protocols are in place for their data. All new employees who join us must go through the same training and learning that our current employees have completed. That onboarding process includes having each employee computer monitored to make sure it has secure and up-to-date antivirus protection, an approved password manager, a secure screen lock, and an encrypted hard disk. It’s an involved process that goes down to even the smallest details and single individuals.
The SOC 2 and HIPAA certifications demonstrate that information is safe and secure at the highest level with U.S. HealthTek. It’s the gold standard; and when placed in the context of all the other growth and expansion happening here – from our new services and products to our outstanding personnel – we are confident and excited about leveraging this certification on behalf of our current and future clients and partners.