SOC 2 Audits & HITRUST CSF Assessments – Introduction and Overview
As a healthcare organization – or provider of services to the broader healthcare arena – you’ve probably come across the SOC 2 HITRUST topic. After all, in today’s world of ever-growing regulatory compliance mandates, SOC 2 HITRUST is now front and center for thousands of businesses throughout North America. NDNB, one of the country’s leading providers of security and compliance audits, offers a comprehensive introduction and overview of the SOC 2 HITRUST topic.
With HITRUST certification comes one of the biggest questions that healthcare organizations are asking themselves: “Should we become HITRUST CSF compliant, or should we have a CPA firm perform a SOC 2 HITRUST assessment on our organization, and what’s the difference?”
Let’s examine this question – and others – in more detail.
- What is HITRUST?
- What is SOC 2?
- What are the Differences Between SOC 2 and HITRUST?
- When Combined, what is a SOC 2 HITRUST Report?
- Tips in Preparing for SOC 2 HITRUST
- The Importance of Policies and Procedures for SOC 2 HITRUST
According to https://hitrustalliance.net/, HITRUST, in conjunction with private sector, government, technology and information privacy and security leaders, has developed the HITRUST CSF, a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges sensitive information.
Furthermore, the HITRUST CSF harmonizes multiple frameworks, standards, state, federal and international regulations and leading practices into a single framework. The HITRUST CSF addresses industry-specific challenges by leveraging and enhancing existing frameworks, standards and regulations to provide organizations of varying sizes, geographic operations and risk profiles with prescriptive implementation requirements and guidelines.
Lastly, the HITRUST CSF is a scalable, prescriptive and certifiable framework that harmonizes numerous standards, regulations, control frameworks and leading practices.
A large number of healthcare organizations undertake annual HITRUST compliance by having an independent, third-party auditor assess them against the prescriptive HITRUST CSF framework. Specifically, HITRUST CSF Certification requires the services of a HITRUST approved CSF Assessor organization. The result is a report with findings that can be given to customers, prospects, local/state/federal agencies, and other applicable entities.
Let’s not forget the much-talked-about 2015 press release (http://bit.ly/2w6sS0p) through which HITRUST gained the attention of the broader healthcare industry, anticipating heavy adoption and implementation of the HITRUST CSF framework – adoption that has since happened. Bottom line, HITRUST CSF is the unrivaled industry leader in terms of healthcare compliance frameworks, and it’s here to stay.
SOC 2 – System and Organization Controls (SOC) – is an auditing framework put forth by the American Institute of Certified Public Accountants (AICPA) for auditing service organizations. Vital to the SOC 2 framework are the Trust Services Criteria (TSC), which consist of the following:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Specifically, according to the AICPA, SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems. Source: http://bit.ly/2Br0w63
More simply stated, SOC 2 audits (of which there are two types – a SOC 2 Type 1 and a SOC 2 Type 2) effectively assert whether the controls were designed properly (Type 1) and/or whether such controls operated effectively over a period of time (Type 2) in accordance with the requirements put forth by the applicable trust services criteria and the related common criteria.
As stated earlier, there are five (5) trust services criteria (TSCs) against which a service organization (i.e., your business) can be assessed in a SOC 2 audit: security, availability, processing integrity, confidentiality, and privacy. The security TSC is required for every SOC 2 audit; the remaining four are optional and can be added depending on the service provided.
It’s important to remember that SOC reports are very well known in the world of auditing, and as a result, can meet a wide range of internal control compliance reporting needs across various industries. So, along comes HITRUST, and now there is the option of a SOC 2 HITRUST report, something that makes sense for the large number of healthcare organizations throughout North America. Let’s take a look now at what exactly SOC 2 HITRUST is.
Technically speaking, the biggest difference is that SOC 2 is an AICPA “attestation” report, whereas HITRUST is a “certification” report. More simply stated, the “attestation” aspect of SOC 2 compliance means that management (i.e., the service organization on which the SOC report is being performed) attests to the information contained within the actual SOC 2 report. Additionally, the independent auditor (i.e., CPA firm) ultimately confirms the attestation via an opinion letter. Note that the CPA firm can issue different “opinions”: an “unqualified” opinion is a clean report, whereas a “qualified” or “adverse” opinion is generally seen as an adverse or suspect report on one’s internal control environment.
As for HITRUST, again, it’s a certification, and is without question a much more detailed report when compared to a standard, baseline SOC report. The HITRUST CSF framework simply has more controls, more detail, and more overall testing requirements than a standard, baseline SOC 2. This ultimately requires more time and effort from businesses undergoing HITRUST CSF compliance – no question about it.
Keep in mind that HITRUST has built the actual CSF framework from a variety of standards – with a heavy emphasis on ISO 27001/27002 – and the result is a set of controls far greater than a standard, baseline SOC 2.
A SOC 2 HITRUST report is essentially a SOC 2 combined with the HITRUST CSF control requirements used as the basis of an organization’s cybersecurity and information framework. To support this approach, HITRUST and the AICPA have collaborated to align the Trust Services Principles and Criteria to the HITRUST CSF, which provides standard and comparable requirements for use in SOC 2 reporting. Note that only a Certified Public Accountant (CPA) or CPA firm can issue a SOC 2 HITRUST.
Is One Better than the Other?
This really comes down to one’s reporting requirements. So, ask yourself this: are you being required to perform an actual HITRUST CSF assessment, or is there some degree of flexibility involved, perhaps allowing you to perform a SOC 2 HITRUST? This will ultimately determine which route to go. It’s not that one report is “better” than the other (even though the HITRUST CSF is much more comprehensive than a baseline SOC 2 audit, a SOC 2 HITRUST holds up in stature against a HITRUST CSF); it’s just about reporting needs.
One of the most important steps any service organization can take in preparing for an initial SOC 2 HITRUST assessment is to perform a scoping & readiness assessment. Why? First, because you’ll need to assess and identify certain scoping issues, such as which information systems, personnel, physical locations, third-party providers – and more – are in scope. Second, you’ll want to identify gaps and deficiencies within your control environment that require remediation, such as missing policies and procedures, technical/security misconfigurations, and more.
One of the most fundamentally important – yet often overlooked – aspects of becoming SOC 2 HITRUST compliant is documentation. Specifically, a wide range of information security and operational policies and procedures will need to be developed. Look, compliance is largely about documentation, so not having meaningful policies and procedures in place spells big challenges for your SOC 2 HITRUST audit.
The solution? Let NDNB author your information security policies and procedures for you. We have years of experience writing documentation. Additionally, we understand SOC 2 and HITRUST very well, which allows us to save an immense amount of time and money on the exact documents you need.
NDNB. North America’s SOC 2 HITRUST Leaders