SOC 2 Healthcare

As incidents of cybercrime increase, forward-thinking healthcare organizations and the companies that support them are looking for ways to minimize the risk of becoming a victim of these illegal activities.

One solution that has become more popular is third-party assurance and advisory services such as SOC 2®. What does SOC 2 really mean, what is involved in achieving this status, what is the value of SOC 2 for healthcare companies, and where does SOC 2 fall short for these organizations?

SOC 2 for Healthcare – Sorting the SOCs

The first task is to decode a few acronyms. The SOC in SOC 2 stands for Systems and Controls. These voluntary compliance standards (SOC 1®, SOC 2®, SOC 3®) were established by the AICPA (American Institute of Certified Professional Accountants) as third-party audit reports to meet the needs of a broad range of users that need detailed information and assurance about the controls at service organizations, such as software-as-a-service (SaaS) companies.

SOC 1 focuses primarily on the financial controls within an organization, while SOC 2 examines the “…security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.”

SOC 1 and SOC 2 audits are further broken down into Type 1 or Type 2. Type 2 audits are much more in-depth than type one and are generally considered to be of greater value to a company and its clients. For the purposes of this discussion, all mentions of SOC 2 refer to the SOC 2 Type 2 audit.

SOC 3 reports contain the same information as SOC 2 reports, but the information is presented for a general audience rather than an informed one. SOC 3 reports can be generally distributed, unlike SOC 1 or SOC 2, which are intended for restricted audiences.

The AICPA also offers SOC for Cybersecurity, which provides services similar to their SOC 2 audits for businesses, non-profits, and other non-service organizations. SOC for Supply Chain focuses explicitly on that industry.

Let’s Simplify Compliance

HIPAA and security go hand-in-hand. Protect your business by becoming compliant today!

Learn More!
HIPAA Seal of Compliance

SOC 2 for Healthcare – Meeting the Standard

SOC 2 was introduced with the explicit purpose of addressing the need of companies to externally validate and communicate their state of security using the AICPA’s TSC (Trust Services Criteria) as the measuring stick. TSC includes security measures such as encryption, access controls, two-factor authentication, and firewalls.

An outside auditor determines whether a service organization ensures that they and their service providers securely manage customer data, using the SOC 2 standards as a guide. “Customer data” is a broad category of information that includes personal information, financial information, and other information tied to specific individuals. 

At the end of the auditing process, the SOC 2 auditor issues a report. This report provides detailed information about a service organization’s security, availability, processing integrity, confidentiality, and/or privacy controls. 

SOC 2 for Healthcare – The Value of Knowing

Achieving SOC 2 compliance is an intensive process that usually requires a significant investment of time, resources, and dollars. Depending upon the size of the organization and the complexity of its systems, the cost of the auditing process can run as high as six figures, and it may take a year to complete.

As a result, the reports provide detailed information about the actual effectiveness of an organization’s security posture, controls, and systems. It can expose potential vulnerabilities that could result in breaches. The savings realized by preventing a data breach could far exceed the cost of an audit, not to mention the value of protecting an organization’s reputation.

Security-conscious organizations prefer to work with SaaS providers that are SOC 2 compliant, and some will not entrust customer data to companies that have not earned this designation. 

SOC 2 for Healthcare – The Missing Piece

Achieving SOC 2 compliance is a significant accomplishment for any service provider in healthcare. But the full value of SOC 2 can only be realized if it is built upon an effective HIPAA compliance program.

One crucial difference between SOC 2 Compliance and HIPAA Regulations is that HIPAA’s requirements are not voluntary. They carry the full force of federal law, and failure to comply with HIPAA rules can expose a company to severe civil and even criminal penalties.

One of the primary reasons HIPAA was enacted was to protect the privacy and security of patient health information. HIPAA regulations identify 18 items classified as protected health information (