Post on 16-Mar-2018
© 2017 HITRUST Alliance.
SOC 2® + HITRUST: Understanding the Benefits
888.702.5446 | www.A-LIGN.com | info@a-lign.com
Presenter
Steve Simmons, Director of SOC and Attestation Services at A-LIGN
• Current member of the HITRUST Assessor Council
• Has overseen more than 1000 SOC audits
• Professional designations include:
– HITRUST Practitioner
– Certified Information Systems Security Professional (CISSP)
– Certified Information Systems Auditor (CISA)
– Certified Internal Auditor (CIA)
– ISO 27001 Lead Auditor
Agenda
• Understanding the Healthcare Compliance Landscape
• Compliance Options
• Breaking Down SOC 2 for Healthcare Providers
• Real-World Case Studies
• Summary
The Breach Landscape
“No locale, industry or organization is bulletproof when it comes to the compromise of data.” – Verizon’s 2016 Data Breach Investigations Report
The Breach Landscape
Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis
Value of Healthcare Data
• Healthcare data is worth more than 10x your credit card number on the black market
– Used to create fake IDs to buy medical equipment or drugs that can be resold
– Combine a patient number with a false provider number and file made-up claims with insurers
HITRUST Self-Assessment
• Performed internally by an organization
• Gap assessment
• Low level of assurance
• Step towards becoming validated or certified
• Results in self-assessment report
• Requires access to the MyCSF tool
HITRUST Validated Assessment
• Performed by a HITRUST CSF assessor organization
• Higher level of assurance
• Results in a validated or certified report
• Report is valid for 2 years
• Interim assessment after 1 year
• Requires access to the MyCSF tool
HITRUST Certified Assessment
• The same audit process as a validated assessment
– Becoming HITRUST CSF certified means that the organization received at least a 3 on HITRUST’s scale
• Performed by a HITRUST CSF assessor organization
• Report is valid for 2 years
• Interim assessment after 1 year
• Requires access to the MyCSF tool
• Provides the most complete assurance level certified by HITRUST
• Must meet all of the certification requirements of the HITRUST CSF
What is SOC 2?
• Covers tasks or entire functions outsourced to service organizations
• Predefined criteria: Trust Services Principles
• Five attributes of the system
• Requirements and guidance in AT Section 101
• Restricted Use
– Primary users: management of the service organization, prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators
• Type 1 or Type 2 report may be issued
SOC 2 Trust Services Criteria (TSC) Principles:
• Common Criteria/Security - The system is protected against unauthorized access (both physical and logical)
• Availability - The system is available for operation and use as committed or agreed
• Processing integrity - System processing is complete, accurate, timely, and authorized
• Confidentiality - Information designated as confidential is protected as committed or agreed
• Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in GAPP
SOC 2 Purpose/Use
• Subject matter other than user entities’ ICFR
• Understand the service organization
• Clear system description
• Addresses risk of IT-enabled systems and privacy programs
• Reports on one or more of: Common Criteria/Security; Availability; Processing Integrity; Confidentiality; Privacy
• Understand the complementary user entity controls
SOC 2 – Elements of the Report
• Opinion
– Fairness of Presentation
– Design
– Operating Effectiveness
• Assertion
• System Description
• Testing Matrices
• Other Information Provided By Management
SOC 2 Benefits for the Healthcare Industry
• Efficient and comprehensive reporting
• Meets third-party reporting needs
• Maps internal controls for SOX reporting
• Helps identify risks associated with securing sensitive information (PHI, PII, and/or Confidential data)
Applicability to Business Associates
• Who is SOC 2+ a good fit for?
– Service Providers (IT)
– Service Providers (non-IT)
– HIEs
– Hospitals
– Pharmacies
SOC 2 + Additional Subject Matter
• The service auditor’s report may also include:
– Criteria in addition to the applicable TSC
– Additional subject matter related to the service organization’s services (e.g. compliance with statement of privacy practices)
• The service organization must provide:
– A description of the subject matter
– A description of the criteria used to measure and present the subject matter
– A description of the controls intended to meet the criteria and an assertion by management
SOC 2 +
• There is significant overlap for the many companies that require a SOC 2 together with some combination of the other major standards, including, but not limited to:
– HITRUST CSF
– CSA Security Trust & Assurance Registry (CSA-STAR)
– ISO-27001
– NIST SP-800-53 R4
– COSO
– COBIT
SOC 2 + HITRUST CSF
• Partnership between AICPA and HITRUST
• Requires 135 implementation requirements
– Can issue the report based upon the 66 controls required for certification, pending AICPA approval
– Includes: Security, Availability, Confidentiality, HITRUST CSF
• Requires that the auditor is both a licensed CPA and a HITRUST CSF assessor (or has access to the HITRUST CSF)
SOC 2 + HITRUST CSF - Principles
• Common Criteria/Security
– Organization and Management
– Communication
– Design and Implementation of Controls
– Monitoring
– Logical and Physical Access
– System Operations
– Change Management
• Additional Criteria for Availability
• Additional Criteria for Confidentiality
• Additional Criteria for Processing Integrity
SOC 2 + HITRUST CSF - Principles
• Information Security Management Program
• Access Control
• Human Resources Security
• Risk Management
• Security Policy
• Organization of Information Security
• Compliance
• Asset Management
• Physical and Environmental Security
• Communications and Operations Management
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Privacy Practices
SOC 2 + HITRUST CSF - Principles (side by side)

SOC 2                                          | HITRUST CSF
-----------------------------------------------|--------------------------------------------------------------
Organization and Management                    | Information Security Management Program
Communication                                  | Access Control
Design and Implementation of Controls          | Human Resources Security
Monitoring                                     | Risk Management
Logical and Physical Access                    | Security Policy
System Operations                              | Organization of Information Security
Change Management                              | Compliance
Additional Criteria for Availability           | Asset Management
Additional Criteria for Confidentiality        | Physical and Environmental Security
Additional Criteria for Processing Integrity   | Communications and Operations Management
                                               | Information Systems Acquisition, Development, and Maintenance
                                               | Information Security Incident Management
                                               | Business Continuity Management
                                               | Privacy Practices
SOC 2 + HITRUST CSF - Reporting
• Report Sections
– Management assertion
– Independent service auditor’s report
– Entity’s description of its system
– Controls tested
– Test results
– Mapping between HITRUST CSF version 8 and the TSP and Criteria (optional in Section 5)
– HITRUST CSF Certification Report (optional in Section 5 and only available if the client performed a full HITRUST CSF Validated Assessment)
• Report Types
– SOC 2 + HITRUST CSF
– SOC 2 + HITRUST CSF w/ CSF Assessment
Case Study 1
• SOC 2 + HITRUST CSF
– Document management company
– Provides services to healthcare organizations and must meet HIPAA requirements
– Conducts SOC 2 assessment annually
– Synthesized approach reduced time and resources necessary for HITRUST and SOC 2
– Provided necessary documentation to clientele
Case Study 2
• SOC 2 + HITRUST CSF Certification
– Healthcare analytics platform
– Previously completed a SOC 2 + HITRUST CSF
– Wanted to achieve certification
– Synthesized approach reduced time and resources necessary for HITRUST and SOC 2
– Met client and regulatory need
Benefits of Integration
• Annual audit for SOC 2 is better than a surveillance audit to ensure everything is in place – saves time later
• Identify overlap in controls to improve efficiency
• Consolidate audit evidence
• Consolidate audit firms
• Save time
• Save money
• Reduce audit fatigue
Summary
• The healthcare industry continues to face challenges regarding the protection of personal information.
• There are different reporting options for an organization to demonstrate compliance with the HITRUST CSF. Organizations should consult with their vendors or customers to ensure that they will accept a particular report option in order to demonstrate compliance and reduce their risk.
• Integrated reporting can create organizational and audit efficiency.
Please send additional HITRUST questions to
Steve.Simmons@a-lign.com