5 Green Flags to Look for in Your Healthcare Cybersecurity Assessor
Published On January 30, 2023
With the average cost of a healthcare data breach exceeding $10 million and 60% of healthcare breaches stemming from vendors, it’s no surprise there has been an uptick in contracting requirements around third-party assurances like HITRUST, SOC 2, and others. These assurances are often tied to contract execution, particularly for those third parties that are handling significant amounts of PHI.
But the past year has seen a shift. Anticipating future client requests surrounding these requirements and their corresponding impact on the sales cycle, vendors are beginning to pursue third-party assurance more proactively and independently.
Third-party assurances have a tendency to be viewed in a commoditized way as their controls are well defined and standardized. But any organization who has pursued one of these assurances before knows the truth: assessors are not all created equal. In fact, far from it. The assessor you choose can make or break the efficiency and effectiveness of your efforts.
If you’re in the market for an assessor, here are five green flags to look for.
- They live and breathe healthcare.
Every sector believes they are different, but healthcare truly is. An assessor that is wholly focused on the healthcare space will be able to look at your third-party assurance initiative through the lens of healthcare-specific requirements, including the ability to understand how each control relates to industry regulations like HIPAA.
Remember that your journey to HITRUST or SOC 2 designation is a great chance to ensure you’re ready for ALL of healthcare’s complex contracting requirements. A partner with deep knowledge of healthcare and experience working with a variety of payors, providers, and third parties can help you build upon the collective efforts of your HITRUST or SOC 2 initiatives to address your ability to contract in healthcare more holistically.
- They’ve traveled this road many times.
The path to assurance is far from a straight line, and successfully securing a well-respected certification or auditor’s opinion requires meticulous documentation and proactive awareness of potential hurdles along the way. An assessor that has been through the process hundreds of times before can help foresee and address key challenges before they arise.
It’s important to remember that HITRUST or SOC 2 designations are earned and securing them after submitting your documentation is far from a certainty. Make sure to ask your assessor what their track record is. How many of their clients have successfully become HITRUST or SOC 2 compliant? An assessor should have a strong track record of helping organizations achieve their assurance goals by using a proven methodology designed to give organizations their best chance for success.
- You like working with them.
It goes without saying you and your assessor will be spending significant time together. Make sure you find it easy to work with their team, consider their perspective credible, and are confident in their ability to successfully manage projects from start to finish. This might seem like a ‘soft skill’, but an assessor that is difficult to work with is unlikely to help you achieve your intended outcome.
More specifically, look for evidence of a well-defined process—including a repeatable methodology for assurance services and impressive sample reports and deliverables. These are both strong indicators that an assessor has what it takes to get the job done and serve as a helpful, value-added partner along the way.
- They can make the most of your efforts.
The pursuit of a third-party assurance framework is an important decision that involves a significant investment in time, attention, and financial resources. Because of the synergies between various frameworks, and the tendency of a HITRUST or SOC 2 effort to impact broader cybersecurity initiatives, you may be able to use your hard work to drive progress in other areas.
Identify a partner that can enable you to pursue both HITRUST and SOC 2 initiatives concurrently when it makes sense, and understand when pursuing them simultaneously is not the optimal path forward. In turn, your partner can help to streamline the process and give you the best chance of success while minimizing duplicative efforts. Look for an assessor that is intimately familiar with the HITRUST family of products and will help you define a pragmatic plan to attain the highest levels of assurance. Most importantly, integrate these efforts with your broader cybersecurity initiatives and goals.
- Their reports are specific.
Reporting is an area in which the difference between one assessor and the next is particularly palpable. Make sure your assessor will provide full transparency into scores and remediation actions to maximize your probability of success. What is needed to attain this attestation successfully? What specific gaps must be filled and over what time horizon?
In addition to reporting specificity, look for the opportunity to capture some level of reporting sooner rather than later. For example, some partners will provide the ability to attain HITRUST i1 and SOC 2 Type 1 reports rapidly—enabling you to provide proof of security posture to your prospects while the required control period passes.
We’ve set the bar high. So should you.
All of these ‘green flags’ are critical, but none of them alone is sufficient. Perhaps the most important thing to look for in a partner is one that combines all these attributes for superior quality and results.
At Meditology, our deep expertise in security assessments for healthcare uniquely positions us to streamline your path to certification while accounting for the pragmatic realities of your organization. We have deep knowledge of third-party assurances and believe wholeheartedly in their power to address risk in all its forms. In fact, our founder, Cliff Baker, served as the lead architect for HITRUST CSF, and we have completed hundreds of successful HITRUST engagements on behalf of our clients. Speak to one of our team members to learn more about how we can position your third-party assurance initiative for success.