BLOG

Blog Post by Lisa Siedzik, Meditology ITRM Manager

---

There is a dynamic duo in healthcare data security assurance: HITRUST CSF certification and SOC 2 attestation.  Aligning your data security program with healthcare standards contained in HITRUST CSF and the SOC 2 attestation can bring numerous benefits.  Pursuing these together in a full-scale security initiative offers an efficient approach to securing healthcare data.

Here are three ways in which a combination approach to HITRUST certification and SOC 2 attestation can benefit your organization:

Compliance Readiness:  First, these standards lay out a proven security assurance approach that works in healthcare settings.  Healthcare organizations can improve their OCR compliance program readiness as the combination of these two security approaches covers much of the OCR focus areas.  HITRUST was designed specifically for healthcare and SOC 2 provides an independent third-party opinion based on the AICPA’s Trust Services Criteria relating to its Information Technology controls.

Resource Efficiency:  Secondly, pursuing HITRUST certification and SOC 2 attestation in tandem provides resource efficiency as the HITRUST CSF requirements cover many of those within SOC 2 attestation.  Pursuing these in the same project eliminates having to revisit one or both security programs in a separate project or audit.  This frees up limited resources in the information security and technology areas for other high-priority projects. In addition, it meets third-party reporting needs and is an efficient and comprehensive reporting process.

The Competitive Edge:  Finally, businesses seeking to do business with healthcare clients may be asked to fill out security questionnaires.  The security assurance task of filling out specific questionnaires and inquiries can be significantly reduced by the presence of a HITRUST CSF certification or SOC 2 attestation.  Many times, providing proof that your organization has met the standards of HITRUST and SOC 2 is enough assurance to move a contract forward in the sales cycle.

And third-party businesses also benefit from providing security assurances to a broader base of clients beyond healthcare.  Businesses can leverage the combined security initiative across a broad range of clients by pursuing HITRUST/SOC 2 in tandem.

To recap, health organizations and businesses pursuing a combination of HITRUST certification and SOC 2 attestation in one security project initiative can offer numerous benefits including:

• Leverage resource efficiencies using the HITRUST security framework as the beginning point, which can address many of the SOC 2 requirements.
• Improve OCR compliance program readiness as the combination of these two security approaches covers much of the OCR focus areas.
• Vendors servicing the healthcare market can gain competitive advantage by obtaining both security certifications/attestation at the same time thereby reducing audit fatigue.

How to Get Started with Certifications:  The first step in pursuing these certifications is selecting an appropriate assessor partner that can address both the requirements of HITRUST CSF and SOC 2 attestation, including the AICPA requirements of SOC 2 attestation.

Meditology Services is a certified HITRUST assessor and an experienced assessor for SOC 2 attestation.  Our healthcare security experts frequently train healthcare executives on best practices for pursuing HITRUST certification as well as SOC 2.

Plus, Meditology was ranked the #1 Best in KLAS Cybersecurity Advisory Services firm in 2019 and 2020. Hundreds of businesses in the healthcare market rely on our proven expertise to guide them through the process of HITRUST CSF and SOC 2 attestation.

Download our HITRUST CSF Certification and SOC 2 Attestation data sheet to learn more.