WHITEPAPER: How to Do SOC 2: The Rise of Healthcare Security Certifications
Healthcare has become a prime target for malicious actors bent on profiting from the resale and reuse of patient information. Healthcare entities are scrambling to shore up security controls for their own organizations and their business partners as the sprawl of patient information across vendors and systems continues to drive widespread data breach events.
Security certifications are fast becoming must-haves for vendors and technology firms that service the healthcare industry. Certifications provide a cost-effective means of demonstrating effective risk management practices and supporting regulatory compliance mandates.
This report explores the business drivers for healthcare security certifications and focuses on one of the most common and achievable, SOC 2. Strictly speaking, SOC 2 is an attestation report issued by an independent CPA firm under standards set by the American Institute of Certified Public Accountants (AICPA), but it is widely referred to as a certification, and this report uses that term.
The report includes the following highlights:
- Business drivers for healthcare security certifications
- Defining SOC 2 Type I and Type II certifications
- Explaining the Trust Services Criteria (formerly the Trust Services Principles) and the security controls an auditor expects to see in place
- Outlining the SOC 2 certification process, timing, expectations, and cost considerations
- Sharing lessons learned and critical success criteria for SOC 2 certifications
- Comparing SOC 2, HITRUST CSF (which maps to the NIST Cybersecurity Framework), ISO 27001, PCI DSS, and other certifications common to healthcare
- Exploring options and drivers for joint certifications (e.g. SOC 2 / HITRUST)
- Leveraging SOC 2 to support vendor security risk management programs