Winds of Change: SOC 2 & Securing the Supply Chain
Published On March 3, 2021
Blog Post by Jesus Jimenez, CISA, CDPSE, CDPP, Senior Manager at Meditology Services
Groundbreaking cyberattacks against third-party vendors that support the healthcare ecosystem have begun to threaten patient safety and fundamental business operations for healthcare organizations. As a result, cybersecurity certifications like SOC 2 are fast becoming a mandate for vendors that participate in the healthcare supply chain.
The breach of SolarWinds alone has had ripple effects across the supply chain, including downstream breaches of tech giants like Microsoft, Google, and VMware that provide mission-critical IT infrastructure capabilities for many healthcare entities. Disruptions to third-party solutions like SolarWinds have also hampered the ability to maintain system uptime due to interruptions of service for SolarWinds network and system monitoring solutions.
Other breaches like Blackbaud’s 2020 breach have allowed ransomware to spread onto hospital networks and take down critical systems. The Blackbaud breach alone led to the breach of sensitive information for over 6 million individuals. Breaches of Accellion’s File Transfer Appliance have also led to infiltration of dozens of customer networks.
Lawsuits have even been filed against health systems for failure to adequately assess and protect patients from breaches suffered by third-party vendors. As an example, a recent lawsuit targets Rady Children’s Hospital in San Diego for exposing patient information during a ransomware breach of their third-party vendor, Blackbaud, in the summer of 2020.
Many healthcare organizations have begun to require vendors to maintain cybersecurity certifications like SOC 2 and HITRUST as a result of the increased volume and severity of these risk exposures from their vendors. SOC 2 examinations provide assurance that vendors and other business associates are maintaining strong security and confidentiality controls and also serve as evidence that the healthcare entity has performed sufficient due diligence of vendors prior to permitting access to sensitive information and systems.
SOC 2 examinations help vendors servicing healthcare companies to:
- Lessen the burden of risk assessments and questionnaire responses for customers
- Reduce sales cycle times
- Demonstrate compliance with industry standard security and risk models
- Limit the likelihood and impact of breach events, litigation, and regulatory scrutiny
SOC 2 examinations help healthcare entities to:
- Accelerate vendor risk assessment turnaround times
- Validate controls and gain assurance
- Save time, money, and resources by not having to validate controls with internal resources and teams
- Make informed supply chain risk decisions
- Scale vendor risk programs by relying on third-party assurance from SOC 2 attestations
Meditology Services is a top-ranked provider of information risk management, cybersecurity, privacy, and regulatory compliance consulting services, exclusively for healthcare organizations. Our Meditology Assurance division is an AICPA accredited provider of SOC 2 examinations.
Contact us to learn more about how we can help you navigate your compliance and risk management needs, including SOC 2 readiness assessments and SOC 2 examinations.
WHAT OUR CLIENTS ARE SAYING:
“Value rating 5 out of 5, good value out of the partnership with Meditology because we could establish the relationship and I can call anyone on the team if I need advice. The Meditology team has helped us not only improve our business but become a distinguishing characteristic for us as a small business with a certification. We have been able to differentiate ourselves and there is value for our partners, they trust us.” - CISO, Data Analytics Organization
“I’m very satisfied with my Meditology Team on our HITRUST and SOC 2 engagements; 5 out of 5-star rating. The Team is very knowledgeable. Very professional team touching questions that are not easy and require knowledge like cloud-based environments and regulatory matters. They have much more knowledge than I and are very helpful. Questions are answered and we are not asked to just provide whatever for them to score. Communication is great; clear and constant reminders about the project schedule and deadlines.” - InfoSec Engineer, IT Technology Services Company
“I’m very satisfied and it’s definitely a pleasure working with the Meditology Team on our HITRUST and SOC 2 engagements.” - Director of IT and CISO, IT Technology Services Company