What is SOC 2 Certification and Why Does It Matter?

RelayOne recently announced its SOC 2 Type I and Type II recertification, which reaffirms the company’s commitment to ensuring the availability and sustainability of its solutions and to protecting customer data, even though no protected health information (PHI) flows through the system.

As more of healthcare moves to digital environments and electronic systems, infrastructure availability and security remain top concerns among hospital leaders. To help mitigate these risks, hospital CIOs are seeking greater assurances from their vendors, and a SOC 2 report gives them independently audited evidence of the controls a vendor has in place to protect its systems and the data that flows through them.

What is SOC 2?

System and Organization Controls 2, known as SOC 2 (originally named Service Organization Controls 2), is an attestation framework defined by the American Institute of CPAs (AICPA) for reporting on whether a service organization, such as a software vendor, is a responsible steward of its clients’ data and business continuity. An independent CPA firm evaluates the organization’s controls against up to five trust services criteria: security, availability, processing integrity, confidentiality and privacy. Security (the “common criteria”) is part of every SOC 2 report; the other four are covered only if the vendor chooses to put them in scope, so the coverage of a given report depends on which criteria the vendor selected.

Producing the report requires a rigorous independent examination by a licensed CPA firm showing that the vendor’s information security controls meet the AICPA’s criteria for protecting customer data in hosted and cloud environments. Strictly speaking, SOC 2 is an attestation report rather than a certification: the auditor issues an opinion on the vendor’s controls, and it is the report itself, not a certificate, that customers should ask to read.

What is the Difference between SOC 2 Type I and Type II Certification?

According to KirkpatrickPrice, the audit firm that recently recertified RelayOne, SOC 2 Type I and SOC 2 Type II both report on the non-financial reporting controls and processes at a service organization as they relate to the Trust Services Criteria. There are many other similarities between SOC 2 Type I and SOC 2 Type II reports, but the key difference is that a SOC 2 Type I report is an attestation of controls at a service organization at a specific point in time, whereas a SOC 2 Type II report is an attestation of controls at a service organization over a review period, which KirkpatrickPrice states is a minimum of six months.

The SOC 2 Type I report covers the description of controls provided by the management of the service organization and attests that the controls are suitably designed and implemented as of the report date. The SOC 2 Type II report covers the same description of controls, attests that the controls are suitably designed and implemented, and additionally attests to the operating effectiveness of the controls throughout the review period.

Why does SOC 2 Certification Matter?

Data Security: Stories of data breaches among healthcare providers fill the pages of industry publications. The Ponemon Institute reports that over half of organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information, and that these types of incidents are up 50% since 2019. The Cost of a Data Breach Report 2020 by IBM puts the average cost of a breach in healthcare at $7.13 million.

System Availability: As health systems and hospitals increasingly rely on software vendors to improve operational efficiency, reduce costs and manage data, they become more exposed, not just to data breaches, but also to system failures. A hospital that depends on third-party technology in its day-to-day operations is also reliant on the diligence and sustainability of the company that developed the solution.

Writing in Becker’s Hospital Review, Dr. Jon Elion, MD, FACC points out the importance of ensuring vendors understand and protect against this risk as well. “There should be something that indicates consideration for [hospital] business continuity, to keep data and functionality intact in the event of network or system failures,” he says.

Certification Supports Health Systems' Due Diligence

SOC 2’s criteria require third-party vendors to demonstrate that they understand breach and downtime risks and have put measures in place to minimize them. A SOC 2 audit takes some of the burden off hospital IT leaders by furnishing independently examined documentation that their vendors are working to protect their institutions from preventable issues. The report answers these questions only for the systems and trust services criteria the vendor placed in scope, so a reviewer should check the scope, the period covered, any exceptions the auditor noted, and the complementary user entity controls the hospital itself is expected to operate. With that in mind, the resulting report answers key questions for providers, including:

• How does the software company back up data, and how is restoration tested?
• What redundancies are in place in case of system failure?
• Does the vendor apply operating system patches and software updates in a timely manner?
• How are PHI and other sensitive data protected from unauthorized access?

SOC 2 Can't Protect Against All PHI Risks

An area of vulnerability remains even for providers who verify that their vendors are compliant: the use of outdated and insecure methods, such as phone calls and whiteboards, to coordinate communication among care team members.

A recent independent study of trends in surgical services shows that more than half (55%) of health systems still depend on these methods. With an average of 12 team members involved in each case, the risk of exposing protected health information (PHI) is high.

RelayOne addresses this threat by not carrying any PHI at all, and no data from RelayOne is required to flow back into electronic health record (EHR) systems, which removes that integration as a channel for data corruption or a security breach. Team members are notified instantly on their smartphones when case information changes, and sensitive data remains confidential.

Read more: RelayOne’s Solution Is Proven Secure with SOC 2 Recertification