
© 2017 HITRUST Alliance.

SOC 2® + HITRUST: Understanding the Benefits

888.702.5446 | www.A-LIGN.com | [email protected]

Presenter

Steve Simmons, Director of SOC and Attestation Services at A-LIGN

•  Current member of the HITRUST Assessor Council
•  Has overseen more than 1000 SOC audits
•  Professional designations include:
   –  HITRUST Practitioner
   –  Certified Information Systems Security Professional (CISSP)
   –  Certified Information Systems Auditor (CISA)
   –  Certified Internal Auditor (CIA)
   –  ISO 27001 Lead Auditor

Agenda

•  Understanding the Healthcare Compliance Landscape
•  Compliance Options
•  Breaking Down SOC 2 for Healthcare Providers
•  Real-World Case Studies
•  Summary


UNDERSTANDING THE HEALTHCARE COMPLIANCE LANDSCAPE


The Breach Landscape

“No locale, industry or organization is bulletproof when it comes to the compromise of data.” – Verizon’s 2016 Data Breach Investigations Report


The Breach Landscape

Source: 2016 Ponemon Cost of Data Breach Study: Global Analysis

Value of Healthcare Data

•  Healthcare data is worth more than 10x your credit card number on the black market
   –  Used to create fake IDs to buy medical equipment or drugs that can be resold
   –  Combine a patient number with a false provider number and file made-up claims with insurers


COMPLIANCE OPTIONS


Compliance Options

HITRUST Self-Assessment

•  Performed internally by an organization
•  Gap assessment
•  Low level of assurance
•  Step towards becoming validated or certified
•  Results in a self-assessment report
•  Requires access to the MyCSF tool

HITRUST Validated Assessment

•  Performed by a HITRUST CSF assessor organization
•  Higher level of assurance
•  Results in a validated or certified report
•  Report is valid for 2 years
•  Interim assessment after 1 year
•  Requires access to the MyCSF tool

HITRUST Certified Assessment

•  The same audit process as a validated or certified assessment
   –  Becoming HITRUST CSF certified means that the organization received at least a 3 on HITRUST’s scale
•  Performed by a HITRUST CSF assessor organization
•  Report is valid for 2 years
•  Interim assessment after 1 year
•  Requires access to the MyCSF tool
•  Provides the most complete assurance level certified by HITRUST
•  Must meet all of the certification requirements of the HITRUST CSF


BREAKING DOWN SOC 2 FOR HEALTHCARE PROVIDERS

What is SOC 2?

•  Outsourcing tasks or entire functions to service organizations
•  Predefined criteria: Trust Services Principles
•  Five attributes of the system
•  Requirements and guidance in AT Section 101
•  Restricted Use
   –  Primary users: management of the service organization, prospective user entities, independent auditors and practitioners providing services to such user entities, and regulators
•  Type 1 or Type 2 report may be issued

SOC 2 Trust Services Criteria (TSC) Principles:

•  Common Criteria/Security - The system is protected against unauthorized access (both physical and logical)
•  Availability - The system is available for operation and use as committed or agreed
•  Processing integrity - System processing is complete, accurate, timely, and authorized
•  Confidentiality - Information designated as confidential is protected as committed or agreed
•  Privacy - Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in GAPP

SOC 2 Purpose/Use

•  Subject matter other than user entities’ ICFR
•  Understand the service organization
•  Clear system description
•  Addresses risk of IT-enabled systems and privacy programs
•  Reports on one or more of: Common Criteria/Security; Availability; Processing Integrity; Confidentiality; Privacy
•  Understand the complementary user entity controls

SOC 2 – Elements of the Report

•  Opinion
   –  Fairness of Presentation
   –  Design
   –  Operating Effectiveness
•  Assertion
•  System Description
•  Testing Matrices
•  Other Information Provided By Management

SOC 2 Benefits for the Healthcare Industry

•  Efficient and comprehensive reporting
•  Meets third-party reporting needs
•  Maps internal controls for SOX reporting
•  Helps identify risks associated with securing sensitive information (PHI, PII, and/or Confidential data)

Applicability to Business Associates

•  Who is SOC 2+ a good fit for?
   –  Service Providers (IT)
   –  Service Providers (non-IT)
   –  HIEs
   –  Hospitals
   –  Pharmacies

SOC 2 + Additional Subject Matter

•  The service auditor’s report may also include:
   –  Criteria in addition to the applicable TSC
   –  Additional subject matter related to the service organization’s services (e.g. compliance with statement of privacy practices)
•  The service organization must provide:
   –  A description of the subject matter
   –  A description of the criteria used to measure and present the subject matter
   –  A description of the controls intended to meet the criteria and an assertion by management

SOC 2 +

•  Many companies require a SOC 2 together with some combination of the other major standards, and the controls overlap significantly. These standards include, but are not limited to:
   –  HITRUST CSF
   –  CSA Security Trust & Assurance Registry (CSA-STAR)
   –  ISO-27001
   –  NIST SP-800-53 R4
   –  COSO
   –  COBIT

SOC 2 + HITRUST CSF

•  Partnership between AICPA and HITRUST
•  Requires 135 implementation requirements
   –  Can issue the report based upon the 66 controls required for certification, pending AICPA approval
   –  Includes:
      •  Security
      •  Availability
      •  Confidentiality
      •  HITRUST CSF
•  Requires that the auditor is both a licensed CPA and a HITRUST CSF assessor (or has access to the HITRUST CSF)

SOC 2 + HITRUST CSF - Principles

•  Common Criteria/Security
   –  Organization and Management
   –  Communication
   –  Design and Implementation of Controls
   –  Monitoring
   –  Logical and Physical Access
   –  System Operations
   –  Change Management
•  Additional Criteria for Availability
•  Additional Criteria for Confidentiality
•  Additional Criteria for Processing Integrity

SOC 2 + HITRUST CSF - Principles

•  Information Security Management Program
•  Access Control
•  Human Resources Security
•  Risk Management
•  Security Policy
•  Organization of Information Security
•  Compliance
•  Asset Management
•  Physical and Environmental Security
•  Communications and Operations Management
•  Information Systems Acquisition, Development, and Maintenance
•  Information Security Incident Management
•  Business Continuity Management
•  Privacy Practices

SOC 2 + HITRUST CSF - Principles

SOC 2:
•  Organization and Management
•  Communication
•  Design and Implementation of Controls
•  Monitoring
•  Logical and Physical Access
•  System Operations
•  Change Management
•  Additional Criteria for Availability
•  Additional Criteria for Confidentiality
•  Additional Criteria for Processing Integrity

HITRUST CSF:
•  Information Security Management Program
•  Access Control
•  Human Resources Security
•  Risk Management
•  Security Policy
•  Organization of Information Security
•  Compliance
•  Asset Management
•  Physical and Environmental Security
•  Communications and Operations Management
•  Information Systems Acquisition, Development, and Maintenance
•  Information Security Incident Management
•  Business Continuity Management
•  Privacy Practices


SOC 2 + HITRUST CSF v8.1

SOC 2 + HITRUST CSF - Reporting

•  Report Sections
   –  Management assertion
   –  Independent service auditor’s report
   –  Entity’s description of its system
   –  Controls tested
   –  Test results
   –  Mapping between HITRUST CSF version 8 and the TSP and Criteria (optional in Section 5)
   –  HITRUST CSF Certification Report (optional in Section 5 and only available if the client performed a full HITRUST CSF Validated Assessment)
•  Report Types
   –  SOC 2 + HITRUST CSF
   –  SOC 2 + HITRUST CSF w/ CSF Assessment


REAL-WORLD CASE STUDIES

Case Study 1

•  SOC 2 + HITRUST CSF
   –  Document management company
   –  Provides services to healthcare organizations and must meet HIPAA requirements
   –  Conducts SOC 2 assessment annually
   –  Synthesized approach reduced time and resources necessary for HITRUST and SOC 2
   –  Provided necessary documentation to clientele

Case Study 2

•  SOC 2 + HITRUST CSF Certification
   –  Healthcare analytics platform
   –  Previously completed a SOC 2 + HITRUST CSF
   –  Wanted to achieve certification
   –  Synthesized approach reduced time and resources necessary for HITRUST and SOC 2
   –  Met client and regulatory need

Benefits of Integration

•  Annual audit for SOC 2 better than surveillance audit to ensure everything is in place – saves time later
•  Identify overlap in controls to improve efficiency
•  Consolidate audit evidence
•  Consolidate audit firms
•  Save time
•  Save money
•  Reduce audit fatigue


SUMMARY

Summary

•  The healthcare industry continues to face challenges regarding the protection of personal information.
•  There are different reporting options for an organization to demonstrate compliance with the HITRUST CSF. Organizations should consult with their vendors or customers to ensure that they will accept a particular report option in order to demonstrate compliance and reduce their risk.
•  Integrated reporting can create organizational and audit efficiency.


QUESTIONS?

Please send additional HITRUST questions to [email protected]

Visit www.HITRUSTAlliance.net for more information
