Health Data Security – Who Do You Trust?
By Jeff Thomas, MS, CISSP
I don’t know about you, but I certainly don’t want to be associated with the next health data breach in the headlines. But we all likely rely on outside vendors for a variety of services and products, entrusting them with data and information. A recent report by Gartner Inc., “Trust and Resilience – the Future of Digital Business Risk,” lays out the stark reality: “malicious actors and increasing complexity create systemic threats to trust and resilience.”
Like the old 1950s game show “Who Do You Trust?”, do you really want to roll the dice? Throw darts at that old dartboard?
Say you’re looking at new SaaS applications, mission-critical stuff. Naturally vendors are going to tell you that your data is safe with them. That’s what you want. But how can you tell if they are telling you the truth or not? Is there some “truthiness” going on? How can you tell those that are competent from those that are not?
Gartner predicts that IT spending on security and risk will double in the next five to 10 years, going from about 15 percent of overall IT spending to 30 percent. That’s huge. You’ve got to wonder – is your vendor keeping pace with their security needs or are they perhaps cutting a few corners, exposing your data to risk to save a buck?
You’re going to need some help. An important tool to get an insider’s view is a third-party audit report. Has your potential vendor had their data security procedures audited?
Everyone claims to be “HIPAA compliant.” But there is no official HIPAA certification, and a vendor’s own claim gives you no real assurance that it truly knows data security. Let’s look at one of the most widely used and rigorous audits available, the SOC 2 Type II.
The SOC (System and Organization Controls, formerly Service Organization Control) series of reports is defined by the American Institute of Certified Public Accountants (AICPA). These reports are designed to build trust and confidence between service organizations that operate information systems and their customers by having the service organization’s controls examined by an independent CPA firm.
The SOC 2 is relevant for companies handling sensitive data because it reviews controls against the AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. (Controls may range from technical safeguards to manual processes.) Security is the only category every SOC 2 must cover; the other four are in scope only if the vendor chose to include them, so check which categories the report actually addresses. If those areas matter to you when choosing a vendor, reviewing the report is something you will want to do.
A common question I hear is: if a SOC 2 is good, isn’t a SOC 1 better? In reality it’s an apples-to-oranges comparison. A SOC 1 covers a vendor’s controls that are relevant to its customers’ financial reporting and is often used as part of Sarbanes-Oxley compliance. If you’re selecting a vendor to handle your sensitive patient data, it’s not the right fit.
Or how about a SOC 3? A SOC 3 is a general-use summary that lacks the detail of a SOC 2 report. It is typically used as a marketing tool, whereas the SOC 2 is a restricted-use document. If you want to see what controls are in place and how they were tested, the SOC 2 report is what you need to read, and to get it you will likely have to sign a non-disclosure agreement.
So you’ve signed the vendor’s NDA and have the report. Now what?
If you’re comparing vendors, it’s important to know that not all SOC 2 reports are the same. For starters, there are two types: a Type I and a Type II. A Type I reviews the vendor’s system and the suitability of the design of the controls in place. Think of it as a point-in-time review indicating that the design of the controls was deemed reasonable on a specific day. A Type II goes further and tests the operating effectiveness of the controls over a period of time, typically six to 12 months. Check the dates, too: a report whose review period ended more than a year ago says little about the vendor’s controls today, so ask for the current report or, while the next audit is in progress, a bridge letter covering the gap.
Once you have the report, what should you look for? First comes the independent service auditor’s report, in which the auditor describes the scope of the engagement and gives an opinion on whether the controls were suitably designed (and, for a Type II, operating effectively). This is the place to look for overall concerns: an unqualified opinion is what you want, while a qualified opinion means the auditor found a significant problem, and the rest of the report will tell you where.
Another section will be the vendor’s description of its system and controls. This is a lengthy description of all the controls in place to meet the SOC 2 criteria. After this, you will find a description of the tests for each control and the results of each test. This section maps each of the vendor’s controls to the SOC criteria and lists the test performed and whether any exceptions were noted. Ideally, you will find controls that meet your needs, along with test results reading “no exceptions noted.” Where exceptions are noted, read management’s response and judge whether the failure touches data you would be entrusting to the vendor. Two more things to look for here: the complementary user entity controls, which are the controls the vendor assumes you will operate on your side (periodic user access reviews, for example), and any subservice organizations, such as a cloud hosting provider, that the report carves out. A carved-out provider is not covered by the vendor’s audit, so ask for its SOC 2 as well.
A SOC 2 report, especially the Type II, will not be a quick read. The time spent reading it will give you good insight into the measures a vendor uses to protect and process your data. The best part is that you don’t have to take their word for it—the findings come from an independent third party.
Don’t roll the dice or use darts when it comes to security. Insist on an industry-accepted, third-party audit or attestation. In this day and age of increasing digital business risk, you’ll be glad you did.
Jeff Thomas, MS, CISSP is chief technology officer of Forward Health Group of Madison, WI.