
Readers Write: Health Data Security – Who Do You Trust?

November 16, 2015 Readers Write

Health Data Security – Who Do You Trust?
By Jeff Thomas, MS, CISSP


I don’t know about you, but I certainly don’t want to be associated with the next health data breach in the headlines. But we all likely rely on outside vendors for a variety of services and products, entrusting them with data and information. A recent report by Gartner Inc., “Trust and Resilience – the Future of Digital Business Risk,” lays out the stark reality: “malicious actors and increasing complexity create systemic threats to trust and resilience.”

Like the old 1950s game show “Who Do You Trust?”, do you care to roll the dice? Or use that old dartboard?

Say you’re looking at new SaaS applications, mission-critical stuff. Naturally vendors are going to tell you that your data is safe with them. That’s what you want. But how can you tell if they are telling you the truth or not? Is there some “truthiness” going on? How can you tell those that are competent from those that are not?

Gartner predicts that IT spending on security and risk will double in the next five to 10 years, going from about 15 percent of overall IT spending to 30 percent. That’s huge. You’ve got to wonder – is your vendor keeping pace with their security needs or are they perhaps cutting a few corners, exposing your data to risk to save a buck?

You’re going to need some help. An important tool to get an insider’s view is a third-party audit report. Has your potential vendor had their data security procedures audited?

Everyone claims to be “HIPAA compliant.” But that gives you no real assurance that your vendor truly knows data security. Let’s look at one of the most widely-used and rigorous audits available, the SOC 2 Type II.

The SOC (Service Organization Controls) series of reports is governed by the American Institute of Certified Public Accountants (AICPA). These reports are designed to build trust and confidence between service organizations that operate information systems and their customers by having the organization’s service delivery processes evaluated by an independent auditing firm.

The SOC 2 is relevant for companies handling sensitive data because it reviews controls related to AICPA’s trust principles for Security, Availability, Processing Integrity, Confidentiality, and Privacy. (Controls may range from technical measures to manual processes.) If those areas matter to you when choosing a vendor, reviewing the vendor’s report is something you will likely want to do.

A common question I hear is: if a SOC 2 is good, isn’t a SOC 1 better? In reality, it’s an apples-to-oranges comparison. SOC 1 revolves around controls over financial reporting and is often used as part of Sarbanes-Oxley compliance. If you’re selecting a vendor to handle your sensitive patient data, it’s not the right fit.

Or how about a SOC 3? A SOC 3 report is a summary report that does not have the detail of a SOC 2 report. It is generally used as a marketing tool, whereas the SOC 2 is a restricted document. If you want to see what controls are in place and how those controls are tested, the SOC 2 report is what you will want to read. To obtain it, you’ll likely need to sign a non-disclosure agreement.

So you’ve signed the vendor’s NDA and have the report. Now what?

If you’re comparing vendors, it’s important to know that not all SOC 2 reports are the same. For starters, the biggest difference is that there are two types: a Type I and a Type II. A Type I reviews the vendor’s system and the suitability of the design of the controls in place. Think of it as a point-in-time review indicating that the design of the controls was deemed reasonable on a specific day. A Type II goes further and tests the operating effectiveness of the controls over a period of time. Accepted testing periods range from six to 12 months.

Once you have the report, what should you look for? First, there will be a summary in which the auditor describes the engagement, including the scope of the engagement and the auditor’s opinion of the controls audited. This is a good place to see if there are any overall concerns.

Another section will be the vendor’s description of its controls. This will be a lengthy description of all the controls in place to meet the SOC 2 principles. After this, you will find a description of the tests for each control and the results of each test. This section maps each of the vendor’s controls to the relevant SOC criteria, lists the test performed, and notes whether any exceptions were found. Ideally, you will find controls that meet your needs, along with test results reading “no exceptions noted.”

A SOC 2 report, especially the Type II, will not be a quick read. The time spent reading it will give you good insight into the measures a vendor uses to protect and process your data. The best part is that you don’t have to take the vendor’s word for it; the assessment comes from a trusted third party.

Don’t roll the dice or use darts when it comes to security. Insist on an industry-accepted, third-party audit or attestation. In this day and age of increasing digital business risk, you’ll be glad you did.

Jeff Thomas, MS, CISSP is chief technology officer of Forward Health Group of Madison, WI.
