Five Common Questions About SOC 2
In the healthcare industry, trust is vital. About 80 percent of U.S. consumers say they are at least somewhat confident in their healthcare providers' data security oversight plans and protocols — yet 25 percent of those consumers have suffered healthcare data breaches — and 50 percent of those people have fallen prey to medical identity theft as a direct result, losing $2,500 on average.
Control requirements can help remedy these issues. The standard known as SOC 2 is one of the most common requirements that technology-based service businesses must meet today. It is one of the System and Organization Controls (SOC) reports defined by the American Institute of CPAs (AICPA); the family was formerly called Service Organization Control. SOC 1 covers controls relevant to a client's financial reporting, while SOC 2 covers controls relevant to security, availability, processing integrity, confidentiality and privacy.
SOC 2 is an attestation framework rather than a certification: an independent CPA firm examines whether a service organization has written down and followed the policies and controls needed to protect the information it handles, and issues a report on what it found. Any service organization that stores or processes client data can be in scope, and cloud-hosted technology businesses are the most common subjects.
Service organizations like skilled nursing facilities, assisted living facilities and continuing care retirement communities (CCRCs) that use electronic health records are some of the companies that will need to demonstrate the compliance of their IT systems. SOC 2 aims to ensure cloud-based computing and storage systems are configured in a way that assures security, privacy and protection of data.
There are two report types for SOC 2:
- A SOC 2 Type 1 report assesses whether the organization's controls are suitably designed to meet the trust services criteria as of a specific date.
- A SOC 2 Type 2 report also tests whether those controls operated effectively throughout a specified review period, typically six to twelve months.
So, what are the main elements of SOC 2, and how can businesses ensure compliance with them? We will answer these questions below, and we'll also provide a helpful SOC 2 compliance checklist to use as a guideline.
SOC 2 Requirements
Complying with SOC 2 means developing a comprehensive, formal data security oversight plan to ensure the security of sensitive information. SOC 2 sets a high standard for the security of sensitive client information by:
- Requiring that companies develop and adhere to security policies and protocols for cloud-based information systems.
- Assessing companies' efforts to ensure compliance with those security policies and protocols.
- Updating compliance and security standards to account for the most current cybersecurity challenges and threats.
Additionally, SOC 2 defines five trust services categories, commonly called the trust services criteria. Security is included in every SOC 2 report; the other four are added to the scope according to the services the organization provides and the commitments it makes to clients:
- Security: Client data must be protected against unauthorized access, disclosure and damage, whether the threat comes from outside the organization or from an insider. Access controls should bolster security by preventing information theft, system breach, unauthorized data retrieval and other malicious interference. Service organizations can use tools like firewalls, two-factor authentication and intrusion detection systems to boost their security and keep client data protected.
- Availability: The availability of user data is measured by the extent to which data systems and products are accessible. Sometimes, security systems can interfere with the accessibility of data, but SOC 2 requires a certain standard of data availability. Network availability and performance and the handling of any security breaches to preserve data are included in this metric.
- Processing integrity: Processing integrity refers to how well the data-handling system does its job. For instance, it should produce and process data as intended, with methods that are reliable, timely and free from errors. Data-processing monitoring and quality assurance processes can help assure high processing integrity in accordance with SOC 2.
- Confidentiality: This metric refers to the broader confidentiality of company data and procedures, including internal and business information, intellectual property and confidential client information.
- Privacy: This metric refers more specifically to the privacy of sensitive, personal client data. This data might include client names, addresses, phone numbers, Social Security numbers and credit card numbers, as well as information on potentially sensitive topics like health, sexual orientation and religion. SOC 2 requires stringent access controls to protect the privacy of such information. Service organizations should also give out client privacy notices that explain how personal data will be collected, used and handled, and organizations should then continue to abide by the terms laid out in the notices.
SOC 2 Security Regulations
SOC 2 has several different security requirements, including:
1. Written Policies and Protocols
SOC 2 requires that technology-focused service organizations develop specific policies and protocols regarding digital security. Organizations must write these security regulations out and adhere to them precisely, and auditors will ask to see them when they arrive to perform SOC 2 audits. The written policies and protocols should address the security, availability, processing integrity, confidentiality and privacy of client data stored in the cloud.
Setting up a data security plan is likely to involve several of the following steps:
- Establishing processes for server and system activity monitoring and alerts for unusual activity.
- Determining a baseline of normal user activity that your company can then use to figure out what constitutes unusual and potentially malicious user activity.
- Developing methods for measuring and tracking system activity, both authorized and unauthorized.
- Writing out your data security oversight plan and making sure it is available to both staff and SOC 2 auditors when they arrive for routine audits.
2. Preventing Cyberincidents
The SOC 2 security criteria ask companies to prevent or detect various types of cyberincidents. Under SOC 2, your organization must design and operate controls that prevent, or at least promptly detect, activity that threatens the security, availability, processing integrity, confidentiality or privacy of your systems and data. Being compliant with SOC 2 is a way to let your clients know they can trust you with their data because you have the technical and organizational capability to stop a threat before it can compromise their sensitive personal information, and because an independent auditor has tested that capability. Therefore, you must be able to demonstrate it.
Much of the work of keeping data secure also involves increasing visibility. Your organization will need security and compliance tooling that monitors your systems around the clock and surfaces potentially malicious behavior promptly. To maintain SOC 2 compliance, you will need to demonstrate that your organization has visibility into network connections, user activity, internal processes and more.
SOC 2 requires tech-focused, service-oriented businesses to monitor activity in their systems and maintain proper oversight of the data-processing and data-storage activities that occur. Specifically, an organization should monitor computing and data-storage systems so that unauthorized or suspicious access to data is detected and investigated.
Monitoring works best on a hardened system: enforce least-privilege access, keep privileged accounts to a minimum and restrict where users may log in from, so that anomalies stand out against a small amount of expected activity. Your organization will need to be able to monitor for anticipated malicious activity like phishing, as well as for unanticipated threats such as new malware or new types of attempted data breaches.
To prepare for these unexpected attacks or breaches, your organization may find it helpful to determine the typical baseline level of use, activity and access for your system. Once you have done this, you can better evaluate whether abnormal and potentially malicious activity has taken place. Partnering with a continuous security monitoring service is one excellent way to do this.
3. Setting Up Alarms
One way to keep cyberincidents from becoming breaches is to set system alarms. SOC 2 does not prescribe a fixed list of alerts, but its monitoring criteria expect you to detect anomalies and respond to them, so organizations typically alert on the following types of activity:
- Exposure or alteration of data or system configurations
- File transfers, especially bulk transfers to external destinations
- Privileged account or login access, such as administrator access
- Unauthorized logins, and repeated failed logins that suggest password guessing
- Unauthorized exposure of client data
- Unauthorized modifications to client files
Once you have a basic alarm system in place, you can also fine-tune the system to help it safeguard your data even more effectively. Some possible fine-tuning adjustments include:
- Establishing a baseline of typical levels of user activity, so alerts fire on deviations rather than on every event.
- Investigating every alert that may indicate an incident, and closing it out with a recorded outcome.
- Developing risk profiles for users, hosts and data stores so that higher-risk combinations trigger higher-severity alerts.
- Routing alerts to the staff members who can act on them, so they can respond efficiently.
Everyone in your organization should understand what types of activities constitute a threat to your data and what types of activity trigger a system alert. When a cyberincident occurs, your alert system should immediately notify the relevant personnel so they can contain the threat. Any delay could compound the harmful effects of malicious activity and turn potentially preventable data breaches into substantial data losses. The alerts must also be sensitive enough to catch intruders, but not so sensitive that they produce a flurry of false alarms that trains your team to dismiss a credible threat.
Calibrate your alerts accordingly, so you can be confident when malicious activity or a suspected breach has occurred and act swiftly to keep confidential data uncompromised. Keep a record of your thresholds and the reasons for changing them; auditors will ask how alerting is tuned and how alerts are followed up. By doing so, you will enable your company to meet SOC 2 compliance requirements as well.
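As an added illustration of the baseline-then-alert approach described in the monitoring and alarm sections above (this is example code written for this page, not part of the original article and not Prelude Services' tooling), the following Python script learns each user's normal login sources and hours from a window of sshd log lines, then scans a later window for privileged logins, password-guessing bursts, logins from unseen addresses, off-hours logins and sudo commands touching client records, and routes each alert by severity. The host and user names, addresses, the `/var/lib/ehr/` path, the severity-to-team mapping and the failure threshold are all assumptions; the log lines are constructed, not captured from a real system.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# OpenSSH and sudo write auth events to syslog in these shapes.
_TS = r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hh>\d\d):\d\d:\d\d (?P<host>\S+) "
SSHD_RE = re.compile(
    _TS + r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")
SUDO_RE = re.compile(
    _TS + r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

PRIVILEGED_USERS = {"root"}       # assumption: direct root logins are never routine here
SENSITIVE_PATH = "/var/lib/ehr/"  # assumption: where client records live on this host
ROUTES = {"high": "security-oncall", "medium": "it-ops", "low": "weekly-review"}

@dataclass(frozen=True)
class Event:
    hour: int
    host: str
    user: str
    src: str     # source address, or "-" for local sudo events
    kind: str    # "accepted", "failed" or "sudo"
    detail: str  # auth method, or "target:command" for sudo

def parse(line):
    """Turn one syslog line into an Event, or None if it is not an auth event."""
    m = SSHD_RE.match(line)
    if m:
        return Event(int(m["hh"]), m["host"], m["user"], m["src"], m["result"].lower(), m["method"])
    m = SUDO_RE.match(line)
    if m:
        return Event(int(m["hh"]), m["host"], m["user"], "-", "sudo", f"{m['target']}:{m['cmd']}")
    return None

def build_baseline(lines):
    """Learn, per user, the source addresses and hours of day seen in successful logins."""
    srcs, hours = defaultdict(set), defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev.kind == "accepted":
            srcs[ev.user].add(ev.src)
            hours[ev.user].add(ev.hour)
    return {"srcs": dict(srcs), "hours": dict(hours)}

def detect(lines, baseline, failed_threshold=3):
    """Return (severity, rule, detail) alerts; failed_threshold is the tuning knob."""
    alerts, failed = [], Counter()
    for ev in filter(None, map(parse, lines)):
        if ev.kind == "failed":
            failed[ev.src] += 1
            if failed[ev.src] == failed_threshold:  # fire once per source, not once per attempt
                alerts.append(("high", "brute_force", f"{failed_threshold} failed logins from {ev.src}"))
        elif ev.kind == "accepted":
            if ev.user in PRIVILEGED_USERS:
                alerts.append(("high", "privileged_login", f"{ev.user} from {ev.src} on {ev.host}"))
            elif ev.user not in baseline["srcs"]:
                alerts.append(("medium", "unknown_user", f"first login seen for {ev.user} from {ev.src}"))
            else:
                if ev.src not in baseline["srcs"][ev.user]:
                    alerts.append(("medium", "new_source", f"{ev.user} from unseen address {ev.src}"))
                if ev.hour not in baseline["hours"][ev.user]:
                    alerts.append(("low", "off_hours", f"{ev.user} at {ev.hour:02d}:00"))
        elif ev.kind == "sudo":
            sev = "high" if SENSITIVE_PATH in ev.detail else "medium"
            alerts.append((sev, "privileged_command", f"{ev.user} ran {ev.detail}"))
    return alerts

def route(alerts):
    """Group alerts by the team that should receive them (see ROUTES)."""
    by_team = defaultdict(list)
    for sev, rule, detail in alerts:
        by_team[ROUTES[sev]].append((rule, detail))
    return dict(by_team)

# Constructed sample logs (not captured from any real system).
BASELINE_LINES = [
    "Mar  1 08:55:10 ehr-app1 sshd[1201]: Accepted publickey for nurse1 from 10.0.4.21 port 50022 ssh2",
    "Mar  1 09:02:33 ehr-app1 sshd[1207]: Accepted publickey for nurse1 from 10.0.4.21 port 50031 ssh2",
    "Mar  1 14:10:05 ehr-app1 sshd[1350]: Accepted publickey for nurse1 from 10.0.4.22 port 50102 ssh2",
    "Mar  1 10:15:00 ehr-app1 sshd[1260]: Accepted publickey for billing2 from 10.0.5.8 port 40011 ssh2",
]
TODAY_LINES = [
    "Mar  3 09:12:01 ehr-app1 sshd[2310]: Accepted publickey for nurse1 from 10.0.4.21 port 50022 ssh2",
    "Mar  3 09:13:44 ehr-app1 sshd[2344]: Failed password for invalid user admin from 203.0.113.9 port 4412 ssh2",
    "Mar  3 09:13:45 ehr-app1 sshd[2345]: Failed password for root from 203.0.113.9 port 4413 ssh2",
    "Mar  3 09:13:46 ehr-app1 sshd[2346]: Failed password for invalid user test from 203.0.113.9 port 4414 ssh2",
    "Mar  3 09:13:47 ehr-app1 sshd[2347]: Failed password for root from 203.0.113.9 port 4415 ssh2",
    "Mar  3 09:30:00 ehr-app1 CRON[2390]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 11:00:00 ehr-app1 sshd[2500]: Accepted publickey for nurse1 from 10.0.4.22 port 50300 ssh2",
    "Mar  4 02:10:00 ehr-app1 sshd[2600]: Accepted password for root from 198.51.100.7 port 9001 ssh2",
    "Mar  4 02:11:30 ehr-app1 sshd[2604]: Accepted publickey for billing2 from 198.51.100.7 port 9002 ssh2",
    "Mar  4 02:12:02 ehr-app1 sudo:  billing2 : TTY=pts/1 ; PWD=/home/billing2 ; USER=root ; COMMAND=/bin/cp /var/lib/ehr/patients.db /tmp/p.db",
]

if __name__ == "__main__":
    for team, items in route(detect(TODAY_LINES, build_baseline(BASELINE_LINES))).items():
        print(team + "".join(f"\n  {rule}: {detail}" for rule, detail in items))
```

Two design points match the calibration advice above. The `failed_threshold` argument is the knob you tune: at the default of 3 the sample burst from 203.0.113.9 pages the on-call team, while at 10 it would not fire at all, so pick the value from your own baseline of legitimate failures rather than from a guess. And the nurse's 11:00 login from a known workstation is reported, but only as a low-severity item for weekly review, which is how you keep a narrow hours baseline from generating pages that teach people to ignore alerts; widen the baseline window once such alerts are confirmed benign, and record why.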
SOC 2 Compliance Training
SOC 2 compliance training is a must for your employees. Compliance training helps ensure that your IT personnel are well versed in the criteria your company must meet to achieve full SOC 2 compliance.
For the most reliable compliance training, your organization may want to work directly from AICPA materials. The AICPA has put out several different explanatory materials — some directed at certified public accountant (CPA) auditors and others aimed at helping service organizations attain SOC compliance.
You can also develop in-house training that focuses on each of the five SOC 2 trust services criteria and how to address them. You will want to develop a SOC 2 control list as part of training, for example, and teach your staff members about access controls for passwords, firewalls, encryption and so forth. You will also want to provide SOC 2 audit training to educate staff members about how to develop proper documentation and prepare for audits.
SOC 2 training should focus some of its attention on software as well. SOC 2 compliance software can be critical in helping organizations manage their cloud-based systems and achieving and remaining in compliance. Talk to your IT management team to determine how to train staff members in its use.
SOC 2 Confidentiality
SOC 2 confidentiality is particularly important for preserving the intellectual property and vital business information that allow your company to flourish. You will need to develop procedures to ensure that only individuals with the necessary authority and clearance can access confidential business data. Your company can take the following steps to help ensure the confidentiality of critical information:
- Encrypt data in transit (for example with TLS) and at rest.
- Invest in and test network firewalls.
- Invest in and test application firewalls.
- Develop system access controls, and review who holds access on a regular schedule.
Companies should also never disclose confidential information to third parties without clients' express written consent.
What about the Health Insurance Portability and Accountability Act (HIPAA)? Some organizations may be wondering about SOC 2 vs. HIPAA and how the requirements differ. SOC 2 compliance does not ensure HIPAA compliance or vice versa: HIPAA is a federal law with its own Security and Privacy Rules, while SOC 2 is a voluntary attestation framework, and the two do not necessarily have to work together.
A SOC 2 examination can be extended to cover HIPAA-related safeguards as additional subject matter, which lets one report answer both questions, but companies can also produce HIPAA-specific assessments. Those are useful because they define the scope of the compliance effort in terms of HIPAA and its priorities rather than SOC 2 and its priorities. Your IT management team can be an excellent resource to help you determine which type of reporting is best.
SOC 2 Audit Reports
SOC 2 also requires extensive, detailed audit evidence. Your organization will need to keep rigorously documented audit logs that account for system activity. If a security incident takes place, you will need these logs to understand what happened and to secure as much data as you can. When a professional auditor comes to evaluate your company's controls, you will need the same rigorously detailed documentation.
Note that the SOC 2 report itself is written by the auditor; what you maintain are the logs and records it is based on. Those records should capture the who, what, when, where, why and how of all your system and data access so you can react quickly and effectively to an incident of malicious activity. Maintaining comprehensive, tamper-resistant audit logs helps you both comply with SOC 2 and maximize the strength of your response to a potential threat. It will also help you minimize vulnerabilities and speed up remediation time.
An audit report of cloud-based system activity can help your company answer some of the following questions in the event of a cyber attack:
- Which accounts, hosts and network addresses were involved in the attack?
- When did the attack take place?
- What activities took place during the attack?
- What information was improperly accessed during the attack?
- Was malware installed during the attack?
- Were server configurations changed during the attack?
When your company is working toward SOC 2 compliance and preparing for an audit, the following SOC compliance checklist may be helpful. Check the security of the following items against external threats and disasters:
- Access controls
- Multi-factor authentication procedures
- Intrusion detection systems
- Data encryption
- Stringent controls to ensure security for passwords, firewalls and encryption
- Stringent controls regarding access to business and client data
- Recovery policies that ensure data integrity
- Data backups that store copies of business and client information offsite
- Working surge protectors and fire suppression systems in data centers
Answer the following questions as well:
- What type of sensitive data does the organization have?
- Who has access to that data?
- How will that data be used?
- Who will monitor the data?
- How will security incidents involving the data be handled?
For the last step, write up the necessary policies and procedures for your staff and external auditors.
Contact Prelude Services for All Your Healthcare IT Support Needs
When you need assistance with your IT and data needs, including SOC 2 compliance, trust Prelude Services for guaranteed solutions. Prelude Services works primarily with service-oriented providers, such as assisted living facilities and skilled nursing facilities, so our friendly, professional staff members have extensive experience in optimizing cloud-based IT services for healthcare and senior care needs. Best of all, we are fully SSAE SOC 2 compliant and can handle your sensitive data securely and confidentially.
Contact us today to learn more.