System and organization control (SOC) examinations, also referred to as SOC audits, aren’t always contractually required, but they’re increasingly being requested by regulators or healthcare companies and organizations as part of doing business.
The purpose of a SOC audit is to report on the effectiveness of the internal controls and safeguards a company has in place, while providing feedback that is both independent and actionable.
In the healthcare industry, business associate agreements and other contractual client obligations often require an annual SOC report for either SOC 1 or SOC 2.
Discover why your organization needs a SOC audit for healthcare, how a SOC audit can help avoid security breaches, and the overall benefits a SOC audit can provide.
Why does a healthcare organization need a SOC audit?
While additional controls need to be considered, a SOC audit can serve as a check on compliance with Affordable Care Act (ACA) regulations and help an organization achieve Health Insurance Portability and Accountability Act (HIPAA) compliance.
ACA requirements
The ACA’s 2010 implementation added a host of regulatory and compliance requirements, including measures to ensure the privacy of patient data. Healthcare organizations are required to maintain stringent controls on privacy and confidentiality, considering the type of information they maintain. This, in turn, has increased the demand for SOC audits on the part of healthcare organizations.
HIPAA compliance
Similarly, HIPAA drives a rapid increase in demand for SOC reports. HIPAA mandates the security and privacy of personal medical information. Most of this data is now stored in an electronic format, so the importance of an assessment performed by an objective SOC audit resource is greater than ever.
SOC compliance according to HIPAA standards
HIPAA expansions have extended SOC compliance requirements to include business associates and entities that handle electronic protected health information (ePHI). If your organization has any interaction with the healthcare industry, it will need to have adequate protections in place to reduce the risk of unintended disclosure of ePHI.
Compliance issues for technology related to HIPAA are powerful drivers when it comes to trust criteria for the security, confidentiality, and privacy of information. SOC security criteria related to data protection provide a strong baseline for compliance with the HIPAA frameworks, and mapping those criteria to HIPAA requirements can give users an understanding of how a company protects ePHI.
Can a SOC audit help prevent security breaches?
A SOC audit covers criteria that enable companies to lessen the risk of a breach. The SOC 2 baseline security criteria focus on security policies and procedures and on the effectiveness of a company's internal controls in mitigating that risk.
Many health and wellness programs and procedures are now available on mobile devices. Hospitals and clinical practices must be aware of the threat of security breaches.
Potential healthcare cybersecurity breaches
- Health data hacking
- Insider or employee fraud
- Unintentional actions, for example, when a hospital employee accidentally falls prey to system-user fraud or a phishing scam
- Supply chain attacks or breaches, such as when information a hospital shares with a third-party vendor is hacked through the vendor’s platform
To learn more about cyberthreats the healthcare industry faces, especially with the increase in use of telehealth platforms during COVID-19, see our article.
For additional cybersecurity resources, please see:
- A SOC examination for cybersecurity could combat risk for remote work
- SOC for cybersecurity: Build stakeholder confidence
What are the benefits of SOC reports for a healthcare organization?
There are many drivers and benefits for conducting a SOC audit:
- Improve compliance with business audit requirements, including HIPAA, Health Information Trust Alliance (HITRUST), Payment Card Industry Data Security Standard (PCI-DSS), the ISO 27002 Standard, and Section 404 of the Sarbanes-Oxley Act (SOX 404)
- Provide due diligence to evaluate service provider controls
- Reduce time auditors and customers need to evaluate an organization
- Stay competitive when entering a new market or gaining or retaining customers
- Develop internal controls to boost confidence for a start-up’s management and credibility by validating its control environment
- Monitor and maintain tighter oversight of third-party vendors
- Help mitigate security breaches
- Potentially lower insurance coverage rates
SOC reports also help healthcare organizations focus on controls over privacy, which is especially relevant for environments that deal with personally identifiable information (PII) or protected health information (PHI).
Privacy criteria topics in SOC audits
- Privacy policies
- Personally identifiable information (PII) classification
- Risk assessment
- Incident and breach management
- Provision of notice
- Choice and consent
- Collection
- Use and retention
- Disposal
- Access
- Disclosure to third parties
- Security for privacy
- Quality
- Monitoring and enforcement