Cybersecurity is a serious concern for the management and board members of organizations around the world. Consequently, service providers face increasing scrutiny and pressure to prove that they have taken appropriate measures to protect their systems, the client data they process or store, and the systems and entities that use or interact with them.
If you are reading this post, chances are you have clients that are requesting or requiring you to provide a SOC 2 report and/or a HITRUST validated assessment. You may be wondering which of these you should do or how to do both. In this post, we will explore an option available to you that may help satisfy both requirements while saving time, money, and aggravation—SOC 2+HITRUST.
What is a SOC 2 Assessment?
A System and Organization Controls (SOC) 2 report documents the independent assessment performed by a CPA firm of the design and operational effectiveness of an organization’s controls to meet the Trust Services Criteria related to:
You can learn more about SOC 2 assessments by reading our post on what a SOC 2 is.
An annual SOC 2 assessment, performed by an independent auditor, is the most common way for Software-as-a-Service (SaaS) companies to report to their clients on the design and operating effectiveness of the controls that meet the specified Trust Services Criteria.
What is HITRUST?
HITRUST is both an organization and a security framework. The Health Information Trust Alliance (HITRUST Alliance) is a nonprofit based in Frisco, Texas, that was founded in 2007. The organization’s goal is to help companies manage and certify their compliance with information security controls and to consolidate compliance reporting requirements. The organization created and maintains the Common Security Framework, also referred to as the HITRUST CSF.
The HITRUST CSF was created for organizations in the healthcare industry that found the vagueness of the HIPAA Security Rule difficult to understand and implement appropriately. That vagueness left healthcare organizations without a good way to assess the security posture of their service providers or the effectiveness of the controls in place to safeguard protected information.
The goal of the HITRUST CSF is to align the compliance requirements from other regulatory and security frameworks (e.g., HIPAA, PCI, COBIT, ISO, etc.) and to provide specific details of how to implement the corresponding controls. The framework is designed to be scalable for organizations based on the entity type and volume of data/transactions and adaptable depending on what regulatory and security frameworks are applicable to an organization.
Read our post on the HITRUST Framework if you would like to learn more.
SOC 2 or HITRUST: Which One Should You Choose?
If you are familiar with the requirements for SOC 2 and HITRUST assessments, you know that an extensive set of controls and documentation is needed to fulfill each of these reporting requirements. Performing two separate assessments would likely take a significant commitment of resources (e.g., people, time, money) from organizations that are often already resource-stretched. So, you may be constrained to choose one or the other. If you are trying to decide between a SOC 2 and a HITRUST assessment, you may want to read our post comparing the SOC 2 vs HITRUST frameworks to see which would best meet your needs.
How Can I Get Both SOC 2 and HITRUST Assessments?
For a time, if an organization needed both a SOC 2 report and a HITRUST certification report, there was only one option—two separate assessments. This resulted in a significant cost to organizations needing to show compliance with both the Trust Services Criteria and the HITRUST CSF requirements. The American Institute of Certified Public Accountants (AICPA) worked with the HITRUST Alliance to create a more efficient reporting structure that aligned their reporting frameworks, resulting in a combined assurance program known as SOC 2 + HITRUST.
The SOC 2 + HITRUST program maps between the Trust Services Criteria and the HITRUST CSF requirements and allows service organizations (like yours) to report on controls to meet both sets of requirements in a single report.
SOC 2 + HITRUST Assessments
A SOC 2 + HITRUST assessment is performed by an independent CPA firm. The assessment scope covers the organization’s controls pertinent to meeting the applicable Trust Services Criteria and the HITRUST CSF requirements. The report issued by the CPA firm includes an opinion on the suitability of the design and the operating effectiveness of the controls to meet both the Trust Services Criteria and the HITRUST CSF requirements. The report may be shared with third parties, including clients and potential clients, as evidence of the organization’s compliance. However, it does not result in a HITRUST certification for the organization.
Should an organization want to be HITRUST certified, it may pursue a SOC 2 + HITRUST CSF + CSF Certification. This results in the same report and opinion as the SOC 2 + HITRUST assessment, but a copy of the CSF certification report issued by the HITRUST Alliance is appended to the report. To obtain a CSF certification from a combined assessment, the CPA firm performing the assessment must also be an approved CSF assessor registered with the HITRUST Alliance, and the organization must go through the HITRUST certification process. Obtaining the CSF certification increases the cost of compliance: the myCSF tool subscription, HITRUST’s assessment fee, and the additional effort spent by the CSF assessor/CPA firm on the certification.
Should I Get HITRUST Certified?
Complying with the HITRUST CSF can provide your organization with several benefits. These may include:
- Maintaining proper security of PHI
- Staying up-to-date with evolving security risks
- Better organizational compliance with HIPAA requirements
- Increased recognition from clients for organizational commitment to security
Does an organization need to be HITRUST certified to receive the benefits of complying with the HITRUST CSF? The answer is, “It depends.”
Compliance with the HITRUST CSF will improve an organization’s security around PHI, help it stay up-to-date on the latest security risks, and help it comply with HIPAA requirements. However, client perception is the real variable. While many organizations will accept various types of assurance related to security, some large healthcare organizations may require their service providers to be HITRUST certified.
I recommend that, as a rule, organizations avoid unnecessary costs. Audits and assessments are not cheap, and once you start them, they become a future client expectation. So, if you do not have to get a SOC 2 report or HITRUST certification, I would recommend against getting one until you have to. Don’t get me wrong: you should strive to meet the highest security standards within your organization—I am not saying that you shouldn’t. I am just saying I would not pay someone to test them until I had to.
Along that line of thinking, I would recommend getting SOC 2 + HITRUST without the certification unless you need the certification. If a client or potential client requires a HITRUST certification, I would recommend asking whether they would accept a SOC 2 + HITRUST report as evidence of HITRUST compliance.
Are There Pros and Cons to SOC 2 + HITRUST assessments?
A SOC 2 + HITRUST assessment will save the service organization money and time. Specifically:
- Without a HITRUST certification, the service organization will not need to pay:
  - the myCSF tool subscription
  - the HITRUST assessment fee
  - the HITRUST report fee
- Overall audit fees from the CPA firm will likely decrease by combining the two examinations into one where the control sets overlap
- Reduced interruption of company operations and employee time for one audit versus two separate examinations
- Only one report to distribute to clients
There are a couple of potential drawbacks to weigh when considering a SOC 2 + HITRUST. These include:
- Potential increase of the SOC 2 scope. If you have obtained a SOC 2 in the past, you may need to add criteria to the scope. Most SOC 2 reports cover just the security category (the common criteria). A SOC 2 + HITRUST assessment requires the availability and confidentiality criteria to be included as well.
- Findings will impact both assessments. With a combined report, the opinion will reflect any exceptions from either part, whereas with two separate reports, findings would show only in the respective report.
If you need to provide assurance to clients related to the Trust Services Criteria and the HITRUST CSF, you should consider whether a SOC 2 + HITRUST makes sense for your organization. It is not talked about frequently, but it is an option that may satisfy your clients’ requirements while saving your organization a lot of time and money. Contact us if you would like to learn more about the many services offered here at Linford & Co.
Isaac Clarke is a partner at Linford & Co., LLP. He began his career with Ernst & Young in 2003 where he developed his audit expertise over a number of years. Isaac specializes in and has conducted numerous SOC 1 and SOC 2 examinations for a variety of companies—from startups to Fortune 100 companies. Isaac enjoys helping his clients understand and simplify their compliance activities. He is attentive to his clients’ needs and works meticulously to ensure that each examination and report meets professional standards.