Security Savvy in Healthcare Tech: Ensuring the Protection of SOC 2 and HITRUST

January 30, 2024

When it comes to healthcare technology and protecting Personal Healthcare Information (PHI), data security isn’t just a box to tick – it’s a sacred trust. We’re dealing with lifeblood information, the most intimate details woven into the fabric of your patient population. As an organization working in healthcare technology for over a decade, strategically navigating the waters of healthcare security and taking protective measures has always been a top priority.  

Reported by The HIPAA Journal, 2023 was a record year for both, data breaches and the number of exposed or breached records.  Many security breaches are avoidable. SOC 2 and HITRUST aren’t just fancy acronyms. They’re shields protecting the most vulnerable data on the planet─ your patients. So, let’s unlock the vault and examine the importance of these security designations, what they mean for ePrescribing software, and what questions you should ask when considering an ePrescribing platform.

What is SOC 2 Type 2?

Think of it as a detailed audit, a deep dive into a vendor’s security infrastructure, policies, and procedures. It requires more diligence than the Type 1 requirements. Type 2 goes beyond simply stating what controls exist; it verifies their effectiveness. To receive this designation for our ePrescribing platform, DoseSpot worked with independent auditors who spent months scrutinizing how we actually operate, not just what we claim to do. Currently, we have the type 2 designation with zero exceptions.

Why should this matter to vendor partners?

• Transparency: As a healthcare company looking to integrate with new ePrescribing software, you need a clear picture of the vendor’s security posture, allowing you to make informed decisions based on objective evidence.
• Reduced Risk: With robust controls in place and their effectiveness proven, the likelihood of a data breach is decreased. Imagine sleeping soundly, knowing your patients’ data rests in secure hands.
• Compliance: SOC 2 aligns with regulations like HIPAA, meaning the vendor is actively working to stay on the right side of the law. Think of it as an extra layer of assurance.

How do you assess SOC 2 with your health tech vendors?

Use this list of questions below to help guide you through SOC 2 conversations with any vendors you intend to partner with:

• What specific Trust Service Principles (TSPs) did you get audited for? (Security, Availability, Processing Integrity, Confidentiality, Privacy)
• Were there any exceptions in your report? If so, understand the nature and impact before proceeding.
• How often do you perform SOC 2 audits? Annual audits are standard, but more frequent audits indicate a proactive approach.

Can you share your SOC 2 report with us? Transparency is key, and reputable vendors will readily share their reports (with redactions for sensitive information).
* DoseSpot requires that you have a signed NDA in place before sharing our SOC 2 report.

Now, let’s move on to HITRUST. This framework was first established in 2007 to bring alignment to the processes and standards of healthcare security. It goes beyond SOC 2, specifically designed for the unique security challenges of the healthcare industry. It incorporates HIPAA, NIST, PCI DSS, and other relevant regulations, creating a comprehensive compliance roadmap.

Think of HITRUST as a fortress built with multiple layers of defense: common controls, industry-specific controls, and even tailored controls specific to your needs. This multi-layered approach ensures your sensitive patient data is shielded from a wide range of threats. DoseSpot has engaged an independent assessor as we pursue the HITRUST pathway.

Why HITRUST matters:

• Targeted Protection: It addresses the specific risks inherent in healthcare data, going beyond generic security measures.
• Enhanced Trust: Achieving HITRUST certification demonstrates a vendor’s deep commitment to healthcare data security, building trust with patients and partners.
• Reduced Costs: By demonstrating compliance with multiple regulations, HITRUST can streamline audits and reduce overall compliance burdens.

So, when evaluating vendors, ask:

• Are you pursuing HITRUST certification? This shows a proactive approach to healthcare data security.
• Which HITRUST tiers are you targeting? Tier 1 is basic compliance, while Tier 2 involves an independent assessment for deeper assurance.
• How do you integrate HITRUST controls into your security program? Look for a holistic approach where HITRUST is embedded in the security culture.

Remember, healthcare technology is a delicate dance, balancing innovation with unwavering data protection. Don’t settle for vendors who treat security as an afterthought. Demand transparency, demand compliance, and most importantly, demand the peace of mind that comes with knowing your patients’ data is in the safest hands possible. After all, in today’s world of cyber threats, data breaches, and targeted online attacks, there’s no such thing as being overly secure. At DoseSpot, we take pride in mitigating security risk by pursuing what’s next in data protection and regularly updating policies and procedures to keep up with the fast-changing healthcare technology standards.