The vulnerability of computer systems has been front and center in the headlines over the last few weeks.
In addition to healthcare providers that have been directly impacted, suppliers of healthcare-related services have also been tangled up with malware, which in turn has had a significant adverse impact on the hospitals of many of our colleagues.
Trying to keep up-to-date with all of the reports on various forms of malware can make one’s head spin, with technical jargon quickly clouding the issues. It’s not really important to most users and hospital administrators to understand the significance of your Master File Table, Master Boot Record, or the workings of a “killswitch.” Focus has been appropriately directed at increasing awareness about the dangers of opening emails from unknown sources and other ways to avoid infection. While that is all well and good, there are two basic steps that are being overlooked that can significantly help protect your computers and your hospital enterprise.
When considering software (and especially “Software as a Service”) for your hospital, how can you help assure that the supplier is taking all reasonable steps to protect your data, confidentiality and security? To answer that, we need to look at something called Service Organization Controls (SOCs), and more specifically “SOC 2.”
A SOC 2 compliance report is the result of an audit of security processes established by the American Institute of Certified Public Accountants (AICPA). It helps to evaluate a service organization’s compliance with the five Trust Services Principles (TSPs) for Service Organization Controls, including:
SOC 2 compliance not only requires comprehensive policies and procedures related to the TSPs shown above, but also requires periodic technical audits to review hard evidence that the policies and procedures are being followed.
Hospital IT departments should ask for the SOC 2 “Management Assertion” and audit report of every vendor with whom they are doing business or with whom they are planning on working. This is where, for example, you can review policies for data backup and for operating system patches and updates. And, very importantly, there should be something that indicates consideration for Business Continuity, to keep data and functionality intact in the event of network or system failures.
Can you ever really “expect the unexpected” and avoid an incident such as the ones we’ve seen in the past few weeks? Reading over each SOC 2 Management Assertion will help you see how each vendor answers that question.