What do you need to know about SOC 2 certification?


SOC 2 Certification

SOC 2 (System and Organization Controls 2) compliance can encompass everything from how your systems are operated and how customer data is stored in the cloud to how you write job descriptions and onboard new hires.

A SOC 2 report gives your customers evidence that you secure the data they entrust to you and protect their privacy. It is no wonder that SOC 2 has emerged as one of the most sought-after attestations. It is an auditing procedure that is unique to each organization: an independent auditor assesses your controls against one or more of the Trust Services Criteria (formerly called trust principles) defined by the American Institute of Certified Public Accountants (AICPA). Strictly speaking, the outcome is an attestation report rather than a certificate, but "SOC 2 certification" is the common term and is used throughout this article.

SOC 2 certification trust principles

The SOC 2 criteria cover the management of customer data under five categories: security, availability, processing integrity, confidentiality, and privacy.

  • Security – how the system is protected against unauthorized access, disclosure, and damage (the only mandatory category)
  • Availability – whether the organization’s systems, services, and products are available for operation and use as committed
  • Processing Integrity – whether system processing is complete, valid, accurate, timely, and authorized
  • Confidentiality – how information the organization has designated as confidential (customer data, intellectual property, contracts) is protected
  • Privacy – how personal information is collected, used, retained, disclosed, and disposed of

 

SOC 2 Certification Process

The SOC 2 certification process involves the following steps:

  • Decide the trust principles that you need to audit

Security is mandatory for every SOC 2 report. Which of the other criteria to include is decided together with stakeholders, usually driven by what customers ask for in contracts and security questionnaires.

  • Pick the right report

There are two types of SOC 2 report. A Type 1 report describes the system and assesses whether the controls are suitably designed to meet the chosen criteria at a point in time. A Type 2 report additionally tests whether those controls operated effectively over a review period, typically six to twelve months. Most customers who ask for SOC 2 expect a Type 2; a Type 1 is often used as a first step. Pick the report that meets your needs.

  • Define the scope

Determine what you will test for and why. The scope usually depends on your reason for carrying out the audit: vendor management, internal corporate governance, or regulatory oversight. Scope also defines which systems, locations, and third-party services fall inside the audit boundary.

  • Carry out self-assessment

Self-assess your system against the chosen criteria before hiring professionals to carry out the formal audit. This is where gaps such as missing policies, unreviewed user access, or untracked changes are found and fixed cheaply.

  • Undergo a formal SOC 2 audit from a Certified Public Accountant (CPA)

A SOC 2 audit must be performed by a licensed CPA firm. The auditor interviews staff and collects evidence such as policies, screenshots, configuration exports, tickets, and logs to confirm that each control exists (Type 1) and operated throughout the review period (Type 2).

  • Receive a SOC 2 report

The final step in the SOC 2 certification process is getting the final SOC 2 report that measures how well your system stands against the set security standards.

 

SOC 2 Certification Checklist

Before you start the SOC 2 certification process, there are a few things which you can follow regularly to make the process smoother:

  • Create an organizational culture of security
  • Revoke access rights of former employees promptly, ideally on their last day
  • Manage access rights of current employees by creating individual accounts with only the permissions each role needs, centralizing user management, and monitoring and periodically reviewing user access
  • Follow data retention best practices according to industry standards
  • Automate and document every change by using the centralized logging facilities of your cloud provider, a version control system such as GitHub, and a ticketing system such as Jira
  • Implement a vulnerability management procedure: track published Common Vulnerabilities and Exposures (CVEs) for the software you run and patch on a defined schedule
  • Create policies and procedures based on industry best practices, and follow them consistently; auditors test that practice matches policy
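To make the access-management items in the checklist concrete, here is a small user-access review script. It is an added example, not part of the original article or of any Databrackets tool. It cross-checks an identity provider's user export against the HR roster and produces the findings a SOC 2 auditor typically asks about: accounts of terminated staff that are still enabled, accounts with no owner in HR, shared accounts that cannot be attributed to one person, dormant accounts, and privileged accounts without MFA. The data classes, the roster and account records, the role names, and the 90-day dormancy threshold are all constructed for the example.

```python
"""Quarterly user-access review (added example; all names and records constructed).
Cross-checks identity-provider accounts against the HR roster and emits the
findings that SOC 2 access-control evidence usually has to show were handled."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Employee:
    email: str
    status: str                           # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass
class Account:
    username: str
    owner_email: str                      # "" for shared / service accounts
    enabled: bool
    mfa_enabled: bool
    last_login: date
    roles: List[str]


DORMANCY_LIMIT = timedelta(days=90)       # assumed policy threshold
PRIVILEGED_ROLES = {"admin", "db_owner"}  # assumed role names

Finding = Tuple[str, str, str]            # (username, finding type, detail)


def review_access(accounts: List[Account], roster: List[Employee], today: date) -> List[Finding]:
    """Return one finding per control violation; an empty list means the review is clean."""
    by_email: Dict[str, Employee] = {e.email: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled accounts are already revoked
        if not acct.owner_email:
            findings.append((acct.username, "shared-account",
                             "no individual owner; actions cannot be attributed to a person"))
        else:
            owner = by_email.get(acct.owner_email)
            if owner is None:
                findings.append((acct.username, "orphan", "owner not found in HR roster"))
            elif owner.status == "terminated":
                left = (f"{(today - owner.termination_date).days} days ago"
                        if owner.termination_date else "on an unrecorded date")
                findings.append((acct.username, "terminated-still-enabled",
                                 f"owner left {left}; revoke immediately"))
        if today - acct.last_login > DORMANCY_LIMIT:
            findings.append((acct.username, "dormant",
                             f"no login for {(today - acct.last_login).days} days"))
        if not acct.mfa_enabled and PRIVILEGED_ROLES.intersection(acct.roles):
            findings.append((acct.username, "privileged-no-mfa",
                             f"roles {sorted(acct.roles)} require MFA"))
    return findings


# Constructed sample data: what an HR export and an IdP user export might contain.
SAMPLE_ROSTER = [
    Employee("alice@example.com", "active"),
    Employee("bob@example.com", "terminated", date(2020, 2, 14)),
    Employee("carol@example.com", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", "alice@example.com", True, True, date(2020, 3, 30), ["developer"]),
    Account("bob", "bob@example.com", True, True, date(2020, 2, 13), ["admin"]),
    Account("carol", "carol@example.com", True, False, date(2019, 11, 1), ["admin"]),
    Account("svc-backup", "", True, False, date(2020, 3, 31), ["db_owner"]),
    Account("dave", "dave@example.com", True, True, date(2020, 3, 29), ["developer"]),
    Account("erin", "erin@example.com", False, True, date(2019, 6, 1), ["admin"]),
]


def run_sample_review() -> List[Finding]:
    """Run the review over the constructed data as of 2020-03-31."""
    return review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, date(2020, 3, 31))


if __name__ == "__main__":
    for username, kind, detail in run_sample_review():
        print(f"{username:12} {kind:25} {detail}")
```

Running the review on the sample data produces six findings: bob's still-enabled admin account 46 days after termination, carol's dormant admin account without MFA, the shared svc-backup account that also lacks MFA, and dave's account with no matching HR record. The output, with the ticket that closes each item, is exactly the kind of evidence an auditor asks for at a Type 2 review.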

 

SOC 2 Certification Cost

The typical SOC 2 certification cost for a Type 1 report is 15,000 to 20,000 USD, while a Type 2 report can range from 25,000 to 30,000 USD.

 

Why SOC 2 Certification?

SOC 2 certification is becoming the most sought-after attestation because customers demand it. Customers need proof that you protect their data from unauthorized access and theft. In the long run, the price of a SOC 2 audit is small compared with the cost of a breach (average $3.86 million). SOC 2 can be a protective measure that makes your organization more secure, and so helps you avoid costly breaches.

Needless to say, SOC 2 certification gives you a competitive advantage, peace of mind, and valuable insight into your organization’s security. This is why large providers such as AWS and Microsoft publish SOC 2 reports. Getting SOC 2 certified is hard work, but the burden does not need to fall on you alone.

Databrackets can come to the rescue, and relieve you of the hassle of SOC 2 certification. We have certified security and privacy professionals who work in collaboration with partner CPA firms to help you meet your compliance needs with ease and with lower costs. Schedule a consultation with us today!

Beware of COVID-19 Cyber Scams

The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. CISA encourages individuals to remain vigilant and take the following precautions:

  • Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
  • Use trusted sources, such as legitimate government websites, for up-to-date, fact-based information about COVID-19.
  • Do not reveal personal or financial information in an email, and do not respond to email solicitations for this information.
  • Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
  • Review CISA Insights on Risk Management for COVID-19 for more information.

Health care provider pays $100,000 settlement to OCR for failing to implement HIPAA Security Rule requirements

The practice of Steven A. Porter, M.D., has agreed to pay $100,000 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to adopt a corrective action plan to settle a potential violation of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.  Dr. Porter’s medical practice provides gastroenterological services to over 3,000 patients per year in Ogden, Utah.

OCR began investigating Dr. Porter’s medical practice after it filed a breach report with OCR related to a dispute with a business associate.  OCR’s investigation determined that Dr. Porter had never conducted a risk analysis at the time of the breach report, and despite significant technical assistance throughout the investigation, had failed to complete an accurate and thorough risk analysis after the breach and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

 

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino.  “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” 

 

In addition to the monetary settlement, Dr. Porter will undertake a corrective action plan that includes two years of monitoring.  The resolution agreement and corrective action plan may be found at:  http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.

Top 5 Trends in Cybersecurity in 2020


In May 2017, the UK’s National Health Service (NHS) was hit by the WannaCry ransomware worm. The incident led to the cancellation of nearly 20,000 appointments and to emergency patients, including cancer patients, being diverted to other hospitals. The attack cost NHS trusts an estimated $93 million. The worm spread through unpatched Windows systems, so basic compliance hygiene, such as timely patching of known vulnerabilities and tested backups, could have prevented or greatly limited it.

Concern about cyber threats has reached the United States as well. According to the Secretary of the Department of Homeland Security, cyber weapons and sophisticated hacking currently pose the greatest threat to the United States and to the private companies involved.

According to a recently published report from Verizon, 43% of breaches involved small businesses, and 39% of breaches were carried out by organized criminal groups. Small and medium-sized enterprises remain the most vulnerable, due to a lack of awareness and resources. According to a National Cybersecurity Alliance report, over 60% of small enterprises go out of business within six months of experiencing a cyber-attack.

Although these statistics are frightening, there is some good news. For instance, according to the same Verizon report, attacks aimed at stealing credit and debit card data are in decline; chip-and-PIN (EMV) cards have made such theft far less profitable for attackers. Here are some other trends in cybersecurity worth watching in 2020:

  1. The battle over internet dominance will continue

Cyber-attacks in recent years have pushed many countries to restrict internet traffic and take other stringent measures. Russia was one of the first to propose filtering internet traffic through a censorship node run by its regulator Roskomnadzor, with the aim of creating a sovereign “RuNet” that might ward off cyber-attacks. Moscow has also tried to persuade the BRICS nations (Brazil, Russia, India, China, and South Africa) to create a separate domain name system in order to establish hegemony over the internet. China too has enforced many policies to establish itself as the thought leader of the internet space, and many countries have emulated China’s model with surveillance laws that weaken privacy. The result is a massive fragmentation, a Balkanization of sorts, of the technology arena. However, the blame cannot be placed on Russia and China alone. Western countries have also put stringent policies in place to establish dominance under the banner of mitigating security risks; one example is the UK and the US rejecting Huawei’s low-cost 5G equipment. These fragmentations may create isolated pockets of internet that are somewhat easier to defend, but they also bring more confusion, less transparency, and perhaps less innovation. This dilemma is bound to worry thought leaders in 2020 as well.

  2. Compliance assessment to take center stage

In June 2019, the American Medical Collection Agency (AMCA) discovered that an unauthorized party had gained access to its web payment portal. Even more alarming, the attacker had had access since August 2018, and the breach affected millions of patients of AMCA’s laboratory clients. Under HIPAA’s Breach Notification Rule, the affected organizations must notify every potentially affected patient, which itself requires a great many staff-hours. During such attacks it is impossible to know the full extent of the breach within a short time, and without adequate precautions organizations leave their customers and themselves open to major risks, from legal liability to financial and personal loss. It is easier to avoid such outcomes with incident response procedures that detect threats in time and then pass the message to the relevant stakeholders at the earliest opportunity. Such procedures are not only mandated by law; they can save enormous financial loss, and even lives. Hence compliance assessment is likely to remain one of the highest priorities in fighting cyber-attacks.

  3. Attacks on multiple fronts

Cyber-attacks are becoming more sophisticated, and this is likely to continue as multi-vector malware in the mould of NotPetya and WannaCry is reused. Both combined a ransomware payload with worm-style self-propagation that exploited unpatched SMB services, so a single infection could spread across networks, servers, and cloud-hosted systems without any further attacker interaction. It has been estimated that less than 5% of today’s systems are capable of handling such advanced attacks. With a widespread lack of awareness about security assessment, these attacks will continue to plague small businesses, large enterprises, and government entities.

  4. Adoption of data harbours

According to the US Council of Economic Advisers, cyber-attacks cost the US economy as much as $109 billion in 2016, and global spending on cybersecurity exceeded $120 billion in 2019. Major stakeholders in many industries are threatened, especially in healthcare and finance. Meanwhile, cyber threats continue to become more intelligent and systematic, and to operate undetected for longer periods. This has pushed many organizations to keep copies of their data in external data harbours, independent of their own infrastructure, so that a compromise of production systems does not also destroy the data.

  5. Data privacy regulation goes global

In 2018, the European Union’s General Data Protection Regulation (GDPR) came into force. It has paved the way for more regulation of personal data, such as the California Consumer Privacy Act (CCPA). Because of the global nature of the internet, these laws already affect enterprises worldwide: the GDPR applies to the personal data of people in the EU regardless of where the processing organization is located, and it carries stringent penalties for breaches. The growing body of data privacy regulation has major implications for firms that have no access to compliance assessment.

Data regulations could also affect companies that host their data in clouds such as Azure, Google Cloud, and AWS. Rising data breaches and an increasingly stringent regulatory environment will be worth monitoring in 2020, as cloud adoption and cloud security play a growing role.

In conclusion

If your company is looking for solutions such as security assessment, data harbours, and regulatory compliance, a variety of options is available. Continuous employee training on cyber-attacks should also remain a high priority, as the most prominent attacks began with phishing. To protect your organization from bad actors, you have to perform adequate security assessment and training.

In fact, security assessment and risk analysis is the first step towards mitigating cyberattacks. And if you are looking for a perfect partner that can help you keep threats at bay, Databrackets is your destination. Backed by a plethora of services including current trend analysis along with past risk assessment reports, awareness training, threat forecast, and more, Databrackets seamlessly alleviates the cybersecurity woes of your organization.

Reference links: 

https://www.clevelandfed.org/en/newsroom-and-events/speeches/sp-20190404-perspectives-on-cybersecurity-the-financial-system-and-the-federal-reserve.aspx

https://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

https://compliancy-group.com/blog/

https://www.acronis.com/en-us/articles/nhs-cyber-attack/

https://www.us-cert.gov/ics/Downloading-and-Installing-CSET

OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

In an agreement with the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) have agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.

Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information (PHI). OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said Roger Severino, OCR Director.  “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html

 

OCR Imposes a $1.6 Million Civil Money Penalty against Texas Health and Human Services Commission for HIPAA Violations

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) has imposed a $1,600,000 civil money penalty against the Texas Health and Human Services Commission (TX HHSC) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules between 2013 and 2017. TX HHSC is part of the Texas HHS system, which operates state supported living centers; provides mental health and substance use services; regulates child care and nursing facilities; and administers hundreds of programs for people who need assistance, including supplemental nutrition benefits and Medicaid. The Department of Aging and Disability Services (DADS), a state agency that administered long-term care services for people who are aging and for people with intellectual and physical disabilities, was reorganized into TX HHSC in September 2017.

On June 11, 2015, DADS filed a breach report with OCR stating that the electronic protected health information (ePHI) of 6,617 individuals was viewable over the internet, including names, addresses, social security numbers, and treatment information. The breach occurred when an internal application was moved from a private, secure server to a public server and a flaw in the software code allowed access to ePHI without access credentials. OCR’s investigation determined that, in addition to the impermissible disclosure, DADS failed to conduct an enterprise-wide risk analysis, and implement access and audit controls on its information systems and applications as required by the HIPAA Security Rule. Because of inadequate audit controls, DADS was unable to determine how many unauthorized persons accessed individuals’ ePHI.
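The breach mechanism described above (an internal application exposed on a public server, a code flaw that let anyone reach ePHI without credentials, and no audit trail to reconstruct who accessed it) maps to two concrete controls. The following added example, which is not from the OCR notice or any TX HHSC system, shows a minimal request handler in which every route is denied unless it is explicitly declared public and the caller presents a valid credential, and in which every access decision, allowed or denied, is written to an audit log. The framework-free request model, the route paths, the role names, the fake record, and the bearer-token store are all constructed for illustration; a real application would verify signed sessions or JWTs and ship the log to a central store.

```python
"""Deny-by-default authorization plus an audit trail for a records endpoint.
Added example with a constructed, framework-free request model."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple
import hmac


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    remote_addr: str = "0.0.0.0"


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


Handler = Callable[[Request, Optional[Principal]], str]


class App:
    def __init__(self, tokens: Dict[str, Principal]):
        self._tokens = tokens          # constructed stand-in for a session/JWT verifier
        self._routes: Dict[str, Tuple[Handler, Optional[str], bool]] = {}
        self.audit_log: List[dict] = []

    def route(self, path: str, role: Optional[str] = None, public: bool = False):
        """Register a handler. Unless public=True, a valid credential is required;
        if role is set, the caller must also hold that role."""
        def register(fn: Handler) -> Handler:
            self._routes[path] = (fn, role, public)
            return fn
        return register

    def _authenticate(self, req: Request) -> Optional[Principal]:
        header = req.headers.get("Authorization", "")
        if not header.startswith("Bearer "):
            return None
        presented = header[len("Bearer "):]
        for token, principal in self._tokens.items():   # constant-time compare per token
            if hmac.compare_digest(token, presented):
                return principal
        return None

    def _audit(self, req: Request, principal: Optional[Principal], status: int, detail: str) -> None:
        """Record who (if anyone) touched what, from where, and whether it was allowed."""
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "src": req.remote_addr,
            "user": principal.user if principal else None,
            "method": req.method, "path": req.path,
            "status": status, "detail": detail,
        })

    def handle(self, req: Request) -> Tuple[int, str]:
        entry = self._routes.get(req.path)
        if entry is None:
            self._audit(req, None, 404, "no such route")
            return 404, "not found"
        fn, role, public = entry
        principal = self._authenticate(req)
        if not public:
            if principal is None:
                self._audit(req, None, 401, "missing or invalid credentials")
                return 401, "authentication required"
            if role is not None and role not in principal.roles:
                self._audit(req, principal, 403, f"role '{role}' required")
                return 403, "forbidden"
        body = fn(req, principal)
        self._audit(req, principal, 200, "allowed")
        return 200, body


# Constructed demo data: a fake ePHI record and two bearer tokens.
RECORDS = {"1001": "patient 1001: name, SSN, treatment notes (constructed)"}
TOKENS = {
    "tok-clinician-7f3a": Principal("clinician1", frozenset({"clinician"})),
    "tok-clerk-91bd": Principal("clerk1", frozenset({"billing"})),
}


def build_app(records_public: bool) -> App:
    """records_public=True reproduces the flaw: the ePHI route answers anyone."""
    app = App(TOKENS)

    @app.route("/health", public=True)
    def health(req, principal):
        return "ok"

    @app.route("/records/1001", role="clinician", public=records_public)
    def record(req, principal):
        return RECORDS["1001"]

    return app


if __name__ == "__main__":
    anon = Request("GET", "/records/1001", remote_addr="203.0.113.9")
    print("flawed app   :", build_app(True).handle(anon))
    fixed = build_app(False)
    print("hardened app :", fixed.handle(anon))
    print("audit entry  :", fixed.audit_log[-1])
```

With the flawed configuration the anonymous request receives the record; with the hardened one it receives 401 and the audit log captures the source address and the denied path, which is precisely what an investigation needs in order to count how many unauthorized parties reached the data. Moving the application to a public server changes nothing in the hardened version because the default is to deny, not because the server is assumed to be private.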

The Notice of Proposed Determination and Notice of Final Determination may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/txhhsc/index.html

Failure to Encrypt Mobile Devices Leads to $3 Million HIPAA Settlement

The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. URMC includes healthcare components such as the School of Medicine and Dentistry and Strong Memorial Hospital. URMC is one of the largest health systems in New York State with over 26,000 employees.

URMC filed breach reports with OCR in 2013 and 2017 following its discovery that protected health information (PHI) had been impermissibly disclosed through the loss of an unencrypted flash drive and theft of an unencrypted laptop, respectively. OCR’s investigation revealed that URMC failed to conduct an enterprise-wide risk analysis; implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level; utilize device and media controls; and employ a mechanism to encrypt and decrypt electronic protected health information (ePHI) when it was reasonable and appropriate to do so. Of note, in 2010, OCR investigated URMC concerning a similar breach involving a lost unencrypted flash drive and provided technical assistance to URMC. Despite the previous OCR investigation, and URMC’s own identification of a lack of encryption as a high risk to ePHI, URMC permitted the continued use of unencrypted mobile devices.

“Because theft and loss are constant threats, failing to encrypt mobile devices needlessly puts patient health information at risk,” said Roger Severino, OCR Director. “When covered entities are warned of their deficiencies, but fail to fix the problem, they will be held fully responsible for their neglect.”

In addition to the monetary settlement, URMC will undertake a corrective action plan that includes two years of monitoring their compliance with the HIPAA Rules. The resolution agreement and corrective action plan may be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/urmc/index.html.

HHS Office for Civil Rights Secures Corrective Action and Ensures Florida Orthopedic Practice Protects Patients with HIV from Discrimination

The U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR) has successfully secured corrective action and resolved a complaint against the Florida Orthopaedic Institute (“Florida Orthopaedic”). The complaint alleged that Florida Orthopaedic unlawfully cancelled a surgery because of a patient’s HIV positive status. After HHS OCR informed Florida Orthopaedic of the complaint and that it would be investigating the allegations, Florida Orthopaedic banned the patient from the practice and cited the patient’s complaint to HHS as a basis for doing so. Retaliation for filing complaints with HHS OCR is prohibited by law.

Florida Orthopaedic is a comprehensive orthopedic practice that employs approximately 40 physicians working in 10 offices and 20 hospitals in the Tampa area. Florida Orthopaedic receives federal financial assistance through its participation in Medicaid and Medicare Part C; and is subject to the requirements of Section 504 of the Rehabilitation Act of 1973 (Section 504). Section 504 prohibits discrimination on the basis of disability (including HIV/AIDS) in health programs or activities that receive HHS funding, such as medical practices, nursing homes, and hospitals.

HHS OCR received a complaint that a Florida Orthopaedic surgeon allegedly made an offensive comment relating to the patient’s HIV status and then refused to perform the patient’s scheduled surgery which prompted the patient to file a complaint with HHS OCR. After informing Florida Orthopaedic of the allegations, and before HHS OCR reached any conclusion as to the merits of the claims, Florida Orthopaedic prohibited the patient from receiving further care at the practice and cited patient’s complaint with HHS as a basis.

The patient informed HHS OCR of the retaliatory dismissal from the practice and on this ground HHS OCR secured several corrective actions from Florida Orthopaedic, including amending its nondiscrimination policies and revising its procedures for dismissing any patient from the practice. Florida Orthopaedic also agreed to provide staff with multiple trainings on HIV, federal non-discrimination laws, grievance procedures, and the requirement to refrain from retaliatory actions. Before Florida Orthopaedic completed its compliance activities, it provided the complainant with referrals to three orthopedic surgeons in the area to prevent further delays in the patient’s health care.

“Patients with HIV have the right to nondiscriminatory health care which includes the right to file complaints with OCR without fear of unlawful retaliation,” said HHS OCR Director Roger Severino. This case is representative of HHS OCR’s continuing compliance work and commitment to the full implementation of the National HIV/AIDS Strategy and the President’s Initiative, Ending the HIV Epidemic: A Plan for America.

For additional information on HHS OCR’s work on HIV/AIDS issues, visit: www.hhs.gov/civil-rights/for-individuals/special-topics/hiv

To learn more about civil rights and health information privacy laws that HHS OCR enforces, and to find information on filing a complaint, visit us at www.hhs.gov/ocr.

Follow HHS OCR on Twitter at twitter.com/HHSOCR