For many organizations in the healthcare industry, it is becoming increasingly difficult to keep up with multiple audits, often covering the same processes and policies, year after year. One reason is that organizations lack the resources for a dedicated internal compliance function, so individuals must take on audit roles on top of their existing responsibilities for each of the audits that occur throughout the year.
HITRUST and the American Institute of CPAs (AICPA) took notice of this issue and sought to alleviate some of these concerns by streamlining and combining the CSF and SOC audit efforts. It is a natural transition since HITRUST CSF can easily fit within SOC 2’s structure. Although they are separate reporting efforts, they can easily fit into a “love affair” in that they can exist separately yet mesh well together.
Before discussing how well this “love affair” works for both auditing efforts, let’s explore each individually. SOC 2 is similar to SOC 1 in structure and approach but differs in that SOC 2 allows organizations the flexibility of incorporating any additional suitable criteria. Also, whereas SOC 1 focuses on the “design” of controls, SOC 2 focuses on their “operating effectiveness.” SOC 2 is a reporting format more than it is a security framework, and it includes five different principles, known as the Trust Services Principles:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
The user selects the principles that meet their needs and must then address all the criteria for the selected principles.
HITRUST CSF is a certifiable framework that combines healthcare-relevant regulations and standards into one security framework that is both risk-based and compliance-based. The CSF framework is broken down as follows:
- 14 Control Categories
- 45 Control Objectives
- 149 Control Specifications
With HITRUST CSF, risk factors determine which controls are in scope for the assessment. Assessments can be conducted as “Self-Assessments” or “Third-Party Assessments” (Certified or Validated).
Combining SOC 2 and HITRUST CSF reporting into one effort has several advantages. Currently, HITRUST has developed a standard report that covers risk, compliance posture, and a corrective action plan, and that allows comparison with other similar organizations. However, requests for this type of information can arrive in different formats, such as security questionnaires, RFPs, descriptions of the processes and/or controls implemented to satisfy the CSF, and assurance that controls have operated effectively over a fixed period of time.
The best way to combine both assessment efforts is to issue a SOC 2 report with the HITRUST CSF control requirements used as the benchmark for the organization’s information security program.
One benefit of combining SOC 2 and CSF is that the HITRUST CSF controls can be leveraged within the SOC engagement. Combining the two assessments also yields time efficiencies and cost savings, because the SOC 2 criteria and the HITRUST CSF controls are tested together. The organization then does not have to report on the same controls under two separate reporting requirements, which saves costs, reduces duplicated effort, and frees up staff.
On July 31, 2014, HITRUST announced its collaboration with the AICPA to develop recommendations for streamlining the process of combining the CSF and SOC reporting efforts. The effort began with mapping the CSF controls to the Trust Services principles and criteria for security, availability, and confidentiality.
This collaboration has led to the following work products:
- Mapping of CSF to Trust Services Principles and Criteria (Security, Confidentiality, and Availability)
- Overview document with frequently asked questions
- HITRUST and SOC 2 reporting template
It is this collaboration between HITRUST and the AICPA that has made the “love affair” between CSF and SOC 2 official. Organizations in the health industry have been patiently waiting for a resolution to the problem of multiple audits over the same processes and policies, and with the HITRUST and SOC 2 reporting collaboration they now have their answer: a love affair between HITRUST CSF and SOC 2.