Understanding HITRUST vs SOC 2
Safeguarding customer information and adhering to strict government regulations are critical for healthcare organizations. But organizations must do more: They must also prove compliance and provide assurances to customers and partners that they are truly securing data and maintaining privacy. Earning a certification or producing a report that confirms compliance can alleviate concerns and open new business opportunities.
Both the HITRUST Common Security Framework (CSF) and the SOC 2 examination for service organizations can deliver proof and provide assurances. But which compliance framework is the right one for your organization?
Understanding the differences between these two voluntary frameworks, identifying the benefits of each, and seeing where they overlap can help your organization decide whether one or both should play a role in your compliance strategy.
HITRUST vs SOC 2 Origin and Development
HITRUST (originally an acronym for the Health Information Trust Alliance) is a privately held organization founded in 2007 that has become a leading source for standards development and certification. The organization created HITRUST certification to help healthcare organizations demonstrate compliance with key regulations for data privacy and security, including HIPAA (the Health Insurance Portability and Accountability Act of 1996). HITRUST continuously updates its certification framework to help organizations protect themselves from the newest threats and adhere to the latest standards.
SOC 2 was created by the American Institute of Certified Public Accountants (AICPA) to evaluate the effectiveness of a service organization’s controls for securely managing customer data. Though SOC 2 was released in 2010 (and made effective in 2011), it reflects the evolution of auditing standards that were created and modified between 1972 and 1992.
SOC 2 is one of three types of SOC (System and Organization Controls) reports released by the AICPA:
- SOC 1 focuses on internal financial controls.
- SOC 2 reports on security and controls for an organization’s management, customers, and auditors.
- SOC 3 presents SOC 2 results for a public audience.
The Basis for HITRUST
HITRUST certification was initially developed for the healthcare industry, though it can now be used for organizations outside of healthcare. Its central aim is to verify compliance with stringent regulations on data privacy and security. Before HITRUST certification was introduced, healthcare organizations could not easily prove they were adequately safeguarding Protected Health Information (PHI)—and many organizations were not.
The HITRUST CSF provides a comprehensive framework for complying with HIPAA as well as other regulations and standards, including:
- The Health Information Technology for Economic and Clinical Health (HITECH) Act
- International Organization for Standardization (ISO) standards
- The European Union’s General Data Protection Regulation (GDPR)
- National Institute of Standards and Technology (NIST) standards
- The Payment Card Industry Data Security Standard (PCI DSS)
The HITRUST CSF includes controls focused on specific requirements for security and privacy. An organization might need to implement several hundred controls to be eligible for the highest level of HITRUST certification.
The Basis for SOC 2
SOC 2 can be used by any service organization that handles sensitive customer information. Those organizations might include Software-as-a-Service (SaaS) providers, financial services businesses, analytics companies, cloud service providers, as well as healthcare organizations.
The SOC 2 report centers on five principles, called Trust Services Criteria:
- Security: This principle, which must be addressed for SOC 2 compliance, focuses on whether an organization has sufficient controls to prevent unauthorized access, safeguard change management, monitor system operations, mitigate risk, and more.
- Availability: Organizations must ensure their systems are available for users. They should identify all potential threats to availability.
- Processing integrity: Data processing should be complete, valid, accurate, timely, and authorized. Organizations should keep detailed logs of operations.
- Confidentiality: Information designated as confidential within a system should be protected from unauthorized users.
- Privacy: Organizations must ensure they are collecting, using, retaining, and disposing of personal data in responsible ways. And they must inform customers about how they are doing so.
Key Differences Between HITRUST and SOC 2
Despite some similarities, HITRUST and SOC 2 employ distinct approaches to achieving their aims. HITRUST certification is prescriptive: The CSF establishes numerous control objectives and specifies precise tasks for achieving those objectives. By contrast, SOC 2 is based on principles: Organizations have the flexibility to determine which controls to implement so they can best comply with SOC 2 trust principles.
Consequently, the assessment process is different for HITRUST and SOC 2. In the HITRUST certification process, a third-party assessor evaluates an organization’s controls against the standard defined by HITRUST. With SOC 2, a third-party auditor evaluates the controls defined by the organization.
The end results of these assessments are likewise distinct. HITRUST provides a certification that an organization has met the very high standards for security outlined by HITRUST in the CSF. The result of a SOC 2 examination is an attestation report—an opinion that provides assurances about the effectiveness of the security controls in place.
HITRUST vs SOC 2 Reporting Options
Organizations can choose from multiple assessment and reporting options whether they are pursuing HITRUST certification, SOC 2 attestation, or both.
HITRUST offers:
- HITRUST Essentials 1-year (e1) Assessment: An entry-level validated assessment and certification.
- HITRUST Implemented, 1-year (i1) Assessment: A moderate level of assurance that organizations have adequately addressed cybersecurity threats.
- HITRUST Risk-based, 2-year (r2) Assessment: The most rigorous assessment, with the most comprehensive set of control requirements. An interim assessment must be conducted every other year.
AICPA offers:
- SOC 2 Type I audit: An attestation to the design and implementation of controls at a single point in time.
- SOC 2 Type II audit: Attestation to the design, implementation, and operating effectiveness of controls over a period of time, usually between 3 and 12 months. The attestation can be renewed yearly.
When organizations are using both the HITRUST framework and SOC 2 principles, they can choose:
- SOC 2 reporting only: A report for a Type I or Type II audit.
- SOC 2 + HITRUST reporting: A combined report that evaluates the design and operating effectiveness of controls relevant to both SOC 2 and the HITRUST CSF.
- HITRUST certification only: The certification that an organization has met rigorous HITRUST requirements.
- SOC 2 audit + HITRUST audit + HITRUST certification: The organization undertakes both SOC 2 and HITRUST audits, receiving a SOC 2 report and HITRUST certification.
The amount of time required for these processes varies according to the organization and its choices. For example, a SOC 2 Type I audit might require up to six months; a combined SOC 2 audit, HITRUST audit, and HITRUST certification process could take nine months to a year.
Mapping Options Between HITRUST and SOC 2
Many organizations do not have the resources to undertake the distinct processes of earning HITRUST certification and conducting a SOC 2 audit. Fortunately, HITRUST and the AICPA have worked together to directly map some CSF controls to SOC 2 Trust Services categories. So, for example, if you implement the 44 HITRUST controls needed for an e1 assessment and certification, you will substantially reduce the number of controls you need for the SOC 2 audit.
Of course, there will remain some HITRUST controls that do not map directly to SOC 2. If you begin preparing for a SOC 2 audit, you might still need to implement numerous additional controls for a HITRUST r2 assessment.
Benefits of HITRUST Certification
There are multiple benefits to HITRUST certification. First, working to meet the rigorous requirements for HITRUST certification will help your organization better protect sensitive healthcare data and IT systems from a growing number of security threats.
Second, achieving that certification gives your partners and customers the confidence that your organization won’t be a target or vector for attacks. Because it is tailored to the healthcare industry, HITRUST certification signals that you are particularly well equipped to maintain privacy and security for healthcare data, and defend against threats that target healthcare organizations. At the same time, though, HITRUST provides the framework for complying with regulations that extend beyond healthcare.
HITRUST certification can give you a competitive edge. Earning certification puts you in a select tier of healthcare organizations. As large organizations increasingly require HITRUST certification of partners, you can win contracts for which non-certified businesses can’t compete.
Because HITRUST certification evaluates organizations against a defined standard, it might be considered more valuable than a SOC 2 report for healthcare organizations. However, the process of achieving certification could also require more time, effort, and money than preparing for a SOC 2 examination.
Benefits of SOC 2 Examination
SOC 2 is well recognized across multiple industries as a rigorous report. Whether you are interacting solely with other healthcare organizations or with businesses in multiple fields, the report can quickly affirm that you are meeting key criteria for security, availability, processing integrity, confidentiality, and privacy. Like a HITRUST certification, a SOC 2 report can help you stand out among competitors, providing assurance that you have solid practices in place for protecting sensitive data.
Also similar to the HITRUST certification process, preparing for a SOC 2 examination can help spur you to implement stronger controls and streamline processes. You can reduce your vulnerabilities and enhance efficiency.
SOC 2 compliance offers greater flexibility than the more prescriptive HITRUST certification process. Consequently, preparing for a SOC 2 audit might require less time and fewer resources than working toward HITRUST certification.
Combining HITRUST and SOC 2 Reports
There are several potential advantages to combining HITRUST and SOC 2 reports. Doing so provides a more comprehensive view of your security and compliance posture than pursuing either report separately. Moreover, combining the healthcare-specific HITRUST report with the cross-industry SOC 2 report shows that you can satisfy a broad range of requirements for maintaining security and privacy. And because there is some overlap with the controls needed for both frameworks, you can save time and money by pursuing a combined report rather than working to produce distinct reports.
Factors to Consider for Integrated Reports
Should your organization choose an integrated report? First, consider the level of overlap between HITRUST and SOC 2 controls. A high degree of overlap can certainly enhance the efficiency of your preparatory work, but remember there will still be controls that do not map directly between HITRUST and SOC 2. For example, you might need to add controls to meet SOC 2 criteria for availability and confidentiality, which will require your organization to dedicate more resources to the initiative.
Also consider whether a SOC 2 report will truly help your organization. If you are operating exclusively within the healthcare industry, and your customers and partners do not require SOC 2 reporting, it might be more beneficial for you to focus on HITRUST certification only.
Finally, before committing to a combined reporting option, carefully evaluate all your costs. Working toward a combined report will likely save your organization money compared with pursuing HITRUST certification and a SOC 2 assessment separately. But the combined effort could still cost more than one effort alone. You’ll need to determine whether the added costs will be worth the benefits.
Guidance for Optimizing Compliance Strategy
Both HITRUST certification and SOC 2 reporting can help your organization strengthen its security posture while clearly demonstrating regulatory compliance and use of best practices. Choosing one or both will depend in part on your organization’s industry, your systems, and your compliance needs. You should also evaluate the scope and focus of each type of report, and determine which better suits your requirements.
The time, costs, and resources needed to support HITRUST certification and SOC 2 attestation should factor into your decisions. As you compare costs, remember you can capitalize on the overlaps between the two compliance frameworks to streamline your work, saving time and money.
Whichever path you choose, Cloudticity can help you design and optimize a compliance strategy for your specific business requirements. To learn more, contact us today for a free consultation.
Guidance for Accelerating HITRUST Certification
If you choose the HITRUST route, there are ways to accelerate your journey. Using public cloud service providers like Amazon Web Services, Microsoft Azure, or Google Cloud Platform can significantly cut down on the work needed to achieve HITRUST.
Read the Blog: How to Accelerate HITRUST Certification on the Cloud
If you want to understand how much time and money HITRUST might require of your organization, try the HITRUST Cost Calculator tool. Or schedule a free consultation to learn how Cloudticity might be able to help you achieve HITRUST 25-62% faster.