Safeguarding customer information and adhering to strict government regulations are critical for healthcare organizations. But organizations must do more: They must also prove compliance and provide assurances to customers and partners that they are truly securing data and maintaining privacy. Earning a certification or producing a report that confirms compliance can alleviate concerns and open new business opportunities.
Both the HITRUST Common Security Framework (CSF) and the SOC 2 examination for service organizations can deliver proof and provide assurances. But which compliance framework is the right one for your organization?
Understanding the differences between these two voluntary frameworks, identifying the benefits of each, and seeing where they overlap can help your organization decide whether one or both should play a role in your compliance strategy.
HITRUST (originally an acronym for the Health Information Trust Alliance) is a privately held organization founded in 2007 that has become a leading source for standards development and certification. The organization created HITRUST certification to help healthcare organizations demonstrate compliance with key regulations for data privacy and security, including HIPAA (the Health Insurance Portability and Accountability Act of 1996). HITRUST continuously updates its certification framework to help organizations protect themselves from the newest threats and adhere to the latest standards.
SOC 2 was created by the American Institute of Certified Public Accountants (AICPA) to evaluate the effectiveness of a service organization’s controls for securely managing customer data. Though SOC 2 was released in 2010 (and made effective in 2011), it reflects the evolution of auditing standards that were created and modified between 1972 and 1992.
SOC 2 is one of three types of SOC (System and Organization Controls) reports released by AICPA:
HITRUST certification was initially developed for the healthcare industry, though it can now be used for organizations outside of healthcare. Its central aim is to verify compliance with stringent regulations on data privacy and security. Before HITRUST certification was introduced, healthcare organizations could not easily prove they were adequately safeguarding Protected Health Information (PHI)—and many organizations were not.
The HITRUST CSF provides a comprehensive framework for complying with HIPAA as well as other regulations and standards, including:
The HITRUST CSF includes controls focused on specific requirements for security and privacy. An organization might need to implement several hundred controls to be eligible for the highest level of HITRUST certification.
SOC 2 can be used by any service organization that handles sensitive customer information. Those organizations might include Software-as-a-Service (SaaS) providers, financial services businesses, analytics companies, cloud service providers, as well as healthcare organizations.
The resulting SOC 2 report centers on five principles, called Trust Services Criteria:
Despite some similarities, HITRUST and SOC 2 employ distinct approaches to achieving their aims. HITRUST certification is prescriptive: The CSF establishes numerous control objectives and specifies precise tasks for achieving those objectives. By contrast, SOC 2 is based on principles: Organizations have the flexibility to determine which controls to implement so they can best comply with SOC 2 trust principles.
Consequently, the assessment process is different for HITRUST and SOC 2. In the HITRUST certification process, a third-party assessor evaluates an organization’s controls against the standard defined by HITRUST. With SOC 2, a third-party auditor evaluates the controls defined by the organization.
The end results of these assessments are likewise distinct. HITRUST provides a certification that an organization has met the very high standards for security outlined by HITRUST in the CSF. The result of a SOC 2 examination is an attestation report—an opinion that provides assurances about the effectiveness of the security controls in place.
Organizations can choose from multiple assessment and reporting options whether they are pursuing HITRUST certification, SOC 2 attestation, or both.
HITRUST offers:
AICPA offers:
When organizations are using both the HITRUST framework and SOC 2 principles, they can choose:
The amount of time required for these processes varies according to the organization and its choices. For example, a SOC 2 Type I audit might require up to six months; a combined SOC 2 audit, HITRUST audit, and HITRUST certification process could take nine months to a year.
Many organizations do not have the resources to undertake the distinct processes of earning HITRUST certification and conducting a SOC 2 audit. Fortunately, HITRUST and the AICPA have worked together to directly map some CSF controls to SOC 2 Trust Services categories. So, for example, if you implement the 44 HITRUST controls needed for an e1 assessment and certification, you will substantially reduce the number of controls you need for the SOC 2 audit.
Of course, there will remain some HITRUST controls that do not map directly to SOC 2. If you begin preparing for a SOC 2 audit, you might still need to implement numerous additional controls for a HITRUST r2 assessment.
There are multiple benefits to HITRUST certification. First, working to meet the rigorous requirements for HITRUST certification will help your organization better protect sensitive healthcare data and IT systems from a growing number of security threats.
Second, achieving that certification gives your partners and customers the confidence that your organization won’t be a target or vector for attacks. Because it is tailored to the healthcare industry, HITRUST certification signals that you are particularly well equipped to maintain privacy and security for healthcare data, and defend against threats that target healthcare organizations. At the same time, though, HITRUST provides the framework for complying with regulations that extend beyond healthcare.
HITRUST certification can give you a competitive edge. Earning certification puts you in a select tier of healthcare organizations. As large organizations increasingly require HITRUST certification of partners, you can win contracts for which non-certified businesses can’t compete.
Because HITRUST certification evaluates organizations against a defined standard, it might be considered more valuable than a SOC 2 report for healthcare organizations. However, the process of achieving certification could also require more time, effort, and money than preparing for a SOC 2 examination.
SOC 2 is well recognized across multiple industries as a rigorous report. Whether you are interacting solely with other healthcare organizations or with businesses in multiple fields, the report can quickly affirm that you are meeting key criteria for security, availability, processing integrity, confidentiality, and privacy. Like a HITRUST certification, a SOC 2 report can help you stand out among competitors, providing assurance that you have solid practices in place for protecting sensitive data.
Also similar to the HITRUST certification process, preparing for a SOC 2 examination can help spur you to implement stronger controls and streamline processes. You can reduce your vulnerabilities and enhance efficiency.
SOC 2 compliance offers greater flexibility than the more prescriptive HITRUST certification process. Consequently, preparing for a SOC 2 audit might require less time and fewer resources than working toward HITRUST certification.
There are several potential advantages to combining HITRUST and SOC 2 reports. Doing so provides a more comprehensive view of your security and compliance posture than pursuing either report separately. Moreover, combining the healthcare-specific HITRUST report with the cross-industry SOC 2 report shows that you can satisfy a broad range of requirements for maintaining security and privacy. And because there is some overlap with the controls needed for both frameworks, you can save time and money by pursuing a combined report rather than working to produce distinct reports.
Should your organization choose an integrated report? First, consider the level of overlap between HITRUST and SOC 2 controls. A high degree of overlap can certainly enhance the efficiency of your preparatory work, but remember there will still be controls that do not map directly between HITRUST and SOC 2. For example, you might need to add controls to meet SOC 2 criteria for availability and confidentiality, which will require your organization to dedicate more resources to the initiative.
Also consider whether a SOC 2 report will truly help your organization. If you are operating exclusively within the healthcare industry, and your customers and partners do not require SOC 2 reporting, it might be more beneficial for you to focus on HITRUST certification only.
Finally, before committing to a combined reporting option, carefully evaluate all your costs. Working toward a combined report will likely save your organization money compared with pursuing HITRUST certification and a SOC 2 assessment separately. But the combined effort could still cost more than one effort alone. You’ll need to determine whether the added costs will be worth the benefits.
Both HITRUST certification and SOC 2 reporting can help your organization strengthen its security posture while clearly demonstrating regulatory compliance and use of best practices. Choosing one or both will depend in part on your organization’s industry, your systems, and your compliance needs. You should also evaluate the scope and focus of each type of report, and determine which better suits your requirements.
The time, costs, and resources needed to support HITRUST certification and SOC 2 attestation should factor into your decisions. As you compare costs, remember you can capitalize on the overlaps between the two compliance frameworks to streamline your work, saving time and money.
Whichever path you choose, Cloudticity can help you design and optimize a compliance strategy for your specific business requirements. To learn more, contact us today for a free consultation.
If you choose the HITRUST route, there are ways to accelerate your journey. Using public cloud service providers like Amazon Web Services, Microsoft Azure, or Google Cloud Platform can significantly cut down on the work needed to achieve HITRUST.
If you want to understand how much time and money HITRUST might require of your organization, try the HITRUST Cost Calculator tool. Or schedule a free consultation to learn how Cloudticity might be able to help you achieve HITRUST 25-62% faster.