Have you ever heard the phrase, "What keeps you up at night?" If you're a healthcare executive, there is an ever-growing list of challenges, including patient care, staffing, technology and equipment, facilities, and pandemics. And those are just the primary concerns.
This leaves little room to be consistently overburdened with extra administrative oversight of internal processes, applications, IT infrastructure, and vendors, all of which create significant risks on the business side that could paralyze the patient side of the organization.
Has the organization invested in maintaining controls to appropriately protect the infrastructure and applications against cybersecurity threats? Is the organization HIPAA compliant? What risks to the organization do vendors pose, and how are those risks mitigated?
Each of those questions is critical to understand, and the organization must be taking steps to address them. But how sure are you that appropriate processes have been established to mitigate the business risks?
In 2021, a year in which healthcare providers experienced significant staffing shortages and were at or near capacity limits for substantial stretches, the healthcare industry experienced the largest number of reported security breaches and exposed the largest number of Protected Health Information (PHI) records. According to a report issued by Critical Insight Inc., the number of breaches in the healthcare industry rose 84% between 2018 and 2021, while the number of PHI records exposed rose 218%, emphasizing the need to ensure that controls are maintained throughout the organization to mitigate such threats.
The trend for breaches and records impacted will only continue to climb. In response, healthcare providers and their vendors should be performing assessments of their internal control structure at least annually to consistently evaluate their internal controls and ensure that they have positioned themselves to protect against the latest threats. Some healthcare providers may be required to do so contractually, while others may not; however, even those that are not required would benefit from an organizational perspective, ensuring that they take appropriate steps to protect the organization, staff, and patients.
One mechanism that has become prevalent in evaluating a healthcare organization’s internal controls is through a System and Organization Control (SOC) audit. The product of a SOC audit is a report on the organization’s internal controls. There are multiple flavors of SOC audits, depending on the business need. The key SOC audits that we traditionally see across the healthcare industry include the following:
- SOC 1: Audit intended for organizations providing a service. This report focuses on Internal Controls over Financial Reporting (ICFR).
- SOC 2: Similar to a SOC 1, this report is intended for organizations providing a service. This report focuses on identifying and evaluating controls in place that meet a pre-defined set of criteria covering the controls applicable to the service relative to their Security, Availability, Confidentiality, Processing Integrity, and/or Privacy practices.
- SOC for Cybersecurity: This would be the most useful report for healthcare providers that aren’t providing a service to other organizations. A SOC for Cybersecurity report is intended to be a general distribution report. This type of report is designed to identify and evaluate the entire organization or a portion of the organization’s cybersecurity program.
The main benefit of a SOC audit is that it provides an independent assessment of the controls that have been established. This can be especially useful when an organization seeks to ensure that it has taken appropriate measures to protect itself against breaches. In the event a breach does occur, the SOC report can be provided to regulators as a tool to support that the organization was exercising reasonable due diligence to protect against breaches. This would be one of the criteria evaluated if the Department of Health and Human Services' Office for Civil Rights (OCR) or state attorneys general needed to assess the penalties to be considered following a breach.
As a component of evaluating risk, one of the most overlooked threats an organization faces comes from the vendors it utilizes, and monitoring them is often neglected. According to the Critical Insight report, these vendors, or business associates, accounted for over 23% of PHI records exposed. As a result, it is essential not only for healthcare providers to evaluate their own internal control set, but also to ensure that their controls include mechanisms to evaluate and manage their vendor risks. In essence, they should establish vendor management practices to evaluate their vendors consistently. One commonly used way to monitor vendors on an ongoing basis is to contractually require them to obtain their own SOC report at least annually. The provider's role then becomes to review the SOC reports from its vendors to ensure that their controls are reasonable and operating effectively to mitigate the risk that each vendor poses to that provider.
Many healthcare executives don’t think of a Certified Public Accounting (CPA) firm as their go-to organization when it comes to IT controls. However, the professionals performing these internal control assessments are well versed in understanding the complexity of laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH); control frameworks, such as those from NIST, HITRUST, and ISO; as well as being able to identify and evaluate the controls that have been established to address components of those laws and regulations and control frameworks. In fact, only licensed CPA firms are able to issue SOC reports.