Published on: August 1, 2014
Healthcare organizations are seeking more efficiencies in the compliance reporting process while demand for CSF Certifications and SOC 2 reports is increasing
The Health Information Trust Alliance (HITRUST), the leading organization supporting the healthcare industry in advancing the state of information protection and responsible for the development of the Common Security Framework (CSF), announced today a collaboration with the American Institute of CPAs (AICPA) to develop and publish a set of recommendations to streamline and simplify the use of the CSF and CSF Assurance programs in the AICPA’s Service Organization Control (SOC) reporting, the accounting standards for reporting on service organization controls.
This approach will provide healthcare organizations that must comply with HIPAA or other regulatory requirements the ability to leverage one comprehensive, scalable and up-to-date framework relevant to their organization type. This means healthcare organizations can more easily meet the wide and varied array of information protection regulations, standards, best practices and other information protection requirements and streamline and support their SOC 2 reporting requirements.
“HITRUST has been championing the need for greater efficiencies in the industry’s information protection compliance programs and striving for more consistency, fewer redundancies and greater efficiencies in the current assessment and reporting practices both within and between organizations,” said Ken Vander Wal, Chief Compliance Officer, HITRUST. “Establishing guidance that enables organizations to leverage the CSF for their SOC 2 reporting is another win for industry.”
Some of the benefits to healthcare organizations include:
- Leveraging the HITRUST CSF controls in SOC 2 engagements
- Realizing significant time efficiencies and cost savings through synergies between the CSF controls and Trust Services Principles and Criteria
- Reducing the inefficiencies and costs associated with multiple control frameworks and reporting requirements
The collaboration is also expected to help manage the increasing risks that third-party vendors can introduce, by providing a comprehensive control framework whose controls and requirements address those risks.
“Vendor risk management is a component of enterprise risk management that is receiving ever-increasing attention, particularly as organizations use cloud services to store and process confidential information,” said Chris Halterman, Executive Director, Ernst & Young LLP. “By using a SOC 2 report to communicate how it has implemented the HITRUST CSF controls, a service provider might efficiently and effectively demonstrate compliance with its vendor risk management responsibilities and reduce the amount of time and effort required by its clients to support vendor risk assessments.”
This new cooperative development between the AICPA and HITRUST has begun with the formation of a working group consisting of AICPA member firm representatives and an industry advisory group consisting of industry representatives. As a starting point, the working and advisory groups will have access to an existing mapping of the CSF controls to the Trust Services principles and criteria for security, availability, and confidentiality.
“As the CISO of an organization that receives many information security compliance reporting requests, it is crucial we evaluate how to most efficiently communicate the information protection controls we have in place,” said Roy Mellinger, Vice President and Chief Information Security Officer, WellPoint. “Being able to leverage the HITRUST CSF as the controls framework for our SOC 2 reporting speaks to the comprehensiveness of the CSF and achieves the ‘assess once, report many’ approach industry has been seeking.”
The guidance and recommendations from the working group are expected to be available within six to nine months.