HITRUST vs SOC 2: How to Choose
A HITRUST certification or a SOC 2 report, what’s best for your organization? At CompliancePoint, we’ve worked with many organizations that didn’t understand what option made the most sense for their operations. To clarify the decision, here are the key factors organizations must consider when making the HITRUST vs SOC 2 choice.
HITRUST is a Common Security Framework (CSF) primarily designed to help healthcare companies protect and manage sensitive data. The highly regarded framework was designed to encompass other information security and privacy regulations including NIST, ISO 27001, PCI DSS, HIPAA, and GDPR. A HITRUST certification gives organizations the ability to demonstrate regulatory compliance with multiple standards and regulations through one certification.
Organizations have three HITRUST assessment options to choose from. All options require the organization to use a HITRUST assessor firm to evaluate their control maturity for submission to HITRUST for certification.
HITRUST Essentials, 1-year (e1): The e1 is designed as a lower-effort assessment focusing on basic cybersecurity hygiene and addressing what HITRUST identified as the most critical cybersecurity practices. There are 44 e1 controls that are standardized with no scoping required.
HITRUST CSF Implemented, 1-year (i1) Validated Assessment: The i1 is a certifiable assessment option that represents a midrange in terms of time, effort, and cost. There are approximately 180 i1 controls, including all the controls in the e1, that cannot be customized.
HITRUST CSF Risk-based, 2-Year (r2) Assessment: The r2 requires the most significant commitment to obtain, but it is a highly regarded certification that demonstrates an organization’s dedication to the highest level of data security. The r2 contains more than 2,000 controls, but your organization’s scope can be customized to match its operations. An r2 Assessment will include all the controls in the i1 plus additional controls based on the risk factors for the organization being assessed. Most businesses will have a control count between 200-800.
SOC 2 Basics
SOC 2 is a data security reporting framework developed by the American Institute of CPAs (AICPA) focused on the secure handling and management of customer data. Service providers utilize SOC 2 most frequently.
SOC 2 is more flexible than other security frameworks because it allows organizations to design and implement their own controls. The standard focuses on the Trust Service Criteria with five AICPA Trust Service Categories to choose from: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The Security category is required for all SOC 2 reports and the others depend on the type of service organization and requirements from requesting parties.
Unlike HITRUST, there is no certification for SOC 2. Organizations obtain a SOC 2 report via an audit and receive an attestation from a third-party auditor. There are two types of SOC 2 report: Type 1 and Type 2.
Type 1 report: Describes a vendor’s environment and whether the security control design is suitable to meet relevant principles. This report is a point-in-time evaluation of the design of a security program.
Type 2 report: Tests both the design of the controls and the operating effectiveness of those controls over a period of time. This report is an evaluation of the execution of a security program.
The SOC 2 Type 2 is the more valuable report because it demonstrates a greater commitment to data security. The Type 1 report could be a good option for businesses or organizations working towards a security certification for the first time.
If your organization is having the HITRUST vs SOC 2 debate, these are some of the key factors that need to be considered:
Know what your current customers, prospects, and/or partners require from their vendors in terms of security frameworks. Many large players in healthcare require their partners to be HITRUST certified. The same thing can be said about SOC 2 in the financial and banking world. Don’t let a lack of proper security and compliance be the cause of losing a customer or missing out on new business.
If your business isn’t currently required by a customer to comply with HITRUST or SOC 2 standards, consider the future requirements it could face in its target industries. Businesses that hope to work with insurance providers, hospital systems, and other healthcare companies will likely eventually encounter a HITRUST requirement. For businesses not in the healthcare space, a HITRUST certification might not make sense, and SOC 2 may be the more appropriate path.
Security Program Maturity
Organizations need to assess the maturity of the security program they have in place. Do you have security procedures and policies already implemented? Do you have the staff to spearhead a large certification project?
If the answer to these questions is no, your business likely isn’t ready to take on the full HITRUST r2 framework. A more manageable framework like SOC 2, the HITRUST e1 or i1, or even NIST will be a more practical option.
Healthcare organizations that lack a mature security program but have HITRUST certification as a goal will still benefit from a SOC 2 report. The security controls implemented during the SOC 2 process can serve as a solid foundation for a HITRUST certification in the future.
If an organization has only a short time to demonstrate compliance with a security framework, a SOC 2 Type 1 report or the HITRUST e1 are the fastest options.
What to Do If You Need Both
There are overlapping requirements between SOC 2 and HITRUST. If your organization needs both a SOC 2 report and a HITRUST certification, your HITRUST assessor and your CPA firm can work together to identify those overlaps and reuse the work performed and evidence gathered, reducing redundant tasks.
CompliancePoint is an authorized HITRUST CSF Assessor. Our team of healthcare and cybersecurity professionals can help your organization through every step of the HITRUST certification process. Our team also has guided many organizations through successful SOC 2 audits. Contact us at firstname.lastname@example.org to learn more about how we can help.
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.