HITRUST meets SOC 2: Relationship Advice
HITRUST, or the Health Insurance Trust Alliance, is a security organization and the creator of the Common Security Framework (CSF), "a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information." HITRUST also developed a standard security report that addresses risk and compliance issues and lets an organization compare its security posture with others across the industry.
However, when an outside entity seeks information beyond what the HITRUST validated report contains, the reporting mechanism needs to be flexible enough to address other questions, respond to specific security questionnaires, and provide the information that others request. To accomplish this, HITRUST has teamed up with the AICPA to add a Security Organization Controls (SOC) reporting mechanism that either complements the HITRUST validated report or serves as an alternative to it.
Reporting Framework for HITRUST and the AICPA
Recently, the AICPA announced a collaboration with HITRUST to develop a SOC 2 report that incorporates the HITRUST Common Security Framework (CSF). The CSF was built upon other security requirements, including HIPAA, HITECH, PCI, COBIT, NIST and FTC. The AICPA HITRUST working group has developed an illustrative SOC 2 report and performed a mapping between the current TSP Section 100 and HITRUST CSF version 7.
As shown on the mapping document, HITRUST has determined the CSF controls that would apply to each of the criteria within the TSP Section 100. These controls would be tested in a SOC 2 examination by a CPA firm for fairness of presentation and suitability of design (Type 1) or additionally for operating effectiveness (Type 2) according to AICPA standards. One important note is that even though the reporting mechanism is per AICPA standards, the content of the CSF is licensed HITRUST material that can only be utilized for reporting purposes by organizations that have a license to utilize the CSF.
While the CSF content is similar for a HITRUST assessment and a SOC 2 examination, the two reporting options address controls in different ways. A HITRUST validated assessment relies on the PRISMA scoring model for control maturity levels and allows associated corrective action plans (CAPs) for controls that fall short of a minimum maturity level. Conversely, the SOC 2 report incorporates neither the PRISMA maturity scoring nor CAPs in the audited section of the report. Information related to HITRUST control maturity scoring or CAPs would be treated as “unaudited” information provided by management in the SOC 2 report.
What Does the SOC 2 Report Add?
A SOC 2 report expands beyond the standard HITRUST reporting to provide information on a service organization’s controls relevant to one or more of the Trust Services Principles and Criteria for specific users or knowledgeable parties. The AICPA has published some guidance on preparing such a report, commonly referred to as a SOC 2 + Additional Subject Matter report. The guidance outlines example SOC 2 engagements for varying types of subject matter. It also describes the requirements of the service organization when additional subject matter is included in the scope of the engagement.
The AICPA states that the following is required for a service auditor to report on the additional subject matter:
- An appropriate supplemental description of the subject matter;
- A description of the criteria used to measure and present the subject matter; and
- If the criteria are related to controls, a description of the controls intended to meet the control-related criteria and an assertion by management regarding the additional subject matter or criteria.
Implementing the SOC 2 Examination
The SOC 2 examination should be seen not as an obstacle but as a complement to a HITRUST validated assessment already in place, or as an alternative to a HITRUST validated assessment. The examination should be performed according to the AICPA's AT Section 101 and the SOC 2 guide. The resulting report gives auditors, customers, and regulators a greater level of comfort regarding the security, availability, processing integrity, and confidentiality controls in place within the organization for personal health and financial information.
Authors
Debbie Zaller
Debbie is a Principal at Schellman, with over 15 years of IT attestation experience. Debbie currently spearheads the Schellman SOC 2 practice, where she is responsible for internal training, methodology creation, and quality reporting. Debbie also currently serves on the Florida Institute of Certified Public Accountants’ Finance and Office Advisory Committee and was a past member of the Board of Governors.
Gary Nelson
Gary is a Senior Manager at Schellman, with over 14 years of experience. He has experience providing both IT audit and IT consulting services, including financial audit support, IT risk assessments, process and control reviews, revenue assurance projects, IT contract compliance reviews, application and platform security reviews, firewall and network perimeter security reviews, and IT security and risk management policies development and implementation. Gary has provided professional services for multiple Global 1000, Fortune 500, and regional companies during the course of his career.