We recently completed our latest System and Organization Controls (SOC 2) Type 2 examination. But what does that mean for us as an organization—and for you as our customer?
At MedStack, keeping customer and stakeholder data secure is our top priority. To verify that our systems and controls are designed appropriately to achieve that goal, we once again sought an independent third-party attestation.
In this blog post, we’ll explain what a SOC 2 report is, what it covers, and why we chose to undergo this rigorous compliance audit.
What is a SOC 2 report?
Obtaining a SOC 2 report is one way for a service organization to demonstrate that the controls protecting its systems and customer data have been independently examined.
Completing a SOC 2 examination with a licensed CPA firm does not result in a certification. Instead, the resulting CPA's report is a tool that helps an organization communicate whether the internal controls it has put in place to govern the security of customers', partners', and stakeholders' data are suitably designed, implemented, and maintained.
In simpler terms, a SOC 2 report provides an avenue for current and potential stakeholders to assess risk by giving them a closer look at the policies and procedures put in place to ensure an organization’s services are provided safely and reliably.
What does a SOC 2 report cover?
All SOC 2 examinations are performed by licensed CPA firms under the AICPA's attestation standards (SSAE 18). The auditor tests the controls the organization has described and maps them to one or more of the Trust Services Criteria (TSC) established by the American Institute of Certified Public Accountants (AICPA).
The AICPA's Trust Services Criteria are organized into the following categories:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The HIPAA Security Rule is not itself one of the Trust Services Criteria, but a SOC 2 examination can be extended to cover additional subject matter. In that case the auditor also examines whether the system meets the applicable requirements of the HIPAA Security Rule, issued by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act.
The scope of a SOC 2 report can also vary with regard to the time period covered.
SOC 2 Type 1 reports examine whether an organization's controls are suitably designed as of a single point in time and include a description of the controls tested.
SOC 2 Type 2 reports examine whether controls are both suitably designed and operating effectively over a period of time, usually between three and 12 months, and include both the controls tested and the auditor's test results.
Why did MedStack undergo a SOC 2 exam?
Our annual SOC 2 examination demonstrates our commitment to data security and helps ensure that we're prepared for an ever-changing cybersecurity landscape.
This year's audit, performed by BARR Advisory, resulted in a CPA's report concluding that MedStack has appropriate controls in place to mitigate risks related to Security, Availability, and Confidentiality, along with the applicable HIPAA Security Rule requirements.
For MedStack customers, the controls associated with these three criteria are inheritable, up to 100%, which makes it significantly easier to prepare for and undergo their own audits. To our knowledge, no other platform passes through this much audit evidence as a benefit to its digital health customers.
| SOC 2 Type 2 Trust Services Criteria | Coverage Handled by MedStack Products |
|---|---|
| Security | Up to 100% |
| Availability | Up to 100% |
| Confidentiality | Up to 100% |
Where can I go for more information?
Current and prospective customers interested in obtaining a copy of MedStack’s SOC 2 report may contact us directly.