S2 E33: Deciding Between SOC 2 and HITRUST
Transcript
Jordan Eisner: Well, here we are. Thank you, everybody who’s watching and listening to another episode of CompliancePointers. I am your host, Jordan Eisner, VP of Sales at CompliancePoint. CompliancePointers is a podcast where we talk about information security, data privacy, and regulatory compliance as it pertains to these areas and organizational risk.
We’ve got a first-timer on the show today, Brooke Gardner. Hey, Brooke.
Brooke Gardner: Hello.
Jordan Eisner: Coming to us live from Indiana. Fort Wayne.
Brooke Gardner: Yeah. Northeast Indiana.
Jordan Eisner: What people need to know about Brooke: she’s been working in this industry, and in SOC 2 and HITRUST, which we’re going to be talking about today, for 20 years, somehow, since you were a teenager or even younger.
Brooke Gardner: Right. I was about 10.
Jordan Eisner: Yeah. I was looking at your about me, and for those people watching, they’re probably thinking, why does he keep looking down? Well, I had to print out all the different certs that Brooke holds.
Audience, bear with us. CCSFP, CHQP, CPA, CISSP, CISA, CIA, CITP, CHC, and then your HITRUST certified assessor too. Quite a rap sheet. You know a little bit about what you’re talking about.
Brooke Gardner: I think so.
Jordan Eisner: Well, it’s good to have you on, and this is a common topic that we are discussing with organizations, at least I run into it quite a bit. You probably do as well and others listening to this maybe do. That’s SOC 2 and HITRUST, which is better, which should we go down, do them at the same time, and so on and so on.
We’re going to compare those. We’re going to compare and contrast. We’re going to specifically look at which security standard makes the most sense for small and mid-sized businesses.
Yeah. Break that down a little bit. You, being a CPA, conducting SOC 2 audits but also being a HITRUST-certified assessor and doing HITRUST assessments, you’re a good source for this information and the key differences between the two.
Let’s start simple. Can you give a quick overview of each standard for our listeners that maybe want that to start?
Brooke Gardner: Sure. Yeah. I’ll start with SOC 2. That was developed by the American Institute of CPAs, the AICPA, originally designed for service organizations that handle customer data. It’s especially relevant for tech companies and Cloud service providers where secure data handling is critical.
It focuses on the trust services criteria, which includes security, availability, processing integrity, confidentiality, and privacy. Then the controls in SOC 2 are designed to meet those trust services criteria.
HITRUST is based on the HITRUST CSF, their common security framework. It was primarily designed to help healthcare companies protect and manage sensitive data. But it’s evolved over the years to be relevant for various sectors. It combines multiple standards and just a few of those are ISO, NIST, and HIPAA all into a single framework.
I will point out to you that I have been doing SOC 2 for 20 years, but HITRUST hasn’t been around for quite that long, but I’ve been around since its origination.
Jordan Eisner: Yeah. Good correction. But similar stuff. I know with SOC 2, it’s more yes, it’s based on trust services criteria and controls, but the organization controls a little bit more what they’re audited against than HITRUST per se.
Brooke Gardner: For sure. Yeah. HITRUST is very scriptive. They give you the controls. SOC 2, you get to write your own for the most part as long as they meet those criteria.
Jordan Eisner: Right. Then SOC 2 is CPA firms, they do the auditing and then with HITRUST, you have to be approved HITRUST CSF assessor, at least that was a term that you said. Do they have a special term for it now or is that it?
Brooke Gardner: They call it assessor firms. So the firm itself has to be approved, and then in order to work on the assessment itself, a certain number of the people that work on it have to be certified through HITRUST to do so.
Jordan Eisner: Got you. Yeah. For those listening and watching, CompliancePoint is a CPA firm, so we can do the SOC 2 audits and we can do the HITRUST certifications as well.
Jordan Eisner: What are the benefits of SOC 2 and then following that, what are the benefits of a HITRUST certification?
Brooke Gardner: Sure. Yeah. I’ll start. Some of the benefits of SOC 2, first, they have a clear focus on some key areas. A SOC 2 evaluates how well your company handles information security and privacy based on the five trust services criteria. So that helps make it easy to see where you stand along those criteria.
It also has customizable reports. So SOC 2 reports can be tailored to your business’s specific needs and provides relevant information to your stakeholders. SOC 2 allows companies to write their own controls, which you kind of mentioned, as the framework does not have pre-written controls that are required like HITRUST does.
SOC 2 instead has the trust services criteria that must be met. And the company, along with their CPA firm, can decide the specifics for how to meet those criteria. And that allows for a little bit more customization and flexibility for companies to decide what’s best for their specific environment.
Lastly, on the SOC 2, it’s typically ideal for tech and service providers. SOC 2 is highly valued in the tech and cloud service sectors. It showcases your commitment to maintaining high standards and data security.
So jumping over to the HITRUST and benefits of getting the HITRUST certification, it’s one framework for many standards. It’s kind of a term that HITRUST has. It simplifies compliance by merging various standards into one framework. And that’s very helpful if you have multiple regulatory requirements that you have to meet.
Some of the frameworks that can be incorporated into a HITRUST assessment are HIPAA, NIST, FISMA, MARS-E, FedRAMP, and PCI. There’s a lot. There are a lot of others also.
And while it doesn’t replace all the requirements for those frameworks, it can definitely be helpful for companies looking to enter those spaces and can show their clients that they’re making progress in that direction.
HITRUST is also versatile across industries. So although it started in healthcare, HITRUST is now applicable to many other industries. So that helps make it a very flexible option.
So we see a lot of companies with a focus on providing software or technology in the health care space are required to obtain the certification in order to do business with certain clients. So they’re kind of forced to go the HITRUST route in a lot of cases.
Lastly, for HITRUST, it has a focus on risk management. So HITRUST helps you not just comply with regulations, but also manage and improve your security posture.
Jordan Eisner: And then SOC 2, there’s a type 1 and there’s a type 2. And you’re going to correct me if I’m wrong on any of this, but type 1 is just a point-in-time audit, right?
So the point of controls in place in the type 2 is over a period of time, usually six months or 12 months. I’ve seen them the shortest three months, but that’s the idea there.
Brooke Gardner: Yeah.
Jordan Eisner: HITRUST has some similarities in that the controls need to bake for a period, not necessarily twelve months or six months, but a lot of them 90 days at least, they need to show it’s in place, some 60 days. But then there’s various types of HITRUST. They keep coming out with more.
Brooke Gardner: Yeah, they do.
Jordan Eisner: And then the last time we did a podcast, I think it was E1, I1, R2, and now there’s E1 plus HIPAA. Has there been any more that have emerged?
Brooke Gardner: Did you mention the I1? Yeah, the I1, R2, E1, yeah. And then there’s readiness assessments, but those don’t generate reports through HITRUST at least. But I think you got them all.
Jordan Eisner: Well, now I think the main point of the podcast, right, so the big question, that’s for businesses and our listeners here trying to decide between HITRUST and SOC 2, especially now, given the relevancy of what you talked about just recently with HITRUST expanding beyond just healthcare, and having all those different frameworks and regulations that you can build into your HITRUST certification, being multi-industry, for businesses trying to decide between HITRUST and SOC 2, what are the key differences, and how should those differences influence their decision?
Brooke Gardner: I’ll start with the scope and coverage of the two. HITRUST covers a lot of ground, like I said, because it combines several standards into one framework, so that makes it suitable for businesses with complex compliance needs.
SOC 2, however, focuses specifically on data security and privacy, which may be simpler if your primary concern is how you handle customer information.
Also, the industry fit. So HITRUST is great for industries with tough regulatory requirements like healthcare. If your business operates in the tech or service space, like we’ve said a few times, SOC 2 is widely recognized and may better align with your needs.
The biggest difference, in my opinion, is the certification process. HITRUST certification process involves a thorough assessment and often requires more time and resources than a SOC 2. HITRUST requires an external assessor firm, like we talked about earlier, to review all the relevant controls and documentation, and then also includes a secondary review by HITRUST themselves to confirm the assessor’s work.
Another big difference is HITRUST requires policies and procedures to be written for every single control and scope for the assessment. And while SOC 2 may have some policy and procedure-focused controls, it’s more focused on the implementation of controls versus that documentation through policies and procedures. So that’s one big key piece that makes SOC 2 a lot easier because there’s just a lot less documentation required.
The SOC 2 attestation, like we said, it must involve an audit by a CPA firm and focuses on your adherence to those trust service criteria over a set period. Like you said, typically, most often you’ll see it be a full year, but you can see three months, six months, even one month, but I wouldn’t recommend that.
HITRUST typically covers the previous 90 days for implementation of controls, with the exception of like quarterly or annual controls. And then the certification itself is good for two years with a quick review of a subset of controls after the first year.
And like we said, SOC 2 can cover any timeframe the company wishes, but you’ll typically see it cover just a year.
And then you mentioned it before too, SOC 2 allows for a Type 1 or a Type 2 report. The Type 1 is a quick and easy way to show clients that you’re making progress towards a Type 2, as the Type 1 simply covers the design of the controls and doesn’t actually include testing of the implementation of those controls. So you’re simply writing the controls and making sure they meet those trust services criteria.
And then the Type 2 is where the audit firm will actually confirm that those controls are in place by testing them.
HITRUST does allow for a readiness assessment to help your company be familiar with the required controls, which involves a quick run through of evidence, but HITRUST doesn’t provide a report like the SOC 2 Type 1 that can be shared with clients and customers. Your assessor firm might, but SOC 2 or HITRUST does not.
So also cost and time. HITRUST, because of these nuances that we talked about, could be more expensive and time consuming because it’s more comprehensive. And also HITRUST dictates what controls the company must meet, depending on the size and nature of the company. There are some scoping questions that go into creating a HITRUST assessment, and then HITRUST, their HITRUST CSF, spits out what kind of controls you specifically have to meet.
And SOC 2 may be a little bit more cost effective and quicker, especially if your company is already familiar with AICPA standards, mostly because companies are able to write their own controls to meet those trust services criteria. Of course, your CPA firm has to agree with you that your controls are meeting those criteria, but it makes it a little bit easier to achieve because you can meet those criteria in many different ways that are specific to your company. So you don’t have to just do it exactly how like HITRUST is dictating sort of.
The last thing is market recognition. So both certifications are respected, but they excel in different areas. So HITRUST is particularly valued in regulated industries, especially health care and health care insurance companies and stuff like that. And SOC 2 is then well regarded in the tech and service sectors more often.
Jordan Eisner: That was quick and thorough, and I should have expected it coming from you, Brooke. No, that was good.
Another idea that popped into my head too is a lot of organizations, I was going to say, when in doubt, do both. It’s going to depend on external drivers and whatnot, but you’ve heard of the HITRUST plus SOC 2, and organizations ask about that. I know we, I think, caution them to treat these as separate instances, but you could theoretically do both simultaneously.
Brooke Gardner: Yeah, there is a SOC 2 plus HITRUST. It’s essentially a HITRUST assessment in a SOC 2 document. So I’ve seen it done very few times. It just makes the SOC 2 process a little bit more complicated than it has to be. But then it makes it a lot easier to get both at one time, you know, because you can then have the same audit firm conduct both assessments simultaneously and then you can have both reports be done at the same time.
So it has some benefits, but it’s not something I typically recommend for companies to do.
Jordan Eisner: That seems to be what I’ve seen. What’s the largest number of controls used in a HITRUST audit?
Brooke Gardner: Oh, boy. Six hundred and something. Six. I’ve seen over six hundred. But, you know, giant companies, you know.
Jordan Eisner: Yeah. But they can get even bigger than that, I’ve heard, I mean, if somebody is really, really ambitious. That’s a lot of controls.
Brooke Gardner: Yes, that is definitely a lot. Yeah.
Jordan Eisner: Well, Brooke, appreciate your time. I do. I mean, when I said I think this was very thorough, a lot of information packed a punch in a small period of time. So this can be good content for our listeners and our watchers. If you have further questions on all this information that was just provided as part of this podcast, please don’t hesitate to reach out to CompliancePoint.
You can find us online. Compliancepoint.com. You can email in at connect@Compliancepoint.com.
Brooke and I are both available on LinkedIn. Happy to answer questions that way and start a conversation.
So until next time, thanks, everybody. Thanks, Brooke.