Healthcare providers are increasingly adopting SaaS (software-as-a-service) models because doing so frees up capital, requires less up-front spending, and shifts routine “break-fix” work from their IT team to their software vendor. When it comes to healthcare, HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is at the top of the jargon list, typically linked to words like “compliant” or “certified.” However, there is no such thing as HIPAA-certified software, and being “compliant” does not mean an organization is as secure as it needs to be. While HIPAA is the name everyone knows, it is only part of the story regarding health information security and cyber defense.
Some Background on SOC and SOC Compliance
SOC 2®, or SOC for Service Organizations, was developed by the American Institute of CPAs (AICPA) as a means to report on the measures taken to ensure security, availability, processing integrity, confidentiality, and privacy. When a business, cloud provider, or SaaS solution is certified as SOC 2 compliant, it means an independent auditor has conducted an extensive examination of their policies, processes, and evidence of compliance. The auditor then issues a written opinion stating the subject has adequate controls in place for the scope of the service they provide.
When a data center says it is SOC 2 compliant, the claim relates to physical and environmental controls, like requiring two- or three-factor authentication to enter the data center or providing redundant cooling, power, and internet pathways. The same is true for a cloud hosting provider such as Amazon Web Services (AWS) or Microsoft Azure. They are SOC 2 certified with respect to the processes they adhere to in delivering their cloud services. However, running a SaaS solution in a SOC 2 certified environment does not make the SaaS solution itself SOC 2 compliant.
The Responsibilities Customers Have
Whether as a sales tactic or through ignorance, some healthcare software vendors imply that their software is secure by running in a SOC 2 certified environment. However, there is much more to it than that. The SaaS solution provider must also go through the same rigorous, independent review to ensure all of their policies, processes, and procedures are in place and followed at the appropriate level before the solution can be called SOC 2 compliant.
As a customer, it is not just essential to have confidence in where the SaaS solution is being run; it is critically important to be confident in how it is managed and delivered. Security and privacy in healthcare are very black-and-white issues, and an organization never wants to find themselves in a gray area when facing a HIPAA audit.
Lightbeam made the strategic decision and investment early on to ensure its SaaS-based population health platform is fully SOC 2 compliant. Currently, Lightbeam holds SOC 2 Type 2 certification, with the new 2020 report available for clients to review. Lightbeam’s solutions are also hosted in datacenter and cloud environments that are themselves SOC 2 certified. Lightbeam knows this gives customers the end-to-end assurance that their security, availability, processing integrity, confidentiality, and privacy are being rigorously managed.
It is vital to have a SaaS provider that shares the organization’s goals for how technology, data analysis, and data management support delivering high-quality healthcare while enhancing the patient experience. For more information about Lightbeam’s credentials and SOC 2 Type 2 certification as a population health management vendor, please feel free to email me at firstname.lastname@example.org.
Russ Smith is Lightbeam’s Vice President of Infrastructure & Security