Security in healthtech: How to avoid compliance chaos with audit stacking

Cybersecurity is a moving target for the healthtech industry. Last year, there was a 264% rise in ransomware attacks, and the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) responded with enforcement actions against organizations lacking proper security and compliance protocols.
There are no indications that the wave of system breaches to access sensitive patient data will slow down. Consider a few trends that will continue to create complexity in today’s security landscape:
- AI is sharpening as a double-edged sword: While AI is making it easier to deploy continuous and effective data security, it is simultaneously helping threat actors launch sophisticated attacks at scale.
- The enterprise attack surface is expanding: As the universe of medical IoT devices expands, so will the attack surface for bad actors to exploit vulnerabilities and find new points of entry.
- Telehealth is complicating data compliance: Providers working across states need to navigate both federal and state privacy laws and work harder to avoid unauthorized data tracking or sharing.
As these dynamics play out, companies that sell technology services, solutions and devices to primary holders of health information need to deliberately adopt security frameworks that cover their obligations. For most organizations that handle health data, that means pursuing a multi-framework approach, stacking audits such as HITRUST, SOC 2 and others, to go beyond the letter of HIPAA toward proactive, ongoing compliance.
But every organization needs to address different security requirements — and it’s not always easy to navigate big-picture compliance. Read on to discover how to think intentionally about audit stacking, and ways that healthtech organizations can get ahead of the complexity involved in layering multiple frameworks.
From certifications to reports: What’s in the stack?
As international, federal and state-level enforcement intensifies, a few major frameworks are often required or strongly recommended for healthtech companies to demonstrate robust security practices to customers and stakeholders, and potentially to regulators, auditors and governing bodies. Each framework brings something unique to an enterprise, but areas of overlap can create complexity and confusion for organizations putting the pieces together.
Here’s a quick breakdown of a few common components in a multi-audit stack:
| Component | What it is | Why it matters |
|---|---|---|
| HITRUST | HITRUST is a cybersecurity framework for managing information security and privacy risks. Certification involves a rigorous process that addresses comprehensive security controls and data privacy measures across multiple HITRUST domains. | It is a control framework that quantifies an organization's effectiveness in security practices. Because it covers a lot of ground, many organizations use HITRUST as a "framework of frameworks" to address requirements from other audits. |
| SOC 2 | SOC 2 reports, developed by the AICPA, are intended to meet the needs of users who require information and assurance about the security controls at a service organization. Organizations engage an independent auditor and choose trust services criteria: security (always included), confidentiality, privacy, availability or processing integrity. | It is a reporting framework that helps audit whether controls are properly designed and operating effectively. Organizations that do not need HITRUST certification but want to align with it can get a "plus" report (SOC 2 + HITRUST). |
| HIPAA security risk assessment | HIPAA security risk analyses are internal assessments required by the HIPAA Security Rule for U.S. covered entities and business associates. They are performed periodically (annually in common practice), must be documented so they can be produced for OCR on request and shared with leadership, and typically result in a security improvement worklist. | It is an assessment that helps identify areas of risk and the actions needed to mitigate them. The results are typically for internal use only, but HIPAA compliance can be factored into HITRUST or SOC 2 "plus" reports. |
| GDPR compliance | GDPR is an EU law requiring privacy controls for any organization that processes personal data of individuals in the EU, regardless of where the organization is located. Compliance is ongoing and is demonstrated through documentation, governance and internal policies. Noncompliance can lead to fines. | It is a law that applies across industries and data types. There is no GDPR certification, but ISO/IEC 27701 can show alignment. GDPR can also be included in HITRUST or SOC 2 "plus" reports. |
Challenges in audit stacking for healthtech companies
A multi-framework security compliance approach is a journey, and not a check-the-box process. Along the way, it’s common to encounter a few pain points at various levels of the audit stack.
For healthtech companies that may have limited compliance resources — such as startups and mid-sized SaaS providers — these pain points often boil down to efficiency. Here are three challenges that can be avoided with a well-defined enterprise strategy for audit stacking.
Challenge No. 1: Streamlining the audit cycle (so there isn’t constant chaos)
Multiple audits can easily overwhelm information security and IT staff that might already be at capacity. What are these teams up against? Multiple times a year, they might be gathering evidence, preparing for audits and responding to findings — not to mention trying to keep up with constant regulatory changes and addressing customer inquiries on their information security program.
Here’s what helps:
- Coordinating renewal dates and audit periods across audits
- Establishing annual or quarterly compliance seasons (e.g., Q3 is “audit prep”)
- Staggering audits to avoid disruption and to create efficiency
Challenge No. 2: Removing unnecessary duplication (so you’re not reinventing every wheel)
Each security audit has different terminology, evidence formats, scoping and cycles — but there is still notable overlap across requirements and standards. While some duplication is healthy for comprehensive security, healthtech companies don’t have time or resources to re-produce the same reports, scans or policies for multiple audits.
Here’s what helps:
- Identifying which controls and evidence can be collected once and then scaled across multiple audits
- Building a central control library that can feed HITRUST, SOC 2, HIPAA and more
- Automating repeatable compliance tasks or ongoing evidence collection with data platforms and AI
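One concrete form a "central control library" can take is a crosswalk: each internal control lists the evidence that proves it and the framework requirements it satisfies, so evidence is requested once and reused across audits, and controls with no mapping to an in-scope framework surface as crosswalk gaps to confirm before fieldwork. The following is an added example, not Wipfli's tooling or code from the original article. The control IDs (CTL-01 and so on), the evidence artifact names and the framework references are constructed sample data; the references are illustrative, not an authoritative HITRUST, SOC 2 or HIPAA crosswalk.

```python
"""Control crosswalk: collect evidence once, reuse it across stacked audits.

Added example. CONTROL_LIBRARY is constructed sample data with hypothetical
internal control IDs; the framework references are illustrative only and are
not an authoritative crosswalk for any framework.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Control:
    control_id: str   # hypothetical internal ID, not a framework's own ID
    title: str
    evidence: tuple   # artifacts that show the control operates
    maps_to: dict     # framework name -> tuple of requirement references


# Constructed sample library (illustrative mappings, not an authoritative crosswalk).
CONTROL_LIBRARY = [
    Control("CTL-01", "Unique user IDs and role-based access to PHI systems",
            ("IAM role export", "quarterly access review sign-off"),
            {"SOC 2": ("CC6.1",), "HIPAA": ("164.312(a)(1)",),
             "HITRUST": ("Access Control",)}),
    Control("CTL-02", "Encryption of PHI at rest and in transit",
            ("KMS key policy", "TLS configuration scan"),
            {"SOC 2": ("CC6.1", "CC6.7"),
             "HIPAA": ("164.312(a)(2)(iv)", "164.312(e)(2)(ii)"),
             "HITRUST": ("Data Protection & Privacy",)}),
    Control("CTL-03", "Centralized audit logging and alerting",
            ("SIEM retention policy", "sample alert tickets"),
            {"SOC 2": ("CC7.2",), "HIPAA": ("164.312(b)",),
             "HITRUST": ("Audit Logging & Monitoring",)}),
    Control("CTL-04", "Periodic security risk analysis",
            ("risk register", "remediation worklist"),
            {"HIPAA": ("164.308(a)(1)(ii)(A)",), "HITRUST": ("Risk Management",)}),
    Control("CTL-05", "Data subject request handling",
            ("DSAR procedure", "request log"),
            {"GDPR": ("Art. 15-17",)}),
]


def evidence_reuse(library):
    """Map each evidence artifact to the frameworks it satisfies.

    Artifacts that serve more than one framework are the "collect once, scale
    across audits" wins; single-framework artifacts are audit-specific work.
    """
    reuse = defaultdict(set)
    for control in library:
        for artifact in control.evidence:
            reuse[artifact].update(control.maps_to)
    return {artifact: sorted(frameworks) for artifact, frameworks in reuse.items()}


def evidence_request_list(library, frameworks):
    """Deduplicated evidence list for an audit season covering `frameworks`.

    Returns artifact -> sorted control IDs it supports, so IT receives one
    request per artifact rather than one request per audit.
    """
    wanted = defaultdict(set)
    for control in library:
        if any(framework in control.maps_to for framework in frameworks):
            for artifact in control.evidence:
                wanted[artifact].add(control.control_id)
    return {artifact: sorted(ids) for artifact, ids in sorted(wanted.items())}


def unmapped_controls(library, framework):
    """Controls with no mapping to `framework`.

    Each is either genuinely out of scope for that audit or a hole in the
    crosswalk; someone must decide which before fieldwork starts.
    """
    return [c.control_id for c in library if framework not in c.maps_to]


def coverage(library, framework):
    """Requirement references in `framework` that at least one control claims."""
    refs = set()
    for control in library:
        refs.update(control.maps_to.get(framework, ()))
    return sorted(refs)


if __name__ == "__main__":
    for artifact, frameworks in evidence_reuse(CONTROL_LIBRARY).items():
        print(f"{artifact:35} -> {', '.join(frameworks)}")
    print("Unmapped for SOC 2:", unmapped_controls(CONTROL_LIBRARY, "SOC 2"))
    print("HIPAA refs covered:", coverage(CONTROL_LIBRARY, "HIPAA"))
```

In practice the library lives in a GRC tool or a version-controlled YAML file rather than a Python list, but the three questions it answers are the same: which artifacts pay off across several audits, what the single consolidated evidence request for a given season looks like, and which controls lack a mapping and need a decision.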
Challenge No. 3: Clarifying governance and sponsorship (so there’s real accountability)
A multi-framework approach to compliance requires cooperation across teams spanning legal, IT, HR, operations and more. Without executive sponsorship, healthtech organizations may end up with patchwork compliance. But security in healthcare is about more than protecting data; it is about safeguarding patient safety and well-being, so patchwork security is not enough.
Here’s what helps:
- Framing compliance as a growth strategy, not just a check-the-box IT effort
- Defining roles and accountabilities, from collecting evidence (e.g., IT) to training employees to comply with new policies (e.g., HR)
- Setting up a governance body to help ensure audits are deliberate and coordinated across the larger compliance stack
Embracing audits as a competitive differentiator
PHI is one of the most valuable types of data on the dark web. So, it’s no surprise that hospitals, insurers and enterprise health systems often demand multiple audits before contracting with a healthtech vendor — and regulators are raising the stakes for multilayered security.
While meaningful compliance requires investment, these security frameworks can also be growth enablers — shortening sales cycles, unlocking partnerships and encouraging investor confidence.
How Wipfli can help
As a trusted auditor and advisor that helps clients manage across the whole audit stack, Wipfli helps you position proactive compliance as a competitive differentiator. We turn a chaotic process into what we call a “one audit experience” for a manageable, efficient and strategic compliance journey.
For a unified approach, our team helps you:
- Decide which audits to prioritize based on goals and expected value.
- Map out all audits to cut duplicative efforts or unnecessary costs.
- Spot gaps between audits to reinforce with additional security practices.
- Oversee documentation and audit readiness to avoid rework.
- Stay updated to help ensure that regulatory changes are addressed before they cause audit issues.
Get in touch to learn about our many services, including SOC 2, HITRUST, HIPAA security risk assessments, tax and financial services, data and analytics integration — along with our change management capabilities that help healthtech companies roll out new strategies across people, processes and technology.