Automating your SOC 2? Here are 4 frequently asked questions in healthtech

Today, rigorous security requires automation for speed and scale. And in the compliance world, automation is making it more feasible than ever to track controls continuously and centralize complex security processes.
As industries like healthtech face funding challenges and budget constraints, more organizations are introducing automation through governance, risk management and compliance (GRC) tools that map, monitor and collect evidence for the controls required for SOC 2 reporting. These ready-to-go compliance tools promise a cost-effective path to meeting client and contractual requirements.
While an automated “out-of-the-box” solution sounds good on the surface, misinformation abounds when it comes to what organizations truly need for SOC 2 compliance. So, let’s set the record straight.
Here are some frequently asked questions about SOC 2 automation that clients have been bringing to our team at Wipfli:
Q: I’m considering a pre-packaged SOC 2 offering. What should I expect?
A: A GRC tool can be a useful security companion for organizations with limited compliance resources or complex environments, systems and services. Depending on how it is configured and integrated, the tool pulls data from the IT environment (cloud accounts, identity providers, endpoint management and source control, for example) to run checks across an established set of control categories, from firewall rules to authentication settings. It then consolidates the evidence and flags gaps or anomalies, replacing much of the manual evidence collection.
Ultimately, an automated GRC tool is like a starter kit. It gives organizations a quick compliance snapshot that they can use internally as a guide and to satisfy clients who want a basic level of security assurance.
Here’s where it can get confusing: It’s common to assume that these reporting tools provide an official SOC 2 stamp of approval, but they do not, by design. A SOC 2 report is an attestation, not a certification, and only an independent CPA firm licensed to perform attestation engagements under AICPA standards can issue one.
Q: Don’t these out-of-the-box tools make formal reviews easier for SOC 2 auditors?
A: Yes and no.
Imagine this scenario: A healthtech company that provides software to providers and insurance companies must demonstrate security controls to clients via a SOC 2 report. The company needs to act quickly before it’s time to renew an upcoming contract, so leadership decides to use an out-of-the-box tool that promises to automate the service. When it’s time for the formal report, the company provides an official auditor with access to the tool and its findings.
Yes, the auditor gets a handy snapshot of high-level operational controls, with clear indicators to mark areas that need further risk management. But here’s what they can’t see without going far beyond reviewing dashboards and exported reports:
- Whether the tool was configured correctly across all appropriate systems
- Whether the evidence is relevant for health industry requirements
- What underlying evidence and reasoning produced the high-level snapshot
So, while the automated tools are certainly helpful, the auditor needs a deeper level of information to test whether the controls actually operate as described and to independently attest to them.
Q: What are some of the specific SOC 2 audit risks in the health industry?
A: Anytime protected health information is involved, compliance is more complex and subject to closer inspection by regulators. A SOC 2 report that is overly generic or hard to validate is unlikely to satisfy the Office for Civil Rights (OCR) if it opens an audit or investigation after a data breach.
We understand there can be benefits for healthtech companies — especially those in growth mode — to automate the compliance process for efficiency and cost savings. But with the prospect of OCR fines and penalties (not to mention the erosion of client trust and reputation after a breach), it’s not worth sacrificing audit quality for a quick fix.
Ultimately, SOC 2 reports need to withstand scrutiny against the standards set by the American Institute of Certified Public Accountants (AICPA). And for healthtech companies specifically, a SOC 2 report is often one requirement of many: Customers may require them to layer different security frameworks and reports to demonstrate compliance with HITRUST, HIPAA and more.
Q: How does a more individualized SOC 2 audit fill in the gaps?
A: GRC tools and other automation-driven audit solutions are often useful to get smaller and midsized organizations into compliance shape (it’s like signing up for your first gym membership). With proper configuration, these tools can help introduce a basic structure for policies and procedures and can monitor IT systems for high-level security gaps.
But regulators and educated customers require organizations to demonstrate that security controls are valid and functioning, and there is no such thing as a carbon-copy data environment. Just as every person needs a unique workout routine to stay healthy and fit, every company needs a set of controls tailored to its own environment.
At Wipfli, we individualize audit services and can also augment automation tools with:
- Evidence inspection and validation.
- Customized controls based on your unique environment.
- Independent AICPA attestation.
Most companies recognize that SOC 2 reporting helps satisfy basic customer requirements and qualify for future contracts. But it’s important to remember that these audits are more than a logo on the website or a simple check-the-box activity in a proposal response. For organizations responsible for the protection of sensitive health information, rigorous compliance builds a strong culture of security — with critical controls in place to keep growing with confidence over the long term.
How Wipfli can help
Get in touch to learn about our SOC 2 auditing services, HIPAA security risk assessment, tax and financial services, data and analytics integration — along with our change management capabilities that help healthtech companies roll out new strategies across people, processes and technology.