As a healthcare company that stores, consolidates and transports patient data, we are subject to both state and federal mandates around security and privacy. One way of demonstrating our commitment to protecting this information is to obtain what is known as a SOC, or Service Organization Control, report. These come in many flavors, but perhaps the most commonly obtained is the SOC 2, which “Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy”.
SOC 2 reports come in two flavors: the Type 1, where you state the controls you have in place, and the Type 2, where an external audit firm assesses your compliance with those controls. Most organizations are encouraged to obtain a SOC 2 Type 1 first and then move on to the harder Type 2. At eHealth Technologies, we decided to go straight for the Type 2 because we believed we could leapfrog the Type 1. In retrospect this was a pretty brave move that worked out for us thanks to careful preparation.
So, what are the three magic lessons we learned that might help you out if you are going for a SOC 2 Type 2?
Prepare staff who will be audited
The first and most important lesson is to get the staff who may be audited thoroughly trained in audit procedures. At eHealth Technologies we did this in two stages. First, we had our core SOC 2 team attend a local medical device audit preparation course taught out of Buffalo, New York. While not oriented towards the SOC itself, this course taught how to deal with the FDA and other federal agencies. Much of the training dealt with what to say and how to answer questions with the minimum amount of correct information.
The second stage of training was taught one on one by a local consultant who had been in a senior compliance role at a local payer organization. She honed the general training down to a fine edge and prepared our key audit personnel so that they would be ready for any questions that were likely to come their way.
Say what you do
Repeat after me: have your policies and procedures defined, ready to go, and in a repository for easy access. Well-defined policies and staff who are trained in them are key to success.
At eHealth Technologies, we maintain a library of over one hundred procedures and policies using a service called Qualio that allows us to easily write, maintain, and train our staff on controlled documents. We can produce an up-to-date training matrix showing who was trained in a matter of moments, and can easily generate uncontrolled copies of any document in our system and supply them to the auditors.
Do what you say
Keep good records to prove that you follow your policies, procedures and work instructions. Auditors will be doing spot checks of this material to ensure that you have everything in place, so don’t skimp here. For example, if you claim to do security reviews of your log files each morning (which you should), then expect the auditor to ask for records covering a period of time, and expect them to check each record thoroughly.
Building a culture of “doing what you say” typically involves creating your own internal audit program and routinely cycling through your policies and procedures to ensure they are being followed. Do your policies require an annual exercise of your disaster recovery (DR) plan? Then bite the bullet and get it done!
Obtaining a SOC 2 Type 2 at eHealth Technologies was a relatively straightforward exercise because we went to so much trouble to prepare ourselves up front. If you pay attention to the three lessons above, I’m sure you will be successful as well!