Yesterday we announced our SOC 2 Type 2 Security Compliance Certification. As head of our analytics and customer success operations, I led the Laudio SOC 2 preparation and audit review process over the past year. In reflecting on what we learned, there were a couple of insights I wanted to share. They may be helpful in saving time for hospital CIOs who are on the other side of the table, vetting companies like ours for security and dependability.
SOC 2 Background
As a brief background, SOC 2 has five trust principles, of which the critical one is Security. Laudio completed two other trust principles that we deemed most important for our customers, Availability, and Confidentiality. Over a 3 month period, an independent auditor reviewed our adherence to the 100+ detailed controls that define our commitment to those 3 principles.
The security principle audited our processes and commitment to the protection of our system resources against unauthorized access, potential system abuse, and improper alteration or disclosure of information. The availability principle audited our ability to meet our service level agreements for performance levels, system availability, data backups, and redundant/failover systems. The confidentiality principle audited our ability to secure protected and sensitive data, including encryption during transmission, firewalls, rigorous access controls, and processes to safeguard information.
Idea 1: Let SOC 2 Do the Technology Review Work for You
As a vendor to hospitals, we often have to complete a lengthy due diligence form provided to us by the CIO and their team. The larger the health system, the more detailed the questionnaire. It’s often a complex document because the range of types of vendors that CIOs have to vet is quite wide: from physical devices for communication to onsite data warehouse solutions to applications like ours that live entirely off-premise in the cloud.
Therefore these questionnaires have multiple sections depending on if the solution requires on-premise software installations, on-premise database usage, access to local data warehouses, physical devices, and similar. Such questionnaires are needed to better understand the type of solution and the resources it will need – but let SOC 2 do the work in determining if the solution meets security and reliability thresholds. These diligence forms are often crowded with questions such as “will the solution comply with our password requirements?” and “is the data encrypted at rest?” All valid inquiries, but a CIO can’t audit the answers and the answers are often complicated anyway. Does a solution that uses Single Sign-On need to comply separately to local password requirements? The forms can only gauge the surface of true security due to the range of solutions they have to cover.
I propose instead that these forms start with opening questions: “Are you SOC 2 compliant?”, “Are you on the path to SOC 2 compliance?”, “When was your last audit?”, “When is your next scheduled audit?”, and “What are the trust principles that you cover in your SOC 2 certification?”. If the answers are yes and complete to these, then allow the vendor (and the health system CIO) to take a shortcut and skip many of the questions in the form.
Idea 2: Focus on Adding a “Who is Responsible For What” Questionnaire
In our experience, one thing that leading health systems are starting to do is add a new simple questionnaire to the mix: a RACI-style page that will guide implementation and ongoing governance.
Completed with representatives from both our team, the hospital system’s IT team, and the ultimate users, it is a simple form, ideally one page long. The questions addressed are simple: for each area of responsibility, who is responsible?
During implementation, who is responsible for issue management, testing, training materials, and internal communication? During the ongoing phase, who is responsible for documenting and prioritizing feature or scope expansion, 24/7 issue management, escalated issue management, and contract management?
The amount of time a simple agreement upfront can save in a health system can be considerable, especially in cases where a centralized IT team is supporting multiple groups of users with multiple products that have multi-year contracts.