In the health care landscape these days, security and data protection concerns are as common as thermometers and stethoscopes. As a health care technology company, data protection can’t just be on our “to do” list. It has to be in our company DNA. If it wasn’t, we’d never close a deal, and our potential clients - medical practices of all sizes - would run screaming in the opposite direction. And, we wouldn’t blame them!
At pMD, security has always been at the core of what we do. In fact, our original infrastructure was predicated on the highest security standards established at the time - those of the financial industry. In our daily work lives, we understand the privilege of handling a person’s Protected Health Information (PHI) and demand a high level of respect and care from every team member. I often find myself hypothesizing, “What if this were my mother’s health information? How would I want it to be handled?” So, when a large potential customer asked us to perform an annual third party audit by an AICPA accredited firm, I gave an enthusiastic “yes!” To be completely honest, I had no idea what an audit really entailed. But I knew that doing so meant an unbiased third party would come in and gut check each of our decisions, while considering our specific business, goals, and culture. Yes, please!
So, here we are, almost two years after that initial audit request, with our first audit successfully completed, and our second one not far in the distance. What did we learn? Well, in a word ... lots. But here are a few big takeaways.
Audit standards vary.
Not all audits are the same, and the differences are largely driven by the standards used by the auditors. One of the most common groups of standards is the SOC standards. A SOC report provides an analysis of a service organization’s internal controls so that users can better understand the risks associated with sharing sensitive information with this external organization. There are three SOC reports - SOC 1, SOC 2 and SOC 3. Each one makes sense for different industries and company types. Then, within the reports themselves, there are different criteria. For example, within a SOC 2 report, there are criteria related to security, availability, processing integrity, confidentiality and privacy. At pMD, security was our top priority, and a SOC 2 audit made the most sense. So, we started with a SOC 2 covering the Security Trust Services Criteria, and will consider folding in new subject areas as we move forward.
There are also two different types of SOC reports, Type 1 and Type 2. That means a company could complete a Type 1 or Type 2 SOC 1, SOC 2, or SOC 3 audit. A Type 1 report assesses controls as of a point in time, whereas a Type 2 report assesses controls over a period of time, usually six to twelve months. For our first audit, we decided to complete a Type 1 and will build that effort into a Type 2 for our second audit.
In planning our audit, we also knew how important HIPAA compliance is to each and every one of our users. So, we also completed a HIPAA audit, where our auditor used the HIPAA requirements to assess whether our security controls are adequate to meet our HIPAA obligations. Knowing that security and HIPAA would be of the utmost importance to our customers, we prioritized both those sets of standards and hope to expand them in the future.
Be open, be honest, be organized.
In the months leading up to our audit, our team had quite a case of the jitters. It felt like someone was coming into our home, looking for dirt as they wiped a finger along each of our shelves. We knew we wanted the auditors to have a full view of what we were doing, but we were still nervous that our processes weren’t “good enough.” We handled these nerves by ensuring that we were as prepared as possible before our auditors arrived onsite, sending them all requested information well before they arrived at our office. We also made the conscious decision that this audit would only be helpful if we were up front and open about what our security processes really are. So, we were open and honest with our auditors, which brings me to our next point…
Let your auditors be collaborators.
Of course, an auditor inherently has to be objective and can’t advise a company on how to meet its security standards. But, at the same time, auditors have a wealth of experience and knowledge, and have seen hundreds of companies’ security configurations. So, if you’re working with a good audit firm, they’ll point out areas in which you could improve, and then offer various ways they’ve seen that security control addressed, including industry best practice. Auditors can offer invaluable insights, and this perspective really helped pMD maximize the value we received from completing our audit.
There’s no silver bullet.
Of course, completing an audit doesn’t mean that a company will never have a security problem - though I certainly wish it did! But what it does mean is that you can sleep better at night knowing that an objective third party finds your security systems reasonable. And, from a customer standpoint, it means you don’t have to simply trust us when we tell you that we prioritize your data’s security. The proof is in the pudding - the audit reports not only clearly outline our security protocols but, more importantly, the audit indicates a culture of security awareness. It’s proof that pMD is willing to invest a great deal of time and money to ensure that our security protocols are up to par. And that means that when you engage with pMD - a responsibility we don’t take lightly - you can sleep better at night, too.