If you represent a hospital or practice that works with outside revenue cycle management vendors, you will want to make sure they have their SOCs — or be prepared for the blisters that could ensue.
The unfortunate reality is that cyber-attacks are increasing at an alarming rate. According to a Wall Street Journal article, Nebraska-based Great Plains Health saw the number of attempts to access their servers triple this past year, sometimes having to block 70,000 attempts in just one day.
A recent security breach at a Texas health system exposed information for 640,436 patients, including names and social security numbers.
Cybercriminals exploit any vulnerability within a health system and the companies they engage with to obtain personal information and leverage the data for payment. A recent data breach with health systems in Florida and Texas exposed thousands of patient records after an attempt to extort money from the hospitals.
Even if healthcare providers are taking significant precautions, their security is only as strong as their weakest link. So, how can providers be sure their partners are handling their data securely? Every revenue cycle management vendor is different, which makes SOC certifications an excellent starting point to assess their IT protocols.
An ounce of prevention is worth a pound of cure
System and Organization Controls (SOC) include a series of reports that are created after an in-depth audit from a third-party certified public accountant. There are three different levels of SOC audits, but for hospitals and health systems working with vendors for revenue-cycle services, SOC 2 carries the most importance.
According to the American Institute of CPAs (AICPA), the oversight organization for SOC services, SOC 2 reports provide detailed information about a service organization’s security, availability, process integrity and privacy of information.
The purpose of a SOC 2 certification is to make sure the IT infrastructure and processes used to manage data are secure and dependable. If the IT department is the kitchen of your favorite diner, then SOC 2 is the health inspector there to make sure food is not expired and mice are kept outside.
The best part is that this extra layer of security should come at no cost to the provider. A certified vendor will have already covered the expense of the third-party SOC audit, so healthcare providers don’t have to spend time and money digging into the security measures of a potential partner. Instead, a thorough report will be available for providers to review, and use to determine any follow up questions.
Dealing with the consequences of a data breach can cost millions of dollars and pose significant risks for your patients. Requiring a SOC audit may not be on the top of every healthcare professional’s mind, but this extra measure can go a long way in preventing devastating security breaches for hospitals and their patients.
What SOC 2 says about a company
A SOC 2 certification can indicate more about a company than meets the eye. The report itself shows that a company has a tested system to protect private information while carrying out necessary processes.
But it also means an organization cares about the integrity of the data with which they have been entrusted. A SOC audit is not cheap, or easy, which is why many revenue cycle management companies have yet to complete the process. By asking vendors if they are SOC certified, you are asking about their IT processes, but you are gaining insight about their company as a whole and what they value.
The revenue cycle management industry is a quickly changing world with companies being bought and sold on a regular basis. A SOC 2 certification shows that a revenue cycle management vendor has been around long enough to develop sound security measures and put them to the test.
So, should healthcare providers require their vendors to be SOC certified? In a world where cyber-attacks and ransomware are constantly trying to breach hospital systems, the real question is: why would providers ever want to work with anyone who is not?