In December 2022, IMO Health completed its SOC 2 Type 2 + HIPAA attestation. While these acronyms might not be the ones that appear most frequently here on Ideas, they’re of huge importance to the company overall. So, what’s all the buzz about?
SOC 2
SOC 2 is a voluntary compliance standard for service organizations. Developed by the American Institute of CPAs (AICPA), it sets out criteria for how an organization should manage customer data. A SOC 2 engagement produces an independent auditor’s report on the controls a company uses to safeguard that data; a Type 2 report additionally covers how effectively those controls operated over the review period, rather than only how they were designed at a point in time.
IMO Health’s SOC 2 is evaluated against the following four* AICPA trust services criteria:
- Security: Maintaining a secure environment by conducting employee background checks, requiring multi-factor authentication, and limiting access according to the principle of least privilege
- Confidentiality: Protecting our own and our customers’ confidential information, including protected health information (PHI), by limiting access and by providing role-based training on the responsibilities that come with handling such data
- Availability: Building and configuring our infrastructure so that our systems remain available to our customers and employees
- Processing Integrity: Defining and developing our software so that a search term returns the expected terminology results
HIPAA
HIPAA compliance is a living culture that organizations must build into their business in order to protect the confidentiality, security, and integrity of PHI. While IMO Health is not a healthcare organization, we are considered a business associate – an entity that performs functions or activities on behalf of, or provides certain services to, a covered entity (such as a healthcare provider) that involve the use or disclosure of PHI. Therefore, we undergo an annual external HIPAA assessment to confirm that we are meeting those requirements.
Today we limit and de-identify potential PHI as part of our transactional workflow within our products. As our solutions evolve, they may require increased consumption of confidential information like PHI for analytical purposes in order to help us best serve our customers.
Value to IMO Health
Organizations are not required to obtain a SOC 2 + HIPAA attestation report, but we recognize its importance to our customers and prospects. In fact, the reports are almost always requested as part of customers’ own security and risk assessments – and rightfully so. We can describe our processes and policies to customers, but a description alone does not demonstrate that we actually do what we say we do.
In that vein, we expect our customers to employ a “trust but verify” approach when assessing us as a vendor. Because a SOC 2 + HIPAA engagement is conducted by an independent third-party auditor, securing this report provides independent assurance about how IMO Health operates during the design, development, and release of products that may contain their confidential information.
As an organization, we take pride in proactively prioritizing data security – even when we don’t have to. The controls and policies the auditor assesses against the AICPA criteria are designed to ensure that neither we nor our customers are exposed to risks such as data theft, breaches, or leaks; malware and ransomware attacks; and the reputational damage that follows such losses. Loss of trust, for any reason, deals a major blow to an organization – and it’s even worse when it happens to be tied to avoidable cyber security events.
“Loss of trust, for any reason, deals a major blow to an organization – and it’s even worse when it happens to be tied to avoidable cyber security events.”
– Lori Kevin, VP Enterprise IT and Security
Ongoing efforts
SOC 2 + HIPAA, and security in general, is an enterprise-wide effort at IMO Health. Our Information Security team works closely with all departments to advise on best practices, best-in-class security technologies, attestation requirements, and security training and awareness. To secure the SOC 2 attestation, IMO Health’s auditors engaged representatives across HR, Enterprise IT, Software Engineering, and Legal and Compliance Services. Team members were interviewed and described the details of our processes and operational activities, including:
- Conducting background checks on potential employees as part of our hiring process
- Requiring security training upon hiring and annually thereafter
- Assessing potential risk by thoroughly evaluating prospective vendors through our vendor management program
- Monitoring and responding to anomalous access to our infrastructure with the help of our third-party Security Operations Center (SOC)
- Developing our software securely and scanning it for vulnerabilities that could impact our business objectives
- Providing our customers and vendors with a secure channel for reporting incidents, with an appropriate and timely response to each report
- Continuously assessing risk through our risk management program: reviewing and evaluating the risks in our risk register, then either applying appropriate controls to mitigate them or executing a remediation plan to address them
Want to learn more about the specifics of our security program? You can find them here.
*Privacy is the fifth AICPA trust services criterion, but it does not apply to IMO Health.