SOC 2 + HITRUST: Evolving infosec demands in healthcare

Two-thirds of business associates are not fully prepared to meet the growing marketplace demands regarding controls for protecting healthcare information, such as patient records, according to a survey conducted by KPMG.


“An increasing number of healthcare organizations are requiring their vendors to demonstrate controls for securing PHI (protected health information) to manage their cyber and regulatory risks, especially since healthcare information is a rich target for hackers,” said Emily Frolick, third-party risk and assurance leader for KPMG’s Healthcare practice. “These vendors are able to accomplish this through a SOC 2 + HITRUST CSF examination or a HITRUST CSF Certification, both of which enable vendors to communicate their good faith effort to protect patient information.”

“Neither is mandatory under current law, but the marketplace wants to reduce risks tied to cybersecurity with third-party assurances concerning their data protection efforts,” Frolick added.

In a survey of 604 professionals during a KPMG webcast targeting vendors to the healthcare industry, half of those surveyed were “not ready” and 17.4 percent were in planning stages for a HITRUST (the Health Information Trust Alliance) CSF assessment – an internal control-based approach that allows organizations to proactively assess and demonstrate the measures they have taken to protect healthcare information.


The HITRUST CSF is a privacy and security framework for organizations who create, maintain, transmit or receive PHI to assess the level of readiness and soundness of their control environment. The framework, in conjunction with SOC 2, a report to examine controls at a service organization developed by the American Institute of Certified Public Accountants (AICPA), is also used by third-party assessors, such as KPMG, to review security controls.

7 percent HITRUST ready

Regarding the progress that organizations have made to address HITRUST CSF requirements, only 7 percent said they are completely ready and 8 percent described their organization as “well along implementation.” The remainder (17.4 percent) were in early stages of implementation.

When asked about staffing capabilities to meet this standard, 47 percent responded that they did not have the “right staff with the right level of skills to execute against the HITRUST CSF.” The survey found 53 percent did. Respondents found that staffing (15 percent) was the biggest barrier to HITRUST CSF readiness, finishing ahead of cultural, technological, and financial concerns. More than a quarter (27 percent) pointed to all of those factors and 23 percent said “none of the above” were barriers.

Don't miss