HIPAA Survival Guide Newsletter August, 2020

Why SOC-2 will Derail your Cyber-Security Initiative

First, let me start with a question that most compliance officers (COs) will not get right, which is this: “How many security laws do we have in the U.S.?” Many will answer fifty (50) because each state has at least one. Others will “throw in” GLBA, FERPA, etc. The answer is one: the HIPAA Security Rule (HSR). What the states have are their own privacy and breach notification laws. GLBA and FERPA are for the most part privacy laws.
 
The HSR is the only U.S. law that describes the controls at some depth that must be implemented to comply with HIPAA. It is a kind of cyber-security 101 law. It provides a strong foundation for a cyber-security initiative but that is it. The HSR provides a solid platform to build upon. That said, most covered entities and business associates remain woefully non-compliant even with the basics of the HSR; and where they do comply it is mostly in an ad hoc and haphazard manner.
 
With that as a starting point, let us look at SOC-2’s Trust Services Principles (TSPs):
  1. Security: you must protect your systems/data from unauthorized access
  2. Availability: you must institute controls that ensure that your systems/data are accessible to customers and staff when they need them
  3. Confidentiality: you must protect the privacy of your personally identifiable information (PII) or your protected health information (PHI) by allowing access on a “need to know” basis
  4. Processing Integrity: you must ensure the integrity of the PII or PHI utilized by your organization
  5. Privacy: you must ensure that PII and PHI utilized by your organization are accessed, disclosed, and disposed of properly
 
For most COs the initial impression of the TSPs is that they look like “stuff” that is covered by the HSR or the HIPAA Privacy Rule (HPR); and they are absolutely correct in making this inference. Is SOC-2 law? No! It is a set of standards promulgated by the American Institute of CPAs (AICPA) with input from various consortia. We generally trust CPAs for taxes and for producing audited financial statements when required. But the elephant in the room concerning SOC-2 is “when did CPAs become qualified as cyber-security experts?” We wouldn’t let a CPA anywhere near our privacy or cyber-security initiative. Further, CPAs are not lawyers and therefore not qualified to give an opinion as to whether you are legally compliant with HIPAA.
 
Let’s get down and dirty with this argument. What does a typical SOC-2 audit cost? The anecdotal evidence, even for a small organization, is a one-time fee of $20K for the SOC-2 provider to understand your “as is” environment, and then about $30K a year to actually deliver the report (these numbers are at the low end for smaller customers); you pay the $30K year in and year out. Why so expensive? In part, because the AICPA has promulgated such a heavyweight legally burdened process that it takes a significant amount of everyone’s time, especially that of the senior management team, to figure out the deliverables. Further, this same heavyweight process controls the auditing of the deliverables as well.
 
From the perspective of the AICPA and its practitioners, it is a cleverly designed professional services revenue stream. However, in this article, we are more interested in the utility value that SOC-2 produces. What do you get at the end of the day? You get an electronic “piece of paper” with recommendations as to how to proceed. Mind you, the $30K a year does not include actual remediation costs; it is nothing more than a roadmap for how to proceed.
 
The fact of the matter is that if you have implemented your HIPAA Compliance Initiative (HCI) using the best practices that we (and others) recommend, you are already 95% compliant with SOC-2. There are several gotchas though: (1) most companies are barely crawling with their HCI; and (2) there is not a clear and concise mapping of SOC-2 to HIPAA. With Expresso we intend to deliver that mapping through a SOC-2 load module by Q4 2020. Although this may not prevent you from having to eat a SOC-2 implementation mandated by a large customer, it will give you ammunition to make the argument that you are mostly (assuming your HCI improves) compliant with SOC-2; and moreover, be better positioned to ask the question, What more would they like you to do?
 
Here is the money quote. “SOC-2 is a plan, it performs, zero, nada, zilch, by way of remediation.” The controls it generally recommends are those promulgated by the Center for Internet Security (CIS). SOC-2 does not have its own control set. It recommends control sets that are already de facto industry standards. So, you can't actually map SOC-2 at the level of a control (e.g. HIPAA implementation specification); you have to do the mapping through some intermediate set of controls (e.g. CIS).
 
The SOC-2 “value proposition” tends to work with the executive management team and with large organizations; because having an incomplete (or worse) HCI is a non-starter. The compliance organization in these large companies is in a weak position to challenge SOC-2 because the compliance department is in no position to clearly articulate what has already been accomplished to senior management (for smaller companies and startups things are even worse).
 
This is true even for companies that have invested in compliance software. Compliance software and related artifacts (policies and procedures, training, checklists, etc.) can dramatically reduce the time to implement a robust HCI, but there is no free lunch. The software may help with the heavy lifting, but it cannot replace boots on the ground driving the initiative.
 
Even if you are not required to comply with HIPAA, implementing the CIS Top Twenty Controls still gets you 95% home pursuant to SOC-2. There are only so many ways to skin the cat vis-à-vis launching a baseline cybersecurity initiative. There is a huge overlap between the HSR requisite controls and the CIS Controls. Most of the differences are “semantics.” Most SOC-2 reports end up recommending that you implement the CIS Controls. We just told you that well-kept secret and it didn’t cost you $50K. Ah, but the retort from SOC-2 folks is: yes, we often recommend the CIS Controls, but our real “value add” is setting up the appropriate “governance structure” for your organization.
 
What does this involve? Establishing roles, responsibilities, reporting structures, and accountability. Although you may get high utility from high-quality compliance software, you generally do not get recommendations pursuant to the kinds of people and processes you need to have in place for a successful initiative. That is why at 3Lions we are now offering professional services that help you navigate these issues from a bottom-up approach. As virtual privacy/security officers on an as-needed basis, we help you navigate your organization, and by “doing the assessment and remediation” the relevant processes and reporting relationships will evolve. We help you implement what has proven to be a successful HCI as demonstrated by our work at other organizations of similar size and complexity, at a fraction of the cost.
 
It boils down to this clash of “civilizations”: SOC-2 delivers a governance structure using a heavyweight linear methodology; Expresso delivers high utility value on day one and helps you navigate your company so that the correct governance structure evolves organically using a lightweight Agile methodology. Query your Tech friends and ask them how many are still using linear heavyweight methodologies. None. Agile dominates. That’s been about twenty years in the making. Compliance is a little slow to catch on.