
The NHCSA No Longer Considers SOC2 and HITRUST Certification Suitable Evidence that Security Standards are Being Met
Rethinking Security Compliance in Today’s Threat Landscape

In an era characterized by increasingly sophisticated and pervasive security threats, the National Healthcare Security Alliance (NHCSA) has significant concerns regarding the suitability of SOC2 and HITRUST certifications as effective means of demonstrating adherence to security standards. Although both the SOC2 standard and the HITRUST framework are robust and comprehensive in their design, the NHCSA contends that the current methodologies employed by assessors and auditors are inadequate for accurately establishing companies’ actual adherence to these standards. Furthermore, it is the NHCSA’s position that this is due to the lack of experience and expertise of auditors and assessors under the current methodology. Studies have shown that many auditors and assessors currently performing SOC2 and HITRUST audits lack the experience and ability to perform hands-on audit tasks. This has produced an environment in which SOC2 and HITRUST certifications have increasingly become a document review designed to “convince” an auditor without real-world experience, rather than an actual audit by experienced professionals.

The Issue with Current Assessment Methods

The NHCSA’s primary contention lies not with the SOC2 and HITRUST standards themselves but, as stated, with the methodologies used in their certification processes. Presently, these certifications rely heavily on assessors and auditors reviewing documentation provided by client companies. While necessary, this documentation review process often results in an extremely limited assessment of the company’s true compliance with security standards. Documentation, though essential, is inherently limited in scope. It provides a snapshot of policies and procedures but does not capture the dynamic nature of their implementation. This method overlooks the practical challenges and nuances involved in maintaining robust security practices. Consequently, there is an increasing recognition that current assessment methods must evolve to address these limitations effectively.

Document Review vs. Actual Compliance

One of the major drawbacks of relying solely on documentation review is that it does not necessarily reflect the real-world implementation and effectiveness of security controls. Documents can be meticulously crafted to show compliance on paper, but this does not always translate into actual practice. In many instances, there is a significant disconnect between the documented policies and procedures and their practical application within an organization. The gap between documented policies and real-world practices can lead to a false sense of security. Organizations may believe they are compliant based on their documentation, but without verifying the actual implementation, they remain vulnerable to breaches. This discrepancy underscores the need for more rigorous and comprehensive assessment techniques that go beyond mere paperwork.

Impact on Data and Privacy Breaches

The NHCSA has observed that reliance on a limited document review process has contributed to a substantial increase in data and privacy breaches. When auditors base their assessments solely on the information provided by the client, critical gaps and vulnerabilities may go unnoticed. These overlooked areas can become entry points for cyber attackers, leading to significant breaches that compromise sensitive data and privacy. The consequences of such breaches are far-reaching. They can result in financial losses, legal repercussions, and reputational damage. For healthcare organizations, the stakes are even higher, as breaches can jeopardize patient confidentiality and trust. Therefore, it is imperative to adopt assessment methods that provide a more accurate and comprehensive evaluation of security practices.

The Need for Enhanced Assessment Techniques

To address these concerns, the NHCSA advocates a more comprehensive and hands-on approach to security assessments. This would involve not only reviewing documentation but also conducting thorough hands-on audits, technical testing, and continuous monitoring of security practices. By incorporating these techniques, assessors can gain a more accurate and holistic understanding of a company’s security posture. Enhanced assessment techniques offer several advantages. They provide deeper insights into the effectiveness of security controls and help identify discrepancies between documented policies and actual practices. These methods also enable assessors to uncover hidden vulnerabilities and recommend actionable improvements, thereby strengthening the organization’s overall security posture.

Hands-on audits

Hands-on audits allow assessors to examine the practical implementation of security controls within the organization. This approach provides insights into the effectiveness of these controls and helps identify any discrepancies between documented policies and actual practices. Additionally, it enables assessors to engage directly with staff, gaining a deeper understanding of the security culture and awareness within the company. During hands-on audits, assessors can conduct interviews, inspect physical security measures, and observe operational procedures. This hands-on approach offers a more realistic assessment of the organization’s security practices, ensuring that documented policies are being effectively implemented and adhered to. For example, during a hands-on audit, assessors can inspect access control procedures to ensure they are functioning properly and being implemented consistently. They can also observe how sensitive information is stored and handled, checking for compliance with data protection policies. These evaluations provide a comprehensive view of the organization’s security environment and help identify areas for improvement. Moreover, hands-on audits foster a culture of accountability within the organization. Employees are more likely to adhere to security protocols when they know their actions are going to be observed and evaluated. This proactive approach helps create a security-conscious workforce that understands the importance of maintaining robust security practices.

Technical Testing

Technical testing, such as penetration testing and vulnerability scanning, is essential for identifying weaknesses that may not be evident through documentation alone. These tests simulate real-world attacks, providing a clear picture of the organization’s resilience against potential threats. By incorporating technical testing performed by the assessor into the assessment process, assessors can uncover hidden vulnerabilities and recommend actionable improvements. The current SOC2 and HITRUST standards for certification and control rely on evidence from third parties and self-assessments of these controls. The NHCSA believes most organizations take precautionary and preventative actions within their capabilities. The main concern is whether they are trained and equipped to perform these tasks. Additionally, evidence has shown that under the current methodology for these certifications, the auditors themselves are not sufficiently qualified to interpret the findings of this type of testing, let alone perform the tests. Independent technical testing by trained auditors would provide valuable insights