The Schellman Blog

Healthcare service providers are being told that they must begin their HITRUST Validated Assessment process soon, especially to meet the 2017 deadline for HITRUST Certification. The looming deadline and the lack of familiarity with the validation process are causing some fear. But have no fear! This article will provide guidance on the process and the necessary information needed to navigate the Validated Assessment process and obtain certification.

Promoting a culture of ethics and compliance is a fundamental component to the success of any organization. Although sometimes difficult to realize, the actual benefit of an ethics and compliance program exists in its ability to reinforce good decision making and ultimately steer us away from trouble. After all, just one mistake can leave you on the wrong side of the law, not to mention the financial drain and damage it can have on your company’s reputation. To create a culture that values ethics and compliance, we must realize a critical component: the buy-in. Simply put, everyone in the organization needs to be on board with the program.

According to the Identity Theft Resource Center, we saw 781 data breaches in 2015 that totaled hundreds of millions of stolen records, many of which included personally identifiable information about customers—names, addresses and Social Security numbers.

As organizations grow and expand their client base, especially in regulated or security-conscious industries, the demand for third-party assurance has never been higher. It’s common to be faced with requests for both an ISO 27001 certification and a SOC 2 report, but you may be wondering if they are really different. Companies often ask, “can my ISO 27001 certification cover what’s needed for SOC 2?” or “do I really need both?”

During SOC 1 Type 2 examinations, which analyze both the design and operating effectiveness of your controls, deviations from the stated control process must be disclosed within the service auditor’s testing results, often referred to as testing “exceptions” or “deviations” as they are exceptions from the stated control activity. The identification of at least one testing exception is a common occurrence, whether it is due to an outage, failure to document a manual process, or a simple oversight. There are a few questions, however, that you can ask both your auditors and yourselves to help manage the exceptions.

With growing scrutiny in healthcare and a record number of breaches increasing at an alarming rate, healthcare organizations are taking preventive measures in order to avoid breaches and possible fines. However, healthcare organizations are confused on what measures they need to take in order to protect healthcare information.

Surprisingly, business leaders—not IT departments—are the driving force behind six out of 10 migrations to the cloud. These leaders are often bothered by the nagging question, “Is the cloud secure?” This question is usually followed by a series of debates about just how secure the cloud is.

When you hear the word “whistleblower,” do you think business traitor or Good Samaritan? In most company cultures, it tends to be the former, which is unfortunate because more often than not, exposing a security issue is a matter of ethics, not malice for employees. However, because malicious intent has occurred before, the negative connotation lives.