An ongoing commitment to cybersecurity: Renewing SOC 2 + HITRUST

By Q-Centrix | December 14, 2021

Continuing to demonstrate our commitment to the highest levels of cybersecurity, Q-Centrix® has once again successfully completed the SOC 2 (System and Organization Controls 2) + HITRUST Security Assessment, our second year in a row.

The renewal, which follows a comprehensive annual audit of our security and privacy practices to confirm that we meet or exceed the SOC 2 + HITRUST requirements, comes at a time when hospitals and other health care facilities are increasingly targeted by ransomware attacks that shut down networks and expose sensitive information. In fact, ransomware is a major factor in the updates to this year's audit.

Victor Low, who leads our SOC 2 + HITRUST efforts as Q-Centrix IT director, points out that approximately 80 new controls, including those focused on ransomware attacks, were added to the audit this year based on evolving security threats and corresponding mitigation practices.

“Seizing clinical data has the potential to impact the delivery of care—which could harm a patient,” explains Victor. “With so much at stake, hackers may believe health care organizations are likely to pay up to resolve the problem, heightening the urgency and seriousness needed to combat these threats.”

A ransomware attack typically begins with a malicious person or group posing as a person, company, or other entity with a seemingly legitimate request. They often send what is called a phishing email to an organization's employees, containing harmful computer code hidden behind a link or in an attachment. Once it runs, this code encrypts the organization's files and systems, locking the organization's own team out of its network. The attacker then demands an extravagant ransom in exchange for the key needed to regain access. Making matters worse, the attacker often gains a foothold in the network and then sits quietly for weeks, months, or even years, moving between systems and collecting credentials, before the ransomware is triggered or the intrusion is detected.

The SOC 2 + HITRUST Security Assessment looks specifically for controls designed to prevent or mitigate this type of threat. One example is the minimum necessary rule (the principle of least privilege): limiting each employee's network and data access to only what is necessary to perform their job, so that a single compromised account cannot reach, encrypt, or exfiltrate more than it needs to. Another is an ongoing training and simulated-phishing program that teaches employees how to recognize phishing attempts used to deliver ransomware and periodically tests their ability to do so with unannounced test messages.

These examples underscore that an effective privacy and security strategy is not a one-time effort but a deliberate and continuous endeavor involving frequent updates, ongoing assessments, and continual learning, with the annual audit serving as the capstone of that assessment work.

As the provider of the industry’s only true Enterprise Clinical Data Management (eCDM™) platform, our team at Q-Centrix processes in excess of 3 million clinical data transactions annually. Our daily operations involve members of an internal team of more than 1,000 clinical experts and approximately 1,200 hospital and health system partners who interface with the platform to manage and interpret clinical data.

“Our partner community trusts us with every transaction we make with one of their most valuable assets—their clinical data,” stresses Victor. “So we take our responsibility as stewards of this data seriously, and we owe it to them to subscribe ourselves to a higher standard when it comes to security.”

Q-Centrix remains the only health care quality data organization to have achieved SOC 2 + HITRUST. We also feel a responsibility to educate our community about the cybersecurity standards that third-party organizations working with hospitals and other health care organizations should be meeting. For example, our recent publication, the Clinical Data Privacy & Security guide, is freely available at www.q-centrix.com.

Why SOC 2 + HITRUST matters
A two-tiered technology and controls accomplishment, SOC 2 + HITRUST requires an organization to demonstrate its ability to protect patient data and other sensitive, personally identifiable information in accordance with established industry standards and the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA). This is verified by an independent third-party examiner, whose audit covers how the controls operated over a 12-month period, not just whether they exist on paper. SOC 2 was created by the American Institute of Certified Public Accountants (AICPA) as an authoritative benchmark for control design and operating effectiveness, while the HITRUST framework provides prescriptive requirements for creating, accessing, storing, and exchanging personal health and financial information in a secure and transparent manner.

Achieving SOC 2 + HITRUST adds to an already-robust and multi-faceted set of data security practices at Q-Centrix. We are fully compliant with the HIPAA and HITECH laws, which establish provisions for safeguarding medical information, and we maintain a full security incident response plan with steps to identify, stop, evaluate, and contain threats or breaches, as well as to prevent similar incidents in the future. Additional measures include encryption of all health care data at rest and in transit; data backup and recovery mechanisms, so that systems can be restored without paying a ransom; two-factor authentication for anyone permitted to access our information systems; workforce security training; and recommended physical security elements, such as secure entrances, restricted equipment areas, and video camera surveillance.