HIPAA Evolution Offers Path for All SOC 2 Reports
Published on by Robert Ramsay in SOC Reports

Technology leaders often ask: “What more should we be doing about cybersecurity?” The precise answer, a complex weighing of incremental benefits against incremental risks, leaves us looking for shortcuts. In this case, it appears the Department of Health and Human Services is offering guidance.
Recently proposed modifications to HIPAA and HITECH Act rules for addressing evolving threats may be a nice avenue – you can access the entire 125-page document on the department’s website if you’re so inclined.
A little backstory
We’ve often talked about methods for using an existing framework or methodology as a guide (e.g., applying PCI DSS and replacing “cardholder data” with “my organization’s sensitive data.”) In this case, any organization can follow these guidelines for healthcare data and replace Electronic Protected Health Information (ePHI) with “my organization’s sensitive data.” In the same way, a Business Associate Agreement (BAA) can be replaced with “data sharing agreements.”
New rules proposed – the key ideas
The proposed rules update, which targets adoption in January 2026, contains several key ideas.
Maintain a compliance calendar
Capture and share key dates for recurring data security and compliance practices; this helps both those responsible for carrying out each process and those responsible for overseeing it. It may also lead to efficiencies from better scheduling (e.g., cyber-insurance renewal, security training, hardware and data inventories, risk assessments, vendor assessments, and policy updates may be more efficiently addressed in the same month every year, chosen to fit the SOC timeline).
Keep documentation updated – and make it more accessible
Take a next-level approach to documentation of all security policies and procedures. Consider making them more accessible (both by prominence of location and ease of applicability). Perhaps have AI draft reminders using key security policy elements written specifically for applicable departments.
Revisit risk analysis
New requirements include a written assessment that contains:
- A review of the technology asset inventory and network map.
- Identification and assessment of reasonably anticipated threats to the confidentiality, integrity, and availability of sensitive data.
- Identification and assessment of potential vulnerabilities to systems storing sensitive data.
NOTE: Assessments should include the likelihood and severity of threats and vulnerabilities.
Update contingency planning and security incident response plans
Update plans for responding to security incidents:
- Establish written procedures to restore systems within 72 hours.
- Perform an analysis to determine restoration priorities.
- Document how to report suspected or known security incidents.
- Implement procedures for testing and revising security incident response plans.
Require encryption
Require encryption of sensitive data at rest and in transit.
Require Multi-Factor Authentication (MFA)
Require the use of multi-factor authentication to access any sensitive data or systems.
Conduct regular vulnerability scans and penetration testing
Conduct vulnerability scanning at least every six months and penetration testing at least every 12 months.
Related content
You may also be interested in our DIY SOC Reporting video series, with great ideas for streamlining your SOC reporting process, creating efficiencies, and reducing costs. Our SOC Reporting FAQ is packed with the top questions our SOC pros get most often, along with their detailed answers. Regardless of where you are in your SOC reporting journey, our team of top pros is here to help. Contact us today for a free consultation.