SOC 2 HIPAA Compliance: The Process at Rave and Result
Recently, Rave Mobile Safety received a favorable review on our SOC 2 with HIPAA Type 1 audit, an assessment of an organization's control environment at a single point in time. This assessment validates the effectiveness of the Rave critical communication and collaboration platform and points out areas in which we can improve. It also confirms that we have a comprehensive, continuous monitoring program in place so that we maintain a high level of compliance throughout the year.
The History of SOC 2 and What SOC 2 Compliance Means
SOC 2 was developed by the American Institute of CPAs (AICPA) and defines the criteria that service providers like Rave should have in place to manage and protect customer data. SOC 2 compliance is typically a minimum requirement that customers should expect of their SaaS (software as a service) provider, because it is an attestation from an independent third party stating whether the controls meet the criteria and are effective. SOC 2 helps us demonstrate our due diligence and commitment to protecting customer data and maintaining an available and secure SaaS solution.
This compliance is based on five trust service principles: security, availability, processing integrity, confidentiality, and privacy. Security is the core set of criteria that every organization must be assessed against; companies can select any or all of the remaining four for assessment. Since our customers expect Rave SaaS solutions to be secure, highly available, and to maintain strict controls over user data, we chose to add availability and privacy. Rave also added the HIPAA/HITECH criteria to assure customers of Rave Alert and Rave Guardian, and citizen users of Smart911, that individually identifiable health information is protected in accordance with HIPAA.
There are two different types of reports: Type 1 and Type 2. The SOC 2 Type 1 report is a report on a service organization's system and the suitability of the design of its controls. The Type 1 report looks at the system as of a single point in time (an "as of" date) and at how the organization describes the system and the controls in place around it. The SOC 2 Type 2 report is similar to the Type 1 report, except that the controls are described and evaluated over a period of at least six months to see whether they are operating as described by management.
SOC 2 vs. Other Security Assessments
You may be wondering what the difference is between SOC 2 compliance and other security assessments. For example, if you do not obtain a FedRAMP ATO, government agencies cannot use the cloud service. In contrast, if you get poor "marks" on your SOC 2 report, customers can still use the services.
FedRAMP is a US government-wide program that provides a standardized approach to security assessment for cloud products and services. FedRAMP enables agencies to move rapidly from old, insecure legacy IT (information technology) to mission-enabling, secure, and cost-effective cloud-based IT.
A FedRAMP ATO (Authorized to Operate) is a measurement against a standard set of security controls, procedures, and policies established by the Federal Government and based on NIST (National Institute of Standards and Technology) 800-53. If a cloud service does not obtain an ATO, a government agency cannot use it.
SOC 2 reports cover the controls at a service organization that are relevant to security, availability, processing integrity, confidentiality, or privacy. These reports are intended to meet the needs of a broad range of users who need detailed information and assurance about those controls: the security, availability, and processing integrity of the systems the service organization uses to process users' data, and the confidentiality and privacy of the information processed by those systems.
The SOC 2 Compliance Process
Completing the SOC 2 with HIPAA assessment takes several months. The auditors must conduct a comprehensive assessment of the hundreds of controls covered in the report. The process includes a review of policies, procedures, and plans (incident response, business continuity, and disaster recovery).
In order to receive a favorable assessment, Rave had to clearly demonstrate that the appropriate programs and subsequent controls were in place by supplying evidence in the form of documentation, screenshots, interviews, records, and operational procedures with corresponding service tickets. Due to COVID-19, Rave conducted a virtual walk-through of the corporate facilities so the auditors could see that the required physical security controls were in place.
Why It Matters
Overall, SOC 2 provides Rave with a way to demonstrate to our customers that we have suitable processes, procedures, and controls in place that are actively monitored for effectiveness and have been independently assessed. The compliance report is an attestation of the suitability and effectiveness of the controls an organization has put in place to address the Trust Service Principles and, in our case, HIPAA requirements. It is meant for the broader group of customers looking for an independent third-party assessment. The HIPAA part of the assessment focuses specifically on HIPAA requirements and states whether each provision of the law applies and, if so, whether the control is suitable and effective. The SOC 2 report is designed to provide assurance about the effectiveness of the controls in place. The SOC 2 report assessed Rave Alert, Smart911, and the Guardian mobile app.