SOC 2 Requirements by an IRB

HIPAA certifications IT security audit

Matthew Amsden

Posts: 3

We are a software as a service vendor for research, and recently we had an IRB request a SOC 2 Certification (Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy). It's specifically for software as a service companies. As I understand it, instead of providing your security infrastructure, operations and procedures, you provide the security certificate from an independent auditor. Though I could be wrong. I've asked around among my network of health IT companies, and while some had heard of it, and one started the process, none have completed it yet.

I'm curious if other IRBs are thinking about forgoing the traditional IT review process in favor of this independent review? It's a relatively expensive audit process ($20k to $70k), so if there are many IRBs thinking about it, and it will reduce the sometimes laborious IT security review, it's worth the investment. But if it's not widely known or accepted, it's not worth the investment for one customer at our price points.

And for anyone who is familiar with the SOC 2, and does require it, how important is it to you who the auditor is? Do you need/expect it to be from a big five auditor like PWC or Ernst & Young (very expensive), or are you satisfied with an external audit by any organization (many of whom are a lot less expensive)?

For any companies that have been through the SOC 2 audit process before, about how long did it take?

Thanks,
Matthew Amsden, CEO ProofPilot

Rubi Linares-Orozco

Posts: 22

Hi Matt,

The request for a SOC2 audit is not uncommon, but what is weird is that it came from an IRB. Usually this type of request comes from an IT Officer or Privacy Officer, depending on the type of interface the software will have with the research or health data. This information is usually requested during a purchasing agreement/contract. This process is becoming more common due to changes in policies with regard to privacy and security, and OCR is pushing out its second wave of HIPAA compliance audits and giving heavy penalties to institutions that do not conduct thorough privacy and security checks. This IRB may have been guided by their IT office to request this information from you.

Here are two articles on SOC2 audits and why they are becoming necessary in evaluating technical service providers: https://www.tripwire.com/state-of-security/security-data-protection/do-soc2-audits-even-matter/ and https://blog.threatstack.com/not-soc-2-compliant-4-reasons-your-customers-wont-work-with-you

Also, if it helps, you can see the OCR HIPAA findings and penalty descriptions here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/

Good luck,

~ Rubi

Matthew Amsden

Posts: 3

Extremely helpful. Thank you.