At 1upHealth, our customers trust us with their most sensitive information and our interoperability solutions are very often on the critical path of patient care. As a result, we consider the protection of this information to be of the highest priority for both our organization and for the greater healthcare system.
While we anchor our day-to-day security decisions in our team’s deep experience and technical expertise, we also rely on frameworks, standards, and best practices defined over the years by leaders in the healthcare technology industry to guide our security control implementation and program development.
This blog covers the highlights of our Data Security Program.
Security and Compliance of the 1up Platform: Why Health Plans Should Trust 1upHealth with Their Data
The 1up Platform is hosted “in the cloud”; we don’t just let the world walk into our data centers, and we would never broadcast the inner workings of the systems and security protecting patient information. Given this background, how can you really know what’s happening behind the scenes?
Here’s where external audits and assessments – one of several key drivers of our security and compliance program – come into play:
We set out to not only meet, but exceed external requirements set by US laws and regulations and healthcare technology industry standards. In order to formally test our adherence to these frameworks, our organization is heavily scrutinized through our combination of two gold-standard security and compliance audits. We have outside assessors review and grade our information security program through completion of both SOC 2 Type II and HITRUST r2 audits.
Why SOC 2 Type II and HITRUST r2 are 1upHealth’s Security Certifications
Why did we choose these audits and their frameworks in particular when there are so many? What assurances do they provide, and what are they all about?
We find this strategy to be comprehensive as an organization that is both a cloud-based technology provider and one that operates in the healthcare technology sphere.
First, let’s discuss the SOC 2 Type II:
The name itself is broken into two parts. The first part is SOC 2, meaning System and Organization Controls 2: the second iteration of its kind, focusing on broad, data-agnostic security controls, compared to the SOC 1, which focuses on security controls specifically protecting systems and data that impact financial reporting. The second part, Type II, refers to the higher maturity level over its cousin audit, Type I. More specifically, the Type I measures the design of controls at a single point in time, and the Type II measures that the controls are both designed effectively and operating effectively over time.
The focus of a SOC 2 Type II audit is to measure how we are meeting commitments surrounding the five trust services criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy. The standard is designed for service organizations — cloud providers, software as a service (SaaS) vendors, and other organizations that provide web-based services.
SOC 2 Type II applies to service organizations that store, process, or transmit sensitive data on behalf of their customers or users. It broadly applies to all organizations under this operating model irrespective of their industry. It spans healthcare, fintech, e-commerce, telecom, professional services, data centers, and all kinds of service providers.
In SOC 2, we’re audited against our attestations of how we meet high-level objectives (the trust services criteria) through controls that we define, implement, and continuously operate. It is a “put your money where your mouth is” type of exam – when it comes to data security in the SOC 2: we say what we do, we do it, and then prove it.
So what about HITRUST r2?
HITRUST is shorthand for Health Information Trust Alliance, which, instead of being industry agnostic, provides the strongest, most comprehensive framework geared specifically towards protecting sensitive healthcare data – our customers’ PHI. The r2 modifier means risk-based, 2 year, exemplifying the highest level of maturity in HITRUST when compared to its e1 (essentials, 1 year) and i1 (implemented, 1 year) counterparts.
HITRUST r2, being deeply aligned to healthcare regulatory requirements and industry standards (including HIPAA and NIST 800-53), assesses 1upHealth through validation of prescribed, risk-based controls and their implementation. It then validates our organization’s adherence to security and privacy controls which are hand-selected based on the risk exposure and risk profile of our organization. For this reason, it carries the highest weight in the healthcare technology space.
How HITRUST r2 and SOC 2 Type II Differ and Why Having Both is Important
Below is a summary of the differences between the two audits, which complement each other and offer a comprehensive view of how 1upHealth approaches and ultimately meets the highest standards of information security protecting data:
| | SOC 2 Type II | HITRUST r2 |
|---|---|---|
| Stands for | System and Organization Controls 2 | Health Information Trust Alliance |
| Qualifier | Type II: controls are 1) designed effectively and 2) operating effectively | r2: Risk-based, 2-year validity period |
| Assurance Objective | Validation of established controls being consistently performed over time | Direct alignment to regulatory requirements and defined industry standards |
| Applies to | Service organizations, including SaaS organizations | Regulated Healthcare Technology organizations |
| Scope | 5 Trust Services Criteria (TSC): Security, Confidentiality, Availability, Processing Integrity, Privacy | 19 HITRUST Domains, aligned to HIPAA, NIST, and other frameworks |
| Assessor | CPA firm | Authorized HITRUST assessor and HITRUST QA assessor |
| Prescriptiveness* | Flexible / custom controls to meet broad objectives | Highly prescriptive, rigorous, adjusts based on risk profile of organization |
| Outcome | Detailed auditor report | Scored maturity report |
| Why? | Build trust and reduce security risks to PHI. Protect patient information and ensure patient information is accurate and available when needed. | (same for both) |
1upHealth’s Holistic Approach and Commitment to Data Security
1upHealth approaches security holistically as an organization, and we have an unwavering commitment to protecting our customers who trust us with their data. However, we’re even more keenly aware of our responsibilities to do right for customer members – the patients – whose information is of critical importance to their healthcare.
Having both audits completed tells a more complete story of 1upHealth’s security credibility and trustworthiness, but they are only the tip of the iceberg. We don’t just meet requirements imposed on us externally; we also have dedicated teams, programs, and technologies that are constantly on the lookout, and that are constantly building upon and improving our existing security posture. Our stance is straightforward – superior security and trust are the foundation of the 1up Platform and everything we do as a company.
To learn more about our Information Security Program, visit our Security Trust Center or Contact Us.