mjrowell
(mjrowell)
1
I wasn’t quite sure where to put this, so here we are. I work for a small company that is healthcare adjacent. We rarely touch anything that HIPPAA would cover, but since we work with larger hospitals and health systems, they want us to be at their standard for security, and they also want third-party audits/certifications.
Thus far, what I have seen is $15-20,000 per year for what we looked at: HITRUST and SOC 2 Type 2. Looking for any suggestions or information from smaller hospitals, clinics, doctor’s offices or anything medical in nature.
Thanks in advance!
6 Spice ups
Rod-IT
(Rod-IT)
2
HIPAA*
Basically, they want you to be regularly pen-tested and audited by an external company; they will tell you the flaws and vulnerabilities on your network and give you a grade, and you then have to action those to be compliant.
There are many companies out there, and while I don’t work for or around hospitals, this would be good practice for any company to do.
If you can list your location, I’m sure people within your region can add their recommendations.
1 Spice up
mjrowell
(mjrowell)
3
Unfortunately, not quite. They specifically asked for HITRUST, SOC 2 Type 2 or ISO 27001 certification. If I get some recommendations from other people working IT in the medical industry, then I can push back, saying that we’re a small company, we do not handle patient information, and other medical clinics only get X, Y or Z, so that’s our plan… then I can do that.
Otherwise, we’re going to end up dropping a ton of money on an industry certification we don’t need.
1 Spice up
@mjrowell what specifically does the company do, and what potential PII/PHI/PCI-DSS data is it privy to?
1 Spice up
Rod-IT
(Rod-IT)
5
Who is “they”? A partner, a company who supports you, or one of which you are a subsidiary?
1 Spice up
Dashrender
(Dashrender)
6
I see this really boils down to you (or management) making the determination of how hard they want to push back against these requests from your clients, which likely will boil down to how much this costs versus how much revenue they generate for you.
Most small medical clinics to my knowledge don’t bother with anything like SOC 2 Type 2 or ISO 27001.
Since you do deal with HIPAA-related information at least some of the time, and I assume you sign a BAA with your customers, you will be required to do whatever the BAA says you’ve agreed to, which could include one or more of these certifications.
At bare minimum, you’ll need to do a risk analysis and provide documentation about the mitigations of those discovered risks.
Though I’m not sure the law requires any type of actual certification when it comes to dealing with HIPAA-related data.
1 Spice up
peterb123
(PeterB123)
7
There are some good options for Compliance Managers.
I use the Kaseya “Compliance Manager GRC”; perhaps there’s a managed service provider in your area that has similar tools and that you could set up a contract with to use them.
It’s quite handy due to the structure of compliance/policy/report/vulnerability scans and the like, and a Compliance Manager kit is great to keep it all together and easy to update as well as distribute.