Trust in SymphonyRM’s HealthOS via Service Organization Controls (SOC) Certification
SymphonyRM underwent an in-depth audit recently in hopes of achieving the American Institute of Certified Public Accountants (AICPA) SOC 2 Type 2 certification. The result? We passed with flying colors!
What is Service Organization Control (SOC)?
SOC was put into place by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010 and is the reporting option for companies that use cloud computing to transfer and store data.
SOC 2 is considered one of the strictest audit standards for service providers, but is not mandated. As a service provider interested in ensuring the highest security standards for the safety of sensitive data such as PHI (Protected Health Information), we want our customers to know they can rely on controls put in place to support the SOC TSP (Trust Services Principles). SymphonyRM is proud to provide a safe, reliable, and secure platform for our healthcare customers – giving them one less thing to worry about.
Why is SOC 2 certification important?
SOC 2 certification is based on policies, communications, procedures and monitoring:
The system must have controls in place to protect against unauthorized access (both physical and logical).
The system must be available for operation and use as committed or agreed.
System processing must be complete, accurate, timely and authorized.
Information that is designated as “confidential” by a user must be protected.
Personal information must be collected, used, retained and disclosed in accordance with the operation’s privacy notice and the principles set by the AICPA.
Independent review (the audit) ensures that stringent requirements are met. Applications and data warehoused by providers that are not SOC certified do not provide the same level of assurance. When working with providers that have access to client data, demonstrated performance and reliability in keeping that data secure is essential, and such controls are required by regulators, examiners and auditors under laws such as the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The SOC 2 certification report is evidence that you do what you say. It shows that external auditors have agreed that the control systems you have in place work as you say they do, observed over an extended period.
When it comes time for our customers to satisfy their auditors of their compliance, they can point to our SOC 2 report and show they are using compliant services themselves. Similarly, the security team here at SymphonyRM reviews the SOC assessments of our hosting providers to make sure their security controls are operating effectively. SymphonyRM conforms to the highest standards of the AICPA – we walk the walk, not just talk the talk!