Like you, Streamline Verify puts security first! In healthcare, data is sensitive and handling it properly is a pressing concern. That’s why we’re careful to implement cutting-edge systems and procedures that safeguard the transmission and storage of data. We make sure our company systems are annually audited and SOC 2 Type II certified.
SOC 2 compliance certification remains the gold standard in assessing service provider performance against rigorous data security standards. As an organization that is entrusted with its clients’ most sensitive information, this certification signifies the strong commitment to data security that is a hallmark of excellence in our field.
Why Seek a SOC 2 Type II Certification?
Information security is a concern for all organizations, particularly when key business operations, such as exclusion screening, are performed by third parties. With the proliferation of data breaches, malware use and hacks, there is understandable concern about how data sent outside an organization’s firewall is managed and controlled. A SOC 2 Type II certification proves to these organizations that a data service provider, like Streamline Verify, adheres to the most stringent safeguards to protect their clients’ data.
What are SOC Reports?
The American Institute of Certified Public Accountants (AICPA) developed standards by which certified auditors assess data controls and related risks at service organizations. The results of such audits are captured in a series of reports which are known as System and Organization Controls (or SOC) reports. These controls are specific standards used to measure how an organization protects and manages sensitive information through its internal safeguards and controls. SOC audits are voluntary but serve to reassure security-conscious business clients that a service organization is serious about the protection of its data.
Types of SOC Reports
There are currently three types of SOC reports designed to address different topics and audiences. All SOC certifications require an organization to demonstrate controls regulating their interactions with their clients and client data.
SOC 1: A SOC 1 report evaluates controls that are relevant to a service provider’s impact on its client’s internal control over financial reporting (ICOFR). This type of report either establishes a baseline (SOC 1 Type I) or assesses the performance of controls over time (SOC 1 Type II). If the service provider cannot affect its client’s ICOFR, a SOC 1 audit may not be beneficial.
SOC 2: This type of report is unique to each organization and is designed to address one or more of the “Trust Services Criteria” set forth below. SOC 2 Type II certification is the most comprehensive within the SOC protocol, and assures clients, through an objective assessment by a certified auditor, that an organization’s system maintains the highest standards of operating effectiveness of its data security controls. Because this type of report would be valuable to a hacker or others interested in accessing the organization’s data, it is generally released only to a limited audience.
Our SOC 2 audit allows for customization of the examination against the following standards, known as “Trust Services Criteria (TSC)”:
1. Security: This standard addresses access controls that protect against unauthorized access (both physical and logical) to systems and data. Security controls assessed include the physical security controls in place to protect infrastructure, password parameters, firewalls, network device configuration, and other security measures.
2. Privacy: The privacy standard applies when “personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives” in accordance with the privacy standards of the organization. This standard specifically addresses the protection of personally identifiable information (PII), which allows an individual to be identified, and therefore differs from the confidentiality standard, which relates to sensitive business information.
Conclusion
Obtaining a SOC 2 certification also offers benefits beyond providing an objective assessment by certified auditors of whether data is being managed in a secure and reliable manner. It eliminates the audit expense for clients who would otherwise have to seek assurance individually that their data is being protected. Further, obtaining a SOC 2 report that can be shared with clients is a major incentive when the alternative is facing multiple client audits that can significantly disrupt the regular operations of an organization.
At Streamline Verify, the annual SOC 2 Type II audits, including preparation for the audit itself, give us all a renewed commitment to sustaining our compliance with the highest standards of data security and to meeting the expectations of our clients.