To ensure your data is handled to the most secure standards, Springbuk holds the HITRUST Risk-based, 2-year Certification, the highest standard among information protection certifications.
In addition, Springbuk has achieved third-party validated SOC 2 Type 2 compliance for the seventh year in a row. These statuses demonstrate that Springbuk meets industry-defined requirements for keeping your data safe and managing risk appropriately.
We sat down with Chris Morrison, Manager of Security and IT at Springbuk, to understand the process he and the team work through each year to achieve re-certification and third-party validated compliance.
The process takes a long time; depending on how many people you have working on it, it can take a few months to several months. Every two years, we get certified, but then there's an interim certification on the in-between year. So basically, each year, we go through a certification process.
However, as mentioned earlier, every off-year, there's also an interim certification.
In a certification, audits are usually more about an opinion on compliance, while an assessment defines the current state versus the ideal state and identifies weaknesses and gaps. So I suppose one could go through a HITRUST-based audit without the full assessment and certification. But to become HITRUST certified, the assessment process must go through an approved external assessor and then go through a HITRUST audit themselves.
Our management attests to our input to the information presented to the users within the report. And the independent party confirms these attestations. SOC 2 looks at whether the controls were appropriately designed and operated effectively during the time period for the report in accordance with the requirements stipulated by the SOC 2 criteria.
A HITRUST report comes with a certification. HITRUST is much more detailed, with around five times the number of controls, and incorporates requirements from various standards. HITRUST is also closely aligned with HIPAA, so it's relevant for those dealing with PHI.
We sit down with the auditors to review and make sure that priorities and expectations are clear for all parties involved. Then, with the scope in mind, the auditors will create a plan and set up a project timeline. You lay out the dates and establish the deadlines where you need to have your information presented to them.
After that, it’s time to start testing the security controls. The auditor will ask for tons of documentation and will request populations from which they will pull samples to test. There's a lot of documentation back and forth that they're requesting. These testing areas include most of the business units across the organization, to some extent at least.
The auditor dives in and tests the controls for their design, making sure they're designed appropriately and ensuring that they are effectively working how they're supposed to be. Then, there's more back and forth if evidence is missing. Or sometimes, if the evidence isn't clear, we'll often just provide explanations around the things that were submitted. And sometimes, we just have to talk through certain controls with them.
Next comes the documentation of the results. The auditors will record the results, issue a draft report, and send it back to the organization that's getting audited. At that point, you can make any edits or clarify anything if some of their information is incorrect.
And then they deliver the final report. They'll give us a written evaluation of the controls and share a final opinion on whether they think that we have our controls suitably designed and that they are ensuring data security.
It gives us a continuously updated roadmap for security.
It helps us change with the times and helps us stay secure as new risks and potential threats are discovered – and as compliance requirements change. We are continuously doing internal reviews to ensure that we adhere to these controls or have external audits.
It's not a ‘get the certification and forget about it’ situation. HITRUST and SOC 2 are ways for us to show that we're leaders in this space, and they show our platform is secure and tested against the highest security standards. It shows our customers that we are very serious about the security of their data.
Imagine a world where every healthcare decision is backed and guided by data. Springbuk is the health data analytics solution that equips you with the insights and expertise you need to sharpen your benefits strategy, advance employee health, and contain costs. Unlike legacy data warehouses, we simplify data-driven decision-making with an intuitive user experience, predictive modeling, and curated action steps. Springbuk — a world of actionable health intelligence insight at your fingertips.