To ensure your data is handled in the most secure standards, Springbuk holds the HITRUST Risk-based, 2-year Certification, the highest standard of information protection certifications

In addition, Springbuk has achieved third-party validated SOC 2 Type 2 compliance for the sixth year in a row. These prestigious statuses represent efforts met with industry-defined requirements in keeping your data safe and managing risk appropriately. 

We sat down with Chris Morrison, Manager of Security and IT at Springbuk, to understand the process he and the team work through each year to achieve re-certification and third-party validated compliance. 

Q: What is the certification process? How long does it take, and how often is it done?

A: There are four steps in the validated assessment process: 

  • The first step is completing a readiness assessment (if you haven't been certified before or if there have been significant changes in the scope of the controls).
  • Second, you score your organization on the controls in the 19 different domain areas. Then you have to enter supporting evidence and narratives into the assessment tool.
  • From there, you have to evaluate your compliance with each of the controls against the maturity levels included in HITRUST, which are the process procedure, implementation, measurement, and management of those controls. Your HITRUST-approved external assessor then performs validation testing on all the scoring and evidence you put in the tool - if their assessment agrees with your self-assessment, then you move on. If they disagree with your ratings, they will send back controls for further consideration with comments or ask for scoring adjustments. 
  • Lastly, your auditors submit the finalized assessment to HITRUST for review. And they perform several phases of reviews. Sometimes if there are any gaps, an organization may need to do some corrective action plans at that point. And then finally, after that comes the certification. 

The process takes a long time; depending on how many people you have working on it, it can take a few months to several months. Every two years, we get certified, but then there's an interim certification on the in-between year. So basically, each year, we go through a certification process.

Q: How many times has Springbuk been certified? Are there different levels to the certification?

A: This is Springbuk's second time achieving the two-year certification. However, as mentioned earlier, every off-year, there's also an interim certification.

There are different levels to HITRUST certification:

  • A self-assessment
  • A one-year assessment
  • A two-year assessment, which is the most comprehensive of all

Q: If a vendor says they have undergone a HITRUST audit, is that the same thing as being certified?

A: Not necessarily. HITRUST isn't an audit. It's an assessment. 

In a certification, audits are usually more about an opinion on compliance, while an assessment defines the current state versus the ideal state and identifies weaknesses and gaps. So I suppose one could go through a HITRUST-based audit without the full assessment and certification. But to become HITRUST certified, the assessment process must go through an approved external assessor and then go through a HITRUST audit themselves.

Q: What is the difference between HITRUST and SOC 2? Do they work together? How are they different? 

A: The main difference between HITRUST and SOC 2 is that SOC 2 is in an attestation report, while HITRUST is a certification. 

Our management attests to our input to the information presented to the users within the report. And the independent party confirms these attestations. SOC 2 looks at whether the controls were appropriately designed and operated effectively during the time period for the report in accordance with the requirements stipulated by the SOC 2 criteria. 

A HITRUST report comes with a certification. HITRUST is much more detailed with around five times the number of controls and incorporates requirements from various standards. HITRUST is also closely aligned with HIPAA. So it's relevant for those dealing with PHI. 


Q: What is the process of the SOC 2 assessment? 

A: The SOC 2 Type 2 assessment process starts with an organization defining the audit scope and objectives, such as what we want to learn from the audit. 

We sit down with the auditors to review and make sure that priorities and expectations are clear for all parties involved. Then, with the scope in mind, the auditors will create a plan and set up a project timeline. You lay out the dates and establish the deadlines where you need to have your information presented to them.

After that, it’s time to start testing the security controls. The auditor will ask for tons of documentation and will request populations from which they will pull samples to test. There's a lot of documentation back and forth that they're requesting. These testing areas include most of the business units across the organization, to some extent at least. 

The auditor dives in and tests the controls for their design, making sure they're designed appropriately and ensuring that they are effectively working how they're supposed to be. Then, there's more back and forth if evidence is missing. Or sometimes, if the evidence isn't clear, we'll often just provide explanations around the things that were submitted. And sometimes, we just have to talk through certain controls with them. 

Next comes the documentation of the results. The auditors will record the results, issue a draft report, and send it back to the organization that's getting audited. At that point, you can make any edits or clarify anything if some of their information is incorrect. 

And then they deliver the final report. They'll give us a written evaluation of the controls and share a final opinion on whether they think that we have our controls suitably designed and that they are ensuring data security.

Q: How do these reports and certifications impact the Springbuk platform and our customers?

A: The HITRUST framework is what our entire security program is built on. It's the framework we've chosen to develop our policies around, along with many of our processes. It gives us a continuously updated roadmap for security. 

It helps us change with the times and helps us stay secure as new risks and potential threats are discovered – and as compliance requirements change. We are continuously doing internal reviews to ensure that we adhere to these controls or have external audits.

It's not a ‘get the certification and forget about it situation.’ HITRUST and SOC 2 are ways for us to show that we're leaders in this space, and they show our platform is secure and tested against the highest security standards. It shows our customers that we are very serious about the security of their data.

About Springbuk
Imagine a world where every healthcare decision is backed and guided by data. Springbuk is the health data analytics solution that equips you with the insights and expertise you need to sharpen your benefits strategy, advance employee health, and contain costs. Unlike legacy data warehouses, we simplify data-driven decision-making with an intuitive user experience, predictive modeling, and curated action steps. Springbuk — a world of actionable health intelligence insight at your fingertips.