8 Questions to Ask Your SOC 2 Auditor Before Signing a Contract
A SOC 2 is a third-party review that attests to an organization’s ability to protect data and information. In a world where data breaches and cyberattacks are on the rise, a SOC 2 report is a valuable tool to:
- Increase insight into your organization’s security posture
- Understand opportunities for control improvements
- Position your company more competitively in your market (prospects want to ensure your organization takes security seriously)
There are a lot of vendors out there that cater to different aspects of the SOC 2 process — from software providers who help you get audit-ready to certified auditors from CPA firms who can test your environment and issue a final SOC 2 report. Ideally you will want to find a firm that can take you all the way from SOC 2 readiness to report.
Use this checklist of important questions to vet your SOC 2 auditor before signing a contract. Following this checklist will help you complete a thorough due diligence process to ensure that you partner with the right team and get the most out of your audit.
1. Are you a licensed CPA firm?
SOC 2 audits are regulated by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm. This is the only way a company can receive an official SOC 2 report. It’s important to confirm that the SOC 2 vendor you are considering working with has the proper accreditation.
2. Can you provide us with a final report?
If you are considering using a SOC 2 compliance software provider, it’s important to confirm that they also provide audit services that will result in a SOC 2 report, ideally without having to shift your information to another vendor in the middle of the audit process.
As discussed above, a final report can only be issued by an auditor from a licensed CPA firm. Many SOC 2 software providers only offer a solution to assess your readiness to complete a SOC 2 audit — they cannot perform and/or issue the SOC 2 audit and report itself.
If you choose to work with a software provider, you must ensure that they also have certified auditors on staff. Otherwise, you’ll need to sign on a secondary vendor to complete the actual audit. This is not recommended, as it leaves too much room for things to be “lost in translation” between the two entities, leading to wasted resources and delayed audit and report timelines.
A-LIGN offers an end-to-end compliance solution — with a SaaS automation compliance platform to help you complete a readiness assessment and streamline the entire audit process, as well as certified auditors to produce a final report. This creates efficiencies while maintaining control of your environment.
3. Do you offer SOC 2 readiness services?
A SOC 2 readiness assessment is a valuable tool to help you understand your company’s position before completing an official audit. A readiness assessment can help you identify gaps in your cybersecurity procedures (and the severity of those gaps) that need remediation before a SOC 2 audit. This will ultimately help you save time, set priorities, and put your company in a better position to perform well during the SOC 2 audit.
Companies like A-LIGN provide readiness services via automated software — which offers easy-to-read dashboards outlining gaps and priorities, and provides tips to navigate the audit process better.
4. What is the timeline of a SOC 2 examination?
Many software providers tout they can complete a SOC 2 audit in 14 days. It’s important to clarify this statement before signing a contract. A lot of times, the two-week timeline is an estimate for an expedited evidence collection process — but evidence collection is only one step in the SOC 2 audit process and does not result in a full audit or final report.
Ask your vendor for a complete timeline and have them outline their step-by-step process for moving through the SOC 2 audit. This is essential for you to resource appropriately. It’s also crucial to know when you can expect to have a report in hand so you can properly communicate with prospects who ask about a SOC 2 report during the sales process.
5. What does the evidence collection process entail?
The evidence collection process varies significantly based on the scope of your audit. Often it can include hundreds of requests for evidence.
We recommend using compliance automation audit software to streamline the evidence collection process and organize assets. Ask your vendor if they provide software to assist in this process.
Through our partnership with leading GRCs and our integrated platform, evidence can be automatically collected through our audit management platform, A-SCEND.
Once collected, A-SCEND creates readable reports that are mapped to corresponding evidence requests from the “information request list” (provided earlier in the audit process). This helps you see what information is already collected and what else your team still needs to gather and provide.
Audit management software significantly reduces the time it takes to collect, share, and analyze evidence. With A-SCEND, this information can also be stored and re-used to help complete other audits, which delivers a harmonized audit experience that minimizes duplication and saves time and effort on your audit.
6. How many SOC 2 audits have you completed to date?
There is no substitute for experience. Choosing a seasoned SOC 2 auditor will be the difference between a fast and painless audit process that results in a reputable final report and being issued a piece of paper that no one accepts.
In addition to asking about the number of audits completed to date, you can also get a sense of a company’s experience based on the resources and information they provide about the SOC 2 process on their website. A trusted, experienced partner will be able to provide you with plenty of information to educate you about the SOC 2 process and detailed information about their services and tools.
7. In what industries do you have experience?
You’ll want to ensure your SOC 2 auditor is familiar with the ins and outs of your industry, so they understand how the SOC 2 criteria fit your organization. Plus, many elements of SOC 2 overlap with those of other necessary, industry-specific audits. If your auditor has experience in the healthcare sector, for example, they’d be familiar with the overlap between SOC 2 and HIPAA (Health Insurance Portability and Accountability Act) compliance. They may be able to offer you a SOC 2 + HIPAA combined security assessment. This would allow you to complete both audits simultaneously while saving time and resources.
8. What other services do you provide that could help as we continue to grow as a company?
SOC 2 is just one of the many important audits and assessments in the world of compliance and cybersecurity. It’s common for companies who complete a SOC 2 audit to pursue other compliance priorities as well.
Plus, as mentioned above, SOC 2 overlaps with other audit criteria. Completing a SOC 2 audit positions you well to pursue other complementary certifications. Look for a vendor that offers other audits, attestations, and assessments so you can create a long-term partnership that meets all your cybersecurity and compliance needs. It’s advantageous to build a relationship with one vendor, so as not to duplicate efforts related to evidence collection and fieldwork.
From Readiness to Report with Trusted SOC 2 Auditors
A-LIGN is a licensed CPA firm and the top issuer of SOC 2 reports in the world. We have completed more than 5,000 SOC 2 audits and employ more than 170 SOC 2 auditors located around the world.
In addition to the expertise of our auditors — and our deep experience — we also offer a compliance automation software solution. A-SCEND streamlines the evidence collection process and provides you with all of the tools you need to successfully complete a SOC 2 audit, from readiness to report.
Contact us today to learn more about A-LIGN’s SOC 2 services.
Ransomware attacks are occurring more often, have become more harmful and now cost businesses a great deal of resources. A-LIGN’s 2022 Benchmark Report showed that of those surveyed, only 39% of organizations have a plan in place, whereas 40% are “planning to develop” something in the future, and 10% said they don’t view ransomware as a main cybersecurity concern. This gap is leaving businesses vulnerable to attacks. To help you best prepare for a cybersecurity event, we break down what goes into a ransomware preparedness assessment.

Contact A-LIGN to learn more about our one-of-a-kind Ransomware Preparedness Assessment.
A-LIGN’s Mike Herdegen Named Tampa Bay Business Journal’s 2022 CIO of the Year Honoree
Chief Technology Officer at A-LIGN Recognized as a Top Tampa Bay Executive in Information Technology
A-LIGN, the leading cybersecurity compliance and audit firm, today announced that the company’s Chief Technology Officer, Mike Herdegen, has been named a 2022 CIO of the Year honoree by the Tampa Bay Business Journal. This award recognizes top information technology executives and emerging leaders in Tampa Bay who are using innovative ways to create a competitive advantage and grow their companies.
Tampa Bay Business Journal’s CIO of the Year awards program is the most prestigious recognition of Tampa Bay’s top IT leaders and executives. CIOs and CTOs play a critical role in corporate success as technology continues to be a driving factor to operational success in the Tampa Bay business world. These leading executives’ roles daily expand and evolve from IT infrastructure, platforms, and cybersecurity to hardware and software development.
Herdegen is responsible for internal IT operations, ensuring A-LIGN operates against the highest standards for security in protecting information and system integrity. He also oversees the development of A-LIGN’s compliance management platform, A-SCEND, which enables customers to streamline their audits, save time and resources through automation, and demonstrate their security posture year-round.
“One of the reasons I came out of retirement to join A-LIGN was because of the organization’s values. A-LIGN has a culture of collaboration, expertise, integrity, and vision,” said Mike Herdegen, CTO at A-LIGN. “The A-SCEND features we are currently rolling out include market-leading new capabilities that keep pace with the rapidly-evolving expectations of our customers. At A-LIGN, support means exceptional service for our clients and opportunities for our employees, and we focus on people and technology to achieve both.”
The Tampa Bay Business Journal selected 2022 CIO of the Year honorees based on: accomplishments, leadership efforts, ethics in management and business practices, philanthropic contributions and involvement, significant projects spearheaded during the pandemic and over the past year, and how such initiatives have strengthened the company’s strategic market position.
Herdegen’s team of over 50 domestic and international IT professionals and developers have reimagined the A-SCEND product from an internal facing audit tool to an external facing solution to scale the organization’s footprint in the market as a leader in the cybersecurity service industry. The SaaS platform is purpose-built, performing end-to-end cybersecurity audits through the entire compliance process.
With an innovative single-provider, readiness-to-report approach, Herdegen’s primary goal over the last year and a half has been to transform A-SCEND into a cybersecurity platform that assists over three thousand clients in their compliance initiatives, and allows their audits to be as streamlined and successful as possible.
Outside of A-LIGN, Herdegen serves as the primary information technology resource at Think Big for Kids, helping underprivileged youth discover their untapped potential by bringing them exciting career exploration, mentorship, and skill development opportunities. Additionally, Herdegen is on the Tampa Bay Estuary Program’s (TBEP) Community Advisory Committee, responsible for judging the grants provided by TBEP and facilitating grant decision meetings.
To learn more about the team at A-LIGN, please visit our website.
For more information about TBBJ’s CIO of the Year honorees and awards and programs, visit https://www.bizjournals.com/tampabay.
About A-LIGN
A-LIGN is the only end-to-end cybersecurity compliance solutions provider with readiness to report compliance automation software paired with professional audit services, trusted by more than 3,300 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider holistic approach as a licensed CPA firm to SOC 1 and SOC 2 Audit services, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HITRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, PCI Qualified Security Assessor Company, and PCI SSC registered Secure Software Assessor Company. Working with growing businesses to global enterprises, A-LIGN’s experts and its audit management platform, A-SCEND, are transforming the compliance experience.
Media Contact:
Danielle Ostrovsky
Hi-Touch PR
410-302-9459
[email protected]
Zero trust is an important part of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity issued in May of 2021 and will continue to gain popularity as an effective cybersecurity solution. It focuses on restricting information access within an organization to only those who absolutely need to access the data. The entire point of zero trust is to assume that everyone is a potential threat actor and therefore, no internal or external users or systems are trusted.
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are implementing zero trust strategies.

To learn more about strategically implementing a zero-trust architecture within your organization, complete our form below and one of our trusted experts will reach out directly.
A-LIGN Named on Inc. 5000 List of Fastest Growing Companies for Sixth Consecutive Year
With Three-Year Revenue Growth of 145 Percent, A-LIGN Receives Ranking No. 3569 Among America’s Fastest-Growing Private Companies
A-LIGN, the leading cybersecurity compliance and audit firm, announced today that the company is No. 3569 on the annual Inc. 5000 list, the most prestigious ranking of the fastest-growing private companies in America. This is the sixth consecutive year the company has been recognized on the list, which represents the most successful private companies with a proven track record of growth. The list represents a one-of-a-kind look at the most successful companies within the economy’s most dynamic segment—its independent businesses. Facebook, Chobani, Under Armour, Microsoft, Patagonia, and many other well-known names gained their first national exposure as honorees on the Inc. 5000.
“We are honored that A-LIGN has received its ranking on the 2022 Inc. annual list 5000 as No. 3569,” said Scott Price, CEO at A-LIGN. “We are incredibly proud that our outstanding team is once again recognized among America’s fastest growing private companies. It is truly an honor to be named by the prestigious Inc. magazine alongside these incredible businesses. I am deeply moved by the commitment and dedication of the entire team at A-LIGN, and look forward to the coming months as we continue to provide premier technology paired with expert professional services to our global clients.”
The companies on the 2022 Inc. 5000 have not only been successful, but have also demonstrated resilience amid supply chain woes, labor shortages, and the ongoing impact of Covid-19. Among the top 500, the average median three-year revenue growth rate soared to 2,144 percent. Together, those companies added more than 68,394 jobs over the past three years. Complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, region, and other criteria, can be found at www.inc.com/inc5000.
“The accomplishment of building one of the fastest-growing companies in the U.S., in light of recent economic roadblocks, cannot be overstated,” says Scott Omelianuk, editor-in-chief of Inc. “Inc. is thrilled to honor the companies that have established themselves through innovation, hard work, and rising to the challenges of today.”
About A-LIGN
A-LIGN is the only all-in-one cybersecurity compliance company with end-to-end-compliance automation software and auditor expertise, trusted by more than 3,300 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider approach as a licensed SOC 1 and SOC 2 Auditor, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HITRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, PCI Qualified Security Assessor Company, and PCI SSC registered Secure Software Assessor Company. Working with small businesses to global enterprises, A-LIGN’s experts and its compliance automation platform, A-SCEND, are transforming the compliance experience.
More about Inc. and the Inc. 5000
Methodology
Companies on the 2022 Inc. 5000 are ranked according to percentage revenue growth from 2018 to 2021. To qualify, companies must have been founded and generating revenue by March 31, 2018. They must be U.S.-based, privately held, for-profit, and independent—not subsidiaries or divisions of other companies—as of December 31, 2021. (Since then, some on the list may have gone public or been acquired.) The minimum revenue required for 2018 is $100,000; the minimum for 2021 is $2 million. As always, Inc. reserves the right to decline applicants for subjective reasons. Growth rates used to determine company rankings were calculated to four decimal places. The top 500 companies on the Inc. 5000 are featured in Inc. magazine’s September issue. The entire Inc. 5000 can be found at https://www.inc.com/inc5000.
About Inc.
The world’s most trusted business-media brand, Inc. offers entrepreneurs the knowledge, tools, connections, and community to build great companies. Its award-winning multiplatform content reaches more than 50 million people each month across a variety of channels including websites, newsletters, social media, podcasts, and print. Its prestigious Inc. 5000 list, produced every year since 1982, analyzes company data to recognize the fastest-growing privately held businesses in the United States. The global recognition that comes with inclusion in the 5000 gives the founders of the best businesses an opportunity to engage with an exclusive community of their peers, and the credibility that helps them drive sales and recruit talent. The associated Inc. 5000 Conference & Gala is part of a highly acclaimed portfolio of bespoke events produced by Inc. For more information, visit www.inc.com.
For more information on the Inc. 5000 Conference & Gala, visit https://conference.inc.com/.
Media Contact:
Danielle Ostrovsky
Hi-Touch PR
410-302-9459
[email protected]
With the cost of cybercrime predicted to hit $10.5 trillion by 2025, many organizations consider enhancing their cybersecurity programs a top priority. One of the most surefire ways to find gaps in protection comes from completing multiple security audits. But with so many potential audits to pursue, it can be difficult to manage multiple workstreams and keep track of varying control elements.
Audit consolidation — or, conducting audits in tandem as a singular annual event — is one way that organizations can maximize efficiency.
Our 2022 Compliance Benchmark Report takes a deeper look into organizations’ views on audit consolidation. We surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their audit programs to gain a better understanding of their organization’s position on minimizing risk and maximizing efficiency.
One of the biggest findings we uncovered during our research is that even though 85% of organizations conduct more than one audit every year, only 15% of the same organizations have consolidated their audits down to a single, annual event.
Frequent audits can be costly and time-consuming, and some industries would highly benefit from audit consolidation. Our survey found that 37% of IT organizations conduct 4-5 audits per year. We also found that 30% of finance organizations and 35% of government organizations conduct 6 or more audits annually.
By consolidating the auditing process, organizations can work more efficiently, freeing up resources to focus on other aspects of the business. But despite these benefits, not all organizations prioritize streamlining their audit programs.
Consolidation efforts vary by industry
Our survey results found an interesting pattern: certain industries tend to consolidate audits more than others. The healthcare industry is particularly savvy when it comes to audit consolidation, with almost a quarter of healthcare organizations (24%) consolidating audits into a single annual event. This is an increase of 6% from last year, pushing the industry from one of the lowest adopters of audit consolidation to the sector with the highest adoption. With healthcare providers seeing a 117% increase in website/IP security alerts due to malware in the past year, it’s not surprising to see a greater emphasis on security audit efficiency.
The professional services industry now has the lowest percentage of audit consolidation, hovering at 8%.
Audit consolidation minimizes stress
The audit process can be exhausting. Many staff members are often forced to step away from their normal daily responsibilities in order to ensure accurate results during an audit, which requires significant time and energy from every party involved. This reduction of working time can hinder the productivity of the organization.
When asked about the greatest challenge of their audit process, organizations’ top responses were:
- Limited staff resources (27%)
- Tedious and manual evidence collection (21%)
- The complexity of multiple audits (16%)
Even with their challenges known, organizations may still struggle to find solutions. A useful tool for assisting consolidation efforts is compliance management software. This software is capable of:
- Deduplicating evidence collection efforts, allowing organizations to upload a piece of information once and use that information across multiple audits.
- Cross-walking, which is the ability to see how close an organization is to completing additional audits based on the work completed for a current audit.
- Centralizing evidence collection, which saves time by uploading evidence before fieldwork with one-click batch processing.
Automation tools and audit consolidation can help minimize internal disruptions, along with eliminating redundancies and identifying gaps in coverage.
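The deduplication and cross-walking capabilities described above can be illustrated with a small control crosswalk: evidence uploaded for one audit is indexed by the common control it satisfies, and that index is then used to estimate how much of a second audit is already covered. The following is an added example written for this page; it is not A-SCEND's code or any framework's published crosswalk. The framework names ("FrameworkA", "FrameworkB"), control IDs, common-control labels, and evidence file names are all constructed placeholders.

```python
"""Toy control crosswalk: reuse evidence collected for one audit to estimate
coverage of another. Added illustration only; every framework name, control
ID and artifact below is constructed and stands in for real ones."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed crosswalk: framework -> {control id -> common control it satisfies}.
# Two controls from different frameworks that map to the same common control
# can be evidenced by the same artifact.
CROSSWALK: Dict[str, Dict[str, str]] = {
    "FrameworkA": {
        "A-1": "access-review",
        "A-2": "mfa",
        "A-3": "backup-test",
        "A-4": "vendor-review",
    },
    "FrameworkB": {
        "B-1": "access-review",
        "B-2": "mfa",
        "B-3": "backup-test",
        "B-4": "incident-response-test",
        "B-5": "encryption-at-rest",
    },
}

# Constructed evidence uploads: (audit the item was requested for, control id, artifact).
SAMPLE_UPLOADS: List[Tuple[str, str, str]] = [
    ("FrameworkA", "A-1", "access-review-2022Q1.pdf"),
    ("FrameworkA", "A-2", "mfa-policy-v3.pdf"),
    ("FrameworkA", "A-3", "restore-test-log.txt"),
]


class Coverage(NamedTuple):
    framework: str
    covered: List[str]   # control ids already evidenced via the crosswalk
    missing: List[str]   # control ids that still need evidence
    fraction: float      # covered / total controls in the framework


def satisfied_common_controls(uploads, crosswalk) -> Set[str]:
    """Deduplicate: resolve each upload to the common control it satisfies,
    regardless of which audit it was originally collected for."""
    satisfied: Set[str] = set()
    for framework, control_id, _artifact in uploads:
        try:
            satisfied.add(crosswalk[framework][control_id])
        except KeyError:
            # Reject uploads tagged with a control the crosswalk does not know.
            raise ValueError(f"unknown control {framework}/{control_id}") from None
    return satisfied


def coverage(framework: str, satisfied: Set[str], crosswalk) -> Coverage:
    """Cross-walk: how much of `framework` is covered by already-satisfied controls."""
    controls = crosswalk[framework]
    covered = sorted(cid for cid, common in controls.items() if common in satisfied)
    missing = sorted(cid for cid in controls if cid not in covered)
    fraction = len(covered) / len(controls) if controls else 0.0
    return Coverage(framework, covered, missing, fraction)


def reusable_evidence(uploads, crosswalk, target: str) -> Dict[str, List[str]]:
    """For each control of `target`, the artifacts already on file (from any audit)
    that satisfy it, so they can be attached without re-collecting."""
    by_common: Dict[str, List[str]] = defaultdict(list)
    for framework, control_id, artifact in uploads:
        by_common[crosswalk[framework][control_id]].append(artifact)
    return {cid: by_common[common]
            for cid, common in crosswalk[target].items() if common in by_common}


if __name__ == "__main__":
    satisfied = satisfied_common_controls(SAMPLE_UPLOADS, CROSSWALK)
    for fw in CROSSWALK:
        cov = coverage(fw, satisfied, CROSSWALK)
        print(f"{cov.framework}: {cov.fraction:.0%} covered, missing {cov.missing}")
    print("Reusable for FrameworkB:", reusable_evidence(SAMPLE_UPLOADS, CROSSWALK, "FrameworkB"))
```

With the constructed uploads, three FrameworkA items also satisfy three of the five FrameworkB controls, so the second audit starts at 60% coverage with only B-4 and B-5 left to collect; the same artifacts are attached to both audits rather than uploaded twice.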
Consolidating audits with a Master Audit Plan
The best way to consolidate your audits is by using a master audit plan (MAP). These detailed plans provide an organization with a more effective approach to the auditing process, offering a clear view of scoping, timing, and internal rhythms.
A-LIGN has a systematic and strategic 4-step approach to building MAPs for organizations and helping them complete audit requirements. A-LIGN will:
- Review current practices and define the audit scope
- Create customized timeline recommendations and identify areas of improvement
- Determine and confirm a holistic audit approach
- Deliver an efficient, collaborative, and scalable audit program
Paired alongside A-LIGN’s A-SCEND audit management platform, a MAP can simultaneously consolidate your organization’s audits while also minimizing expenses and improving productivity.
Start building your own MAP
Although organizations usually complete at least one audit per year, there is no limit for the number of audits that can be completed. However, if your organization conducts more than one audit per year, creating and implementing your own MAP is a strategic investment that will save you time and money.
A-LIGN works with organizations throughout the entire audit process. Our team of experts ensures your MAP grows with your business and operates as a living document that is continuously updated to reflect the evolution of your audit process.
Equip your organization with a MAP to efficiently consolidate audits. Contact one of our experts to get started.
CMMC 2.0: Key Updates
There have been several noteworthy updates surrounding the CMMC (Cybersecurity Maturity Model Certification) program since version two — CMMC 2.0 — was released toward the end of 2021.
Below we’ll cover the key changes you need to know if your business processes CUI (controlled unclassified information) or FCI (federal contract information), including the:
- New title of the CMMC accreditation body (CMMC AB)
- Projected timeline for program launch
- Voluntary CMMC assessments status
- Introduction of a new federal cybersecurity framework
The CMMC AB Becomes the Cyber AB
In early June, the CMMC AB officially changed its name to the Cyber AB. According to Cyber AB Director and CEO Matthew Travis, the new moniker was introduced to simplify the AB’s previously lengthy name as well as set the organization up for future growth into other industries.
“I’ve had discussions with representatives of other departments of other sectors of critical infrastructure, and even other countries who are interested in the value that the CMMC model brings,” said Travis.
Since elevated cyber threats have become the new normal, Travis says he believes passing a rigorous CMMC assessment is an effective way to “buy down risk.” The collective cybersecurity experience held by the professionals that make up the CMMC ecosystem could certainly prove beneficial in assessing risk across industries.
No matter the future of the CMMC program, it’s important to note the Cyber AB’s primary mission remains the same as it was under its previous name: to authorize and accredit C3PAOs (CMMC Third-Party Assessment Organizations) that conduct CMMC assessments of companies within the DIB (Defense Industrial Base).
The DFARS Interim Rule and CMMC 2.0 Timeline Update
After the DoD (Department of Defense) released CMMC 1.0 at the beginning of 2020, the department proceeded to publish the DFARS Interim Rule in September of the same year. The rule is essentially a stopgap measure intended to pave the way for CMMC and inform DoD contractors they must report compliance with NIST 800-171.
The DoD then used the public feedback they received on the Interim Rule to restructure the program into CMMC 2.0 in November 2021. When asked about the timeline for CMMC 2.0 rollout, the DoD has frequently said the rulemaking process could take anywhere from 9-24 months, leaving many contractors wondering when requirements will be added to contracts.
However, CMMC Director and DoD Deputy Chief Information Officer for Cybersecurity Stacy Bostjanick recently provided some clarity around the interim final rule and the CMMC 2.0 timeline. She noted the following:
- The current plan is for the DFARS Interim Final Rule update to be released in March 2023 and go into effect after a 60-day comment period.
- This means CMMC 2.0 requirements could begin appearing in DoD solicitations as early as May 2023.
- However, if the Office of Management and Budget (OMB) does not approve the interim rule, these dates will be pushed out by one year and requirements will be present in contracts starting May 2024.
Once CMMC 2.0 is officially implemented, not all contractors will be required to immediately obtain certification to handle CUI. The DoD is going to perform a phased rollout. When CMMC first begins appearing in solicitations, all contractors will have to conduct a self-assessment and provide a positive affirmation of compliance.
During the next phase, solicitations will require either a self-assessment or third-party certification depending on the type of information involved and the associated certification level. While the timing of these phases is to be determined, contractors should not delay in preparing their information systems for CMMC assessment.
CMMC 2.0 Voluntary Assessments
To help incentivize proactiveness in preparing for CMMC 2.0, there will also be a voluntary interim program in which contractors can earn a certification that will be honored when CMMC rulemaking goes into effect.
The voluntary assessment program, which may start as soon as August of this year, will allow companies to contract with an authorized C3PAO with oversight from the DIB Cybersecurity Assessment Center (DIBCAC). Companies that pass a Level 2 assessment — the level most contractors must meet for certification — will receive credit for a high-assurance DIBCAC assessment.
Once CMMC 2.0 becomes an official requirement in 2023 or 2024, the DoD intends to allow these certifications to remain in good stead for an additional three years beyond that date.
A New Cyber Secure DIB framework
Another relevant update that won’t necessarily impact the CMMC certification program but is worth keeping an eye on: Pentagon Cyber Chief David McKeown says there are active discussions around creating a “cyber secure” framework for the DIB.
“As we go forward, we are partnering with the DIB sector coordinating [council] and CISA and trying to work on how we develop a cyber secure DIB framework. We think it will be based on [the] NIST cybersecurity framework,” said McKeown.
Inspired largely by the state of global warfare, the proposed framework would help protect not only sensitive data but also the entire supply chain to minimize widespread damage from a cybersecurity incident.
Start Getting Ready for CMMC Today
Have additional questions about CMMC 2.0 and how to best prepare for implementation? A-LIGN can help. As one of the first candidate C3PAOs and a top assessor of federal compliance, our firm can perform a CMMC Readiness Assessment by evaluating your organization’s security policies, procedures, and processes against the controls published in NIST 800-171.
Contact a CMMC expert at A-LIGN today.
You may have heard that achieving Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) is a complicated and time-consuming undertaking. This is likely based on the experience many cloud service providers (CSPs) have when they dive into FedRAMP headfirst without taking the time to plan and prepare for what is undeniably a rigorous endeavor.
There are some common mistakes and misconceptions that are worth addressing to help your CSP business plan for a less stressful, more efficient path to FedRAMP ATO status. The information in this graphic is based on the assumption that your organization is pursuing agency authorization rather than Joint Authorization Board (JAB) authorization, as this is the route the majority of CSPs take. With that in mind, here are some of the common pitfalls and some suggestions to facilitate the process.
Next Steps
Like virtually all areas of compliance, FedRAMP ATO comes down to having the right people, processes, and technology in place to facilitate transparency, accountability, and efficiency across the entire journey.
Is your organization pursuing FedRAMP Ready and/or a FedRAMP Authorized status? As a top accredited 3PAO for FedRAMP, A-LIGN has the knowledge and skills necessary to perform these security assessments.
Have more questions about the best way to FedRAMP? Contact an A-LIGN Expert Today
How to Minimize the Risk of Healthcare Cyberattacks
From completing assessments to partnering with cybersecurity vendors, or updating internal processes, there are specific actions healthcare organizations should pursue to minimize their risk of a cyberattack.
In this blog, we’ll detail which steps healthcare organizations can take to help bolster their internal defenses.
Focus on strengthening internal resources
Even more important than finding strong partners is creating a strong security structure within your own organization. To do so, begin by appointing a security officer and a privacy officer. The individuals in these roles should develop and document security and privacy policies, standards, and procedures to ensure all personnel are aware of their responsibilities. As can be said for all important guidelines, every employee should have easy access to this information.
An internal security committee composed of stakeholders from all departments across the organization should also be established. By making sure every branch has a representative present, organizations can more easily identify cross-departmental vulnerabilities.
The goal of the committee is to perform a risk assessment and develop controls to mitigate risk to an acceptable level. Some of those controls include:
- Installing endpoint protection on all company devices and servers.
- Implementing media and mobile device policies and encrypting data at rest.
- Enforcing a strong WPA AES-256 encryption policy for all wireless networks.
- Adopting Open Web Application Security Project (OWASP) level security when developing applications and deploying changes. The committee must also ensure that all systems are patched periodically so they continue to operate in line with best practices.
- Installing security information and event management (SIEM) tools to detect and monitor all activities within the network.
- Ensuring the organization has put an Incident Response Plan in place, along with testing the plan on an annual basis.
On a broader level, there are certain actions that all employees at healthcare organizations should take to aid in security efforts. These include completing comprehensive security awareness and HIPAA training on an annual basis, ensuring all of the software they use is up to date, and reading and acknowledging their organization’s Acceptable Use Policy.
Partner with vendors that can mitigate risk during healthcare cyberattacks
In addition to pursuing audits and assessments, healthcare organizations should seek out partnerships with vendors who specialize in cybersecurity services.
While most organizations likely already have a dedicated IT team, they should still maintain a relationship with a breach forensic firm. Not only will a firm help an organization identify and report breaches in a timely manner, but they will also make sure the organization stays in accordance with all of the compliance standards they follow, such as the HIPAA breach notification law.
Additionally, organizations should make sure they have a cyber insurance plan in place. As there is no framework or guideline that can 100% eliminate the possibility of a cyberattack, having an insurance policy will minimize the amount an organization would have to pay if a breach should occur.
Focus on compliance and security assessments
There are several security compliance assessments unique to healthcare organizations that can help ensure information remains private and protected. For organizations that store, process, or transmit electronic protected health information (ePHI), HIPAA compliance is a must. HIPAA is a U.S. law that was enacted to protect sensitive patient data. For organizations that are uncertain whether they are currently HIPAA compliant, a third-party organization like A-LIGN can review the safeguards currently in place and identify areas where the information security program can be enhanced.
The most reliable ways of demonstrating HIPAA compliance are to use the HITRUST CSF to obtain a certification or to use the AICPA Trust Services Criteria to perform a SOC 2 + HIPAA attestation.
Healthcare organizations should also complete an organization-level Enterprise Risk Assessment. This assessment identifies all the critical assets of the organization, determines the threats to those assets, and ranks the risks based on the probability and impact of an asset being compromised. It’s a key step in identifying threats and implementing controls to mitigate risk.
Another great, proactive way to protect data and mitigate risk is to conduct a penetration test. These tests simulate a network attack and illustrate how your organization would respond. It’s a great way to identify gaps in your security infrastructure and fix them before a bad actor takes advantage.
How organizations can act now
Bad actors will continue to consider healthcare cyberattacks a worthy endeavor — especially small and mid-sized providers and their associates. To minimize the risk of healthcare cyberattacks, organizations should look to pursue relevant audits and adhere to compliance standards, partner with organizations who can assist during incidents, and bolster internal resources via key hires or the development of a dedicated security committee.
Ready to dive in? Reach out to A-LIGN to review your HIPAA compliance or complete a HITRUST audit.