An in-depth look at our business case for SOC 2® compliance.
The risks of mishandling user data are increasing constantly. Cyberthreats are growing in sophistication and prevalence every year, and international regulatory bodies are demanding more stringent controls to ensure sensitive information is transmitted, stored, and leveraged in a manner that prevents it from being lost, leaked, adulterated, or misused. As part of our commitment to data security, in 2022, Heartbeat Health obtained SOC 2® certification, a standard developed by the American Institute of CPAs and one of the most respected and comprehensive security frameworks today. It verifies that our digital security practices are consistent, auditable, repeatable, and in line with the most rigorous standards for protecting data. Heartbeat is growing quickly and we are helping some of the largest healthcare companies reduce their spend on cardiac care while improving outcomes — but we are equally aware that the trust of our partners and patients is dependent upon systematically protecting their data.
The decision that everyone puts off
We take our users’ clinical data seriously. At Heartbeat, we already adhere to the Health Insurance Portability and Accountability Act (HIPAA), developed by the U.S. Department of Health and Human Services (HHS) to protect the security and privacy of health information, in addition to the many other regulatory requirements associated with virtual-first clinical care. Most certifications and security frameworks have overlapping controls, so we began SOC 2® certification with the assumption that we would not need to start the process from scratch. A common misconception is that teams should wait, or that they need to reach a certain size, before taking on the certification process because of the time commitment. The truth is that it is easier to start formalizing your compliance approach as soon as your product roadmap has stabilized and before going into a growth phase. Furthermore, the process changes necessary to support a new level of compliance are easier to roll out when a team is smaller.
We’ll trust you after you fill out this survey
With so many embarrassing and damaging data breaches making headlines these days, users and organizations of all types are justifiably concerned about the safety of their data. They need good evidence that they are entrusting it to parties that will safeguard it appropriately. The standard process for new payer and digital health clients involves completing a survey describing the compliance program and security safeguards that are in place, which provides assurance that customer data will be well managed. These questionnaires are time consuming and can require a bit of back and forth until both security teams are aligned on risk. To short-circuit this process, we have found that most of the questions and concerns in a risk survey are covered by our SOC 2® Type 2 report. We still get questionnaires from prospective clients, but the report helps move the conversation forward to focus on scope and terms instead of getting held up in a security review. This can save weeks to months on a sales process, which should help prove the case that it’s wise to make this investment in security as early as possible!
Compliance is a team sport
Many of the members of our leadership team, as well as many of our engineers and contractors, come from a health care tech background and have deep experience achieving certifications and working in a heavily regulated environment. In addition to leveraging the crosswalk of best practices from HIPAA, we were able to rely on the fact that many of the expected controls were already designed into our platform and that we had existing processes in place that would meet control guidelines. We also enlisted the help of a contracted Chief Information Security Officer, a compliance platform, and an audit partner. Vanta is a software service that helps automate and manage compliance for a number of different certifications. It connects to our cloud providers, project management, human resource systems, and other workflow tools. Whether you already meet a control or have a gap, a platform like Vanta rapidly identifies issues in need of remediation. Helping internal teams understand the importance of compliance brings security to the forefront and asks everyone to do their part.
Risk mitigation and security at Heartbeat
Recently, cybercriminals announced they had successfully breached both Microsoft and Okta, a widely used identity management platform that helps organizations prevent unauthorized access by digital intruders. Heartbeat was well prepared to respond to these hacks thanks to our ability to track and document issues as they were announced. With the processes that support our SOC 2® controls already in place, we were protected from these public attacks by having followed best practices. As a growing company that relies on third party vendors to support technical and operational work, having plans for disaster recovery, along with proactive steps to mitigate risk such as multi-factor authentication and limiting access, is absolutely essential. Ensuring that every vendor is well vetted is another important practice that SOC 2® helps enforce. No company is safe from a breach or hack, as threats can come from anywhere and are constantly evolving. However, having steps documented and tested in preparation for these types of events helps manage risks proactively and limits the impact of exposure to a security incident.
Development process and velocity
We are proud of the work that we do at Heartbeat and the platform that we have built to care for our patients. Enterprise companies put a lot of trust in us, and hitting this milestone is a testament to the diligence and care that we put into building our software and operational processes. Achieving SOC 2® certification is just a starting point. Renewing our certification is a recurring exercise and an opportunity to build on a strong foundation for risk management and data security. We were also mindful not to slow our product or development velocity by introducing new policies and requirements for our teams too quickly, and we counter that prospect by focusing on automation wherever possible. We brought in third party security firms to test our security, prove that our system is resilient, and remove avoidable bias from the process of penetration and vulnerability testing. The added assurances that we implemented during our last audit period are now baked into the development process. Our teams are more productive and save time during architectural planning because the risks are managed.
We are already well into our next audit period, expanding our compliance programs, and continuing to raise the bar. The valuable and sensitive digital assets we are entrusted with are always at great peril because the risks of a cyberattack or other data disaster are sadly more elevated than ever before — which is why we pledge to continually invest in transparently building and deploying security programs that meet and exceed industry standards and keep our data where it belongs: in the hands of patients and providers to enable a new generation of digital healthcare.