Every once in a while, I learn something interesting from my friends in our marketing department. The other day I learned that when people search the web for information about Service Organization Control 2 (SOC 2), the most common phrase they use is “SOC 2 compliance.”
We were talking about this because in June, Vocera received a favorable SOC 2 Type II report as an outcome of an audit conducted earlier this year focused on our cloud-based applications: Vocera Secure Texting, and Vocera Care Experience.
If your health system stores patient data in the cloud, you are likely well aware of the SOC 2 report, which was developed by the American Institute of Certified Public Accountants (AICPA). Any company or health system storing customer data in the cloud must meet SOC 2 compliance requirements in order to minimize risk and exposure to that data.
The SOC 2 audit report is an extensive list of controls, and as a company, we either meet those controls or we don’t. We must demonstrate compliance with those controls during the audit to earn a favorable report. If someone says they are SOC 2 compliant, it can be taken to mean that they’re compliant with certain parts of the audit, but perhaps not with other parts.
So, for the record: Vocera has earned favorable SOC 2 Type I and now Type II reports. We’re proud of these achievements and will continue to maintain favorable SOC 2 reports for our clinical communication and workflow solutions.
Our SOC 2 report validates our cloud-based applications, but it’s about much more than that.
SOC 2 requires us to demonstrate that we establish and follow strict information security policies and procedures that encompass the security, availability, processing integrity, and confidentiality of customer data. We had to prove, through rigorous evaluation over many months, that our information security measures are in line with today’s cloud requirements.
SOC 2 audits a company as an entity. It audits our corporate infrastructure and the enterprise technology we use. It audits the security controls at our corporate headquarters. It audits our employees, our HR processes for doing background checks, our IT department’s auditing of access controls, our legal department, what we do in our remote sites across the country, and more.
The security of an application is important – and it’s equally important to think about the security controls of the corporation and the people who are building these applications. The SOC 2 report provides a view into what the company thinks about when it’s building technologies for customers.
Hospital leaders should care because a vendor supplying a cloud-based application has access to all their data; we’re hosting their data and building applications that access it. When nurses, doctors, and others use our applications to send secure messages, every one of those messages enters our databases and sits on our server, in the cloud.
Hospitals want to know that our applications are secure within the cloud infrastructure. They also want to see that we demonstrate commitment to the highest levels of security companywide. They want to know that we do background checks and that people who are accessing their database are authorized to do so.
All Vocera solutions are validated by a third party. For our cloud solutions, SOC 2 was the obvious choice – really the only choice – for validation.
We also have more validations in the works:
We’re proud to call the security of Vocera solutions “defense-grade.” The security credentials we’ve earned from the U.S. Army, Department of Defense, and American Institute of Certified Public Accountants are unsurpassed.