How to Judge Security Level of Wearables Data?
Using wearables and mobile devices at work is becoming more common these days. However, managing the growing army of BYOD (bring your own device) hardware raises security issues, so business owners need to deploy a mobile device management (MDM) provider. Is there any way to judge how secure that provider's data management actually is? One thing to look for is compliance with Statement on Standards for Attestation Engagements (SSAE) No. 16. The certification is awarded to organizations after a thorough assessment by auditors from the American Institute of Certified Public Accountants, and it attests that the certified company is committed to the highest level of data security.
Here are some recent links on the subject.
HIStalk, healthcare IT's go-to site for news, rumors, and opinion since 2003, provides this post:
Health Data Security – Who Do You Trust?
By Jeff Thomas, MS, CISSP November 16, 2015
Naturally vendors are going to tell you that your data is safe with them. That’s what you want. But how can you tell if they are telling you the truth or not? Is there some “truthiness” going on? How can you tell those that are competent from those that are not?
… An important tool to get an insider’s view is a third-party audit report. Has your potential vendor had their data security procedures audited?
Everyone claims to be “HIPAA compliant.” But that gives you no real assurance that your vendor truly knows data security. Let’s look at one of the most widely-used and rigorous audits available, the SOC 2 Type II.
The SOC (Service Organization Controls) series of reports are governed by the American Institute of Certified Public Accountants (AICPA). These reports are designed to build trust and confidence between services organizations that operate information systems and their customers by having their service delivery processes evaluated by an independent auditing organization.
The SOC 2 is relevant for companies handling sensitive data as it reviews controls related to AICPA’s trust principles for Security, Availability, Processing Integrity, Confidentiality, and Privacy. (Controls may range from being technical in nature to manual processes.) If those areas are of interest to you when choosing a vendor, reviewing their report is something you will likely wish to do.
Once you have the report, what should you look for? First, there will be a summary, in which the auditor will summarize the engagement to include information about the scope of the engagement, as well as their opinion of the controls audited. This is a good place to see if there are any overall concerns.
Read the full story HERE
The most popular storage services (Dropbox, Google Drive, Box) undergo regular SSAE 16 SOC audits, which generate SOC 2 Type II reports. As an example, here is Google's announcement:
Google Cloud Platform provides support for HIPAA Covered Entities
February 5, 2014
When you’re building a healthcare-related application, not only do you need the right code and a reliable user experience, sometimes it feels like you need to be a lawyer too. Often, there are several additional steps to take into consideration. In particular, some healthcare-related applications and services in the United States are required to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. HIPAA establishes standards around privacy, security, and breach notification to protect individually identifiable health information. When building in the cloud, it can be challenging to ensure that you’re complying with these regulations.
… SOC2, SSAE 16 & ISAE 3402: Companies use the SOC2, SSAE 16 Type II audit, and its international counterpart ISAE 3402 Type II audit, to document and verify the data protections in place for their services. We’ve successfully completed these audits for Google Apps every year since 2008 (when the audits were known by their previous incarnation, SAS 70) and we did so again last year for Google Apps and Google Cloud Platform.
HIPAA: Late last year, we started entering into BAAs to allow Google Apps customers to support HIPAA regulated data. This year we have begun entering into BAAs with our Google Cloud Platform customers.
READ THE FULL POST HERE
A very detailed explanation is here:
Service Organization Controls (SOC) Reports for Service Organizations
Service Organization Controls (SOC) reports are designed to help service organizations (organizations that operate information systems and provide information system services to other entities) build trust and confidence in their service delivery processes and controls through a report by an independent Certified Public Accountant. Each type of SOC report is designed to help service organizations meet specific user needs:
SOC 1® Report – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting (SSAE 16)
Type 2 - report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period.
Type 1 – report on the fairness of the presentation of management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
SOC 2® Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy
READ FULL TEXT HERE