Why SSAE 18 Should Matter to Your Practice

NetgainHealthcare IT, Performance & Availability

There is no shortage of security and compliance acronyms in today’s IT environment. You know the importance of HIPAA compliance within your practice, but for your service providers, there are also HiTRUST, SAS, SOC, SSAE and PCI standards that regulate how they handle your sensitive data to keep it secure at all times.

When you are evaluating service providers that have access to your sensitive data, it is important to assess their security protocols and review their certifications.

Netgain recently partnered with Lurie, an accounting firm that specializes in security audits, to attain SSAE 18 attestation, one of the most relevant and current security standards for service providers in highly regulated industries.

What is SSAE?

The Statement on Standards for Attestation Engagements 16 (SSAE 16) replaced SAS 70 in June 2011 with audit measures pertinent to service providers, notably those with data centers.

In April 2016, SSAE 16 was updated and clarified with the Statement on Standards for Attestation Engagements (SSAE) No. 18, Attestation Standards: Clarification and Recodification. The new SSAE 18 standard went into effect for any reports dated after May 1, 2017. 

How does SSAE 18 affect my organization?

Most of the changes in SSAE 18 apply to the audit process and the auditor’s documentation. However, the most significant change, subservice vendor management, affects every stakeholder who handles sensitive data.

Not all third-party vendors are subservice organizations. The only relevant vendors are the ones that impact the confidentiality, integrity or security of patient or client data.56

For instance, Microsoft is a subservice provider of Netgain’s. Their Azure platform and service is so ingrained in our cloud delivery that their security protocols will affect our clients.

The new SSAE 18 guidelines require service providers to evaluate the effectiveness of controls in place at their subservice organizations. This evaluation may include:

  1. Periodic phone calls between organizations to discuss changes to operations.
  2. A thorough review of the subservice organization’s SOC report.
  3. Periodic facility visits to evaluate controls.
  4. Review of the subservice organization’s reports to ensure completeness and accuracy.

Overall, the changes in SSAE 18 will provide a more comprehensive level of security for your practice than prior requirements.

Which service providers should be SSAE 18 certified?

Service providers that store or transmit your ePHI or sensitive client data should attest to SSAE 18 standards. In a healthcare practice, for example, this could include your EHR provider, practice management provider, PACS provider, lab partner, application hosting provider, cloud provider or healthcare IT managed services provider. For the security of your practice, you should require that these partners prove attestation to SSAE 18 standards.

What other security questions should I ask my service providers?

While SSAE 18 is the most comprehensive security protocol for service providers, these additional questions can help you choose a partner that values security as much as you do:

  • What internet monitoring protection does your organization provide?
  • How does your organization protect against malware?
  • Does your organization provide email encryption?
  • What is your organization’s disaster recovery plan?
  • What is your organization’s backup protocol?
  • Does your organization provide snapshotting?
  • What kind of application-level security does your organization provide?

Looking for more recommendations? Read about the physical, technical and administrative safeguards to consider for your practice.

The alphabet soup of IT security acronyms can be difficult to unscramble, but the impact these standards have on your practice is significant. Partner with service providers that are intentional about security and invest in attesting to the standards that impact your practice, like SSAE 18.

As you review your list of service providers, do you know what service providers they use to deliver their service? Are these subservice providers putting your sensitive data at risk?