SilverCloud Health completes SOC 2 + HITRUST security examination

Twitter-soc2

Author: David O’Callaghan, Chief Information Security Officer at SilverCloud Health

SilverCloud has successfully completed a SOC 2 + HITRUST examination of our SilverCloud Digital Mental Health Platform, which demonstrates our on-going commitment to security, confidentiality and availability.

SilverCloud understands the importance of protecting our clients’ sensitive health and wellbeing data and we are proud to announce this independent assessment.

From the start, we have built the SilverCloud platform with security and privacy in mind: from the hosting providers and underlying software framework to the design of the platform itself.

External validation of our security has also been critical in building trust with our customers and embedding continuous improvement in our information security practices. Since 2013 we have held the internationally recognized ISO 27001 certification, and we regularly work with consultants and security testers to ensure our systems remain secure. Our SOC 2 + HITRUST report is the next step in this process.

Performed by trusted Certified Public Accountant (CPA) firms, SOC 2 is the most widely accepted form of security assessment report for cloud service organizations like SilverCloud globally. HITRUST CSF is the leading security framework aligned with the specific requirements of the healthcare sector.

Formally, we have obtained a Type 2 Independent Service Auditor’s Report on Controls Relevant to Security, Availability, and Confidentiality and the HITRUST CSF Criteria from Schellman. So, what does this mean?

First, we opted for a “Type 2” report which examines the suitability of the design and operating effectiveness of controls over a period of time (August-December 2020 for our report) to provide more than just a review of policies or a point-in-time snapshot.

We were evaluated against the SOC 2 trust services categories of security, availability and confidentiality. In summary, the criteria are:

Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect our ability to meet our objectives.

Availability – Information and systems are available for operation and use

Confidentiality – Confidential information is protected

We also included the 75 HITRUST Security controls required for HITRUST certification. The examination gives us and our customers an objective assessment of the suitability and effectiveness of our controls. While not equivalent to achieving HITRUST certification, it does provide the auditor’s formal opinion on the HITRUST Security controls required for certification. This article from our auditor provides a good comparison: Which Way Do You Go? HITRUST Certification vs. SOC 2+HITRUST.

Finally, this achievement needed information and effort from across the business, including information security, engineering, HR and the leadership team, and would not have been possible without this collaboration and high-level support.

Customers and partners may request our restricted-use SOC 2 + HITRUST report by contacting us at security-team@silvercloudhealth.com

About the author

David O’Callaghan is Chief Information Security Officer at SilverCloud Health. David received his PhD in Computer Science from Trinity College Dublin in 2007. In SilverCloud he is responsible for information security and data protection across the business.