Recently the AICPA announced SOC 2+ for HITRUST, which includes the following:
- This SOC 2+ framework is driven by healthcare and the protection of Personal Health Information (PHI)
- It affects organizations that are Business Associates (BAs) of covered entities
- It can be delivered as a SOC 2 + HITRUST Report or as a HITRUST CSF Certification
Additional criteria based on HITRUST Common Security Framework (CSF) Version 7 include:
- Clear Desk and Clear Screen Policy
- Remote Diagnostic and Configuration Port Protection
- Network Connection Control
- Mobile Computing and Communications
- Teleworking
- Contact with Authorities
- Contact with Special Interest Groups
- Addressing Security When Dealing with Customers
- Addressing Security in Third‑party Agreements
- Identification of Applicable Legislation
- Intellectual Property Rights
- Regulation of Cryptographic Controls
- Inventory of Assets
- Ownership of Assets
- Acceptable Use of Assets
- Cabling Security
- Outsourced Software Development
- Control of Technical Vulnerabilities
- Including Information Security in the Business Continuity (BC) Management Process