HIE CyncHealth Beefs Up Cybersecurity With SOC 2, HITRUST Certifications
CyncHealth, the designated health information exchange (HIE) for Nebraska and Iowa, announced a milestone in its cloud platform security with the achievement of System and Organization Controls (SOC) 2 Type 2 Certification. Earlier this year, CyncHealth announced the achievement of its HITRUST Certification.
The internal controls were created by the American Institute of Certified Public Accountants (AICPA) and are designed to assess and prevent risk. Completing this certification better protects health information for the more than 5 million individuals and families across Nebraska and Iowa, CyncHealth said.
Jaime Bland, CEO of CyncHealth, says, “By adding SOC 2 to our growing list of data certifications, we’re demonstrating our commitment to safeguard and protect the data Nebraskans and Iowans entrust with us every day. As we continue to evolve and tackle new challenges, we’re prepared and dedicated to providing value for our communities.”
Omaha-based CyncHealth noted that cybersecurity breaches have hit an all-time high. From 2021 to 2022, cybersecurity attacks increased by 69 percent in the healthcare sector. Cyberattacks, data breaches and information leaks occurring in healthcare systems nationwide are exposing a record number of patients’ protected health information. This directly impacts the delivery of healthcare and patient access to healthcare services as well as the cost or billing of those services. For example, an individual may be billed for services not received, delayed in receiving care for necessary healthcare services or suffer poor health outcomes due to missing information.
“With the advancements of technology, cybersecurity incidents will continue to rise, but so will our technological defenses and collective ability to protect sensitive data,” said Robert Wagner, Chief Information Security Officer of CyncHealth, in a statement. “SOC 2 certification is a piece of that puzzle and we’re proud to demonstrate to public partners and participants that CyncHealth continues to meet and exceed complex privacy standards for data protection and information security.”
CyncHealth’s status of being HITRUST certified came after nearly two years of work by staff towards meeting the requirements to better serve the people, healthcare systems and other regional organizations whom CyncHealth is connected to. CyncHealth’s certification portfolio also includes:
- CMS Quasi-Qualified Entity
- CMS Qualified Registry
- CMS Qualified Clinical Data Registry
- NCQA Validated Data Stream
- NCQA Certified Data Partner
- Medicaid Enterprise System (MES) Certification
In a recent interview with Healthcare Innovation, Bland said that CyncHealth has started using the phrase “health data utility” to explain its services. She said that because Nebraska is one of the only states using a public/private partnership for electrical services, “we really started to make parallels when talking to legislators about the concept of a public/private partnership utility. Just like we need the same type of power resources across urban and rural, we need the same data to be available across sectors and across urban and rural environments. The alignment made a lot of sense, especially from a policy perspective.”
CyncHealth tries to understand what the health utility service needs are at the point of consumption, Bland said. From a provider's perspective, the data needs change, whether it’s for a payer, a primary care provider, ED physician or a nurse practitioner out in rural Nebraska. For instance, event notifications are needed by all of those different stakeholders, but the form and delivery mechanism may be different.
“With event notifications, we will deliver anything from workflow integration via APIs to a flat file or Excel document so they can manage their population,” Bland said. “I think it's the scale and right-sizing of the interoperability that has contributed to our growth, and this concept of utility has really been something tangible for people to understand better than the HIE because it's really not an exchange of information, right? You share your data, and we take all the other shares and package it back to you in a way that is consumable for you. So that's where the utility concept really took off for us.”