Data breaches have become so common, there’s a Wikipedia page devoted to cataloging them – to date, more than 300 breaches are listed. Types of industries affected include hospitality, travel, internet service providers, banking, social media, retail, and of course, healthcare, among others. The massive Equifax breach announced in September 2017 led the Federal Trade Commission to create a tool to help consumers easily determine whether their data had been compromised, and thousands have filed claims hoping for compensation connected to this breach.
Earlier this year, the French government went as far as fining Google $57 million for failing to properly disclose to users how data is collected via its services. Europe’s GDPR takes a strong stance with respect to data privacy and protection, and California’s CCPA, set to go into effect in January 2020, represents the United States’ first and most robust attempt at keeping consumer data safe. Until laws around data privacy are in full force nationwide, it’s up to individual companies to do as much as possible to keep data secure – particularly when it comes to information about personal health. Along with healthcare providers, pharmaceutical companies simply can’t afford to wait for state or national data-privacy laws to be passed; they need to independently ensure their customers’ health information is safe, NOW.
At Intouch, we’ve always taken data privacy and security very seriously, and recently we took yet another step to make our clients’ – and their customers’ – data even more secure. After a rigorous third-party audit that evaluated a year’s worth of our data-security practices, Intouch was granted SOC 2 Type 2 certification. Intouch’s audit was conducted by independent cybersecurity and compliance firm A-LIGN; the period evaluated was from July 1, 2018, through June 30, 2019. We’re proud to say we are among the first pharmaceutical advertising agency networks to achieve such a designation.
What’s SOC 2 Type 2 Certification, and Why Does It Matter?
SOC 2 stands for system and organization controls. Developed by the American Institute of CPAs (AICPA), it defines criteria for managing customer data based on five “trust service principles”:
- Security: Are system resources protected against unauthorized access?
- Availability: What is the accessibility of the system, products or services as stipulated by a contract or service level agreement?
- Processing integrity: Does the system achieve its purpose?
- Confidentiality: Are access and disclosure restricted to a specified set of persons or organizations?
- Privacy: Does the system’s collection, use, retention, disclosure and disposal of personal information conform with the organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles?
HIPAA and HITECH, Too
Intouch also earned an independently verified HIPAA/HITECH compliance attestation. HITECH stands for the Health Information Technology for Economic and Clinical Health Act. Earning a HIPAA/HITECH attestation requires that Intouch has in place – and reviews annually — policies and procedures that define guidelines for the health information security program related to scope of services, which includes implementing and managing logical access security and controls, including:
- Health information security policy
- Asset management
- Data classification
- Business continuity
- Incident management
- Access control
- Physical security
As more and more data is generated, tracked, and transferred to the cloud — and as hackers get better at breaching systems — effectively securing data is an imperative, not an option. Pharmaceutical companies who aren’t scrutinizing their vendors/partners’ data security practices run the risk of putting the safety of their customers’ data in jeopardy.
“This is so much more than simply mitigating risk for our clients or for Intouch,” said Intouch CEO Faruk Capan. “Voluntarily going through this level of rigor may seem unusual for a pharmaceutical advertising network, but it demonstrates our sincere commitment to protecting our clients’ confidential customer data, including protected health information.”
Intouch’s SOC 2 Type 2 certification and HIPAA/HITECH attestation extend to Intouch Group and its six network affiliates, including Intouch Solutions, Intouch Proto, Intouch Media, Intouch International, Intouch Analytics and Intouch B2D. If you’d like to learn more about data security or the audit process, reach out to your account team today, or email email@example.com