The Real HIPAA / SOC2 Playbook
When I first embarked on this work at Bodport, I remember being so annoyed by everything out there. In the pre-GPT era, the internet was flooded with auditors writing HIPAA/SOC2 playbooks that were nothing but a regurgitation of the existing standards. Informative, but vague.
So if any of these sound like your situation, please continue:
- You're a founder / tech lead / engineer and you're also tasked with being the company's security or compliance officer
- HIPAA / SOC2 and security are core to your business and you can't outsource it (most tech companies fall into this).
Why I Rolled It Out
There are lots of players in the space, and many of them are good, but I think a lot of them exist because they can capitalize on the relatively small number of CISOs who will work with startups and still be cost-minded.
- Drata
- Vanta
- A-Lign
- SecureFrame
From a security perspective, many of these services can give you a leg up, and there's never one right way to do things. But I think security-conscious organizations whose reputations are on the line with customers get the best mileage out of deeply understanding the standards and practices that come with SOC2 and HIPAA.
That's why I wrote this guide. At the end of the day, regardless of what service or middleman you use, a security officer (typically a CISO, VP, or CEO/CTO) is ultimately responsible. The more your team internalizes the policies, the more you actually have a security-minded organization.
Review the Standards
It's always good to review the actual source documentation. Honestly, it's pretty onerous and sometimes not very clear. The following are the most succinct resources I've found.
- Best link for SOC2 (pay attention to the table at the end): https://www-assets.kolide.com/assets/marketing/documents/soc2-79f11e025b40c01566c1007ed1d5fe026aa92b6d.pdf
- Best link for HIPAA: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Operational Notes about SOC2
Very clearly, this is what you should expect:
- A detailed report that outlines every policy you state against what the auditor observed in your development processes and stack.
- Your goal is to have 0 findings. 0 findings means that your policies match your practice perfectly. Sometimes certain standards can be waived because they don't apply, but the report will detail this. A single minor finding isn't a huge deal, but a lot of them will be.
- Your first report covers the 3 months before the audit occurs. In those 3 months, a number of different activities should have taken place. This is called the monitoring period.
- Your subsequent audits will encompass the entire year. Yes, SOC2 is a yearly audit. Choose your auditor wisely.
- Plan your audit in advance, and find an auditor as soon as possible. You might not need to do anything with them yet, but you do need to block off their time so you know who the auditor is.
- Audits change over time. From year to year, the auditor (if they're the same) will target different areas. The idea is growth over time, and the intention is simply to improve your security posture.
- Plan your penetration testing in advance. Again, this is about scheduling and having sufficient time to execute the remediation activities required by the findings of the penetration test.
Plan Your Dates and Scope
A lot of this will come with engaging an auditor, and some of them might sell this as part of their service (sometimes this is called preparation, pre-audit, or scoping).
- Make a system architecture diagram of your system and highlight all the blocks that interact with patients or customers, or might handle confidential or mission-critical data. Everything you highlight is now fair game (something like WordPress obviously isn't).
- Now map out who has access to those systems or processes. That is your mission-critical people map: these people need extra training, and you need to track them appropriately in your systems (like JIRA or Zendesk, etc.).
- Set a date for yourself for when you need the audit and certification in hand. This can be driven by some business requirement or a need expressed by a customer.
- Now backtrack by about a month (how long it takes to draft the report after your audit). That's when your audit should be.
- Now track back 6 months, and that's when you need to start observing and implementing policies. Even though your monitoring period is 3 months, you want to allow ample time for your team to actually adopt the policies and internalize them.
Research & Tooling
Technical landscapes can be tricky, especially now in the AI boom. Depending on how much leeway you have here, this is what I recommend for the fastest implementation. In choosing your tools going forward, always look for a BAA, especially if the tool relates to anything in your system architecture document. If they don't say anything about one, email their sales team.
- Use Aptible or Heroku Shield. As of this writing, EBS isn't supported by a BAA, and AWS itself requires a lot of custom network setup that you honestly don't want to deal with early on.
- Use Vanta. Here's where it helps:
- Monitoring agent + Macs means no requirement for endpoint security (antivirus)
- Regular notifications for policy reviews
- Handles security training for the team
- Plugs into Heroku Shield to automatically monitor the configuration. If you use Aptible, you're still generally covered.
- Pre-baked policies that you can modify and approve.
- Asset management that will actively scan your machines and servers and notify you of exceptions.
- Hooks into all your HR and communication settings
- They have a shortlist of auditors they work with who are set up to work from Vanta. You also snag a nice discount for going with one of those auditors. When you're talking to auditors, bring up the fact that you use Vanta.
- Use Jamf, or something like it. You need to be able to remotely manage laptops and mobile devices. The ability to remote wipe, manage software, and enforce policies is a huge part of SOC2 and HIPAA.
- Use LastPass Enterprise and require everyone in the company to use it over Chrome or Keychain. It gives you centralized password management, which is another big area in SOC2.
Policies and Training
- Through Vanta, have everyone go through security training. Make sure there's some way to test people at the end for completion, and log the training date. Set this in your calendar and make it a yearly thing.
- For your devs, have them go through some sort of secure programming training. Also make this a yearly thing.
- Go through the Vanta policies and start trimming and customizing them. Review them with your team on a weekly basis (3 or 4 at a time to keep it manageable), and trim anything extra, because it can and will be held against you in an audit. If something doesn't work the way the policy says, change it now. Accept the policies in Vanta. Pay special attention to how passwords and access are granted, because in your early audits they're bigger deals. Train people as needed for confidentiality (set a calendar reminder, because this is annual too).
- Start writing your playbooks. You might write them in Vanta, or you might keep them somewhere separate. These playbooks should be as detailed as necessary for the people executing them. Review them with your team, and set a calendar reminder to review them annually. Most importantly, set a date to dry run them. Here's the key stuff by category (feel free to use GPT to draft these):
- Disaster Recovery
- Business Continuity
- Cybersecurity
- Phishing
- Denial of Service
- Admin Password Leak
Start Fetching Your Agreements
Run this part in parallel with everything else.
- Remember that system diagram? Time to start mapping all the systems that get touched and getting BAAs in place, or opting into their enterprise plans that can actually provide a SOC report.
- Get ready to pay a couple thousand more a month just for an additional document. Sometimes sites have them already, so pull them down and store them in Vanta. Read these agreements, because sometimes they have technical implementations that are required as part of the agreement.
- This part can be time-consuming depending on how much authorization you have to sign and adjust budget.
Check Your Development Processes
This part can take some time and require some development in your product. In many cases, you need to set up regular reviews to ensure that these activities are happening. For all your meetings, keep the notes from that meeting, who attended, and detail to the best of your ability what work was actually completed or reviewed. This will go a long way if questions arise from your audit.
- Ensure you have MFA set up for your customers.
- Ensure your password policies match the requirements. If rotation is a part of your policy, set a recurring calendar event.
- Ensure keys for services are rotated on a schedule, with documentation of who did it and when they did it. Set a calendar event to review this.
- Ensure all access requests are thoroughly documented: who is requesting, who is authorizing, and when access is given and revoked. This is a huge area. Set a calendar event to review this periodically.
- Ensure there's no opportunity to see another group's data in a multi-tenant environment.
- Ensure your policies are clearly visible and accessible somewhere (privacy, etc.).
- Ensure your development and release processes are being followed. This means how commits get to main, and ensuring hotfix releases are labeled as such. This is a big area. Set a calendar event to review this periodically.
- Make sure you don't have any hard-coded keys in your system.
- Ensure you have set checkboxes for your PRs to make sure features were tested and were checked for security gaps. This is huge. Make sure your documentation is in place. Set a calendar event to review this periodically.
- If people leave or are fired, ensure that access is revoked in accordance with the policy. This is huge. Set a calendar reminder to review this and other access periodically.
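The periodic reviews of key rotation, access-request documentation and off-boarding above are easy to script against whatever evidence you keep. The following is an added example, not code from the original post or from Vanta: it runs three checks over constructed sample records (the grant rows, departure dates, rotation log, 90-day rotation window and 1-day revocation window are all assumptions) and returns what a reviewer would need to chase before the auditor does.

```python
from datetime import date

AS_OF = date(2023, 8, 1)  # constructed review date

# Constructed evidence (not real data): one row per access grant.
ACCESS_GRANTS = [
    {"user": "alice", "system": "prod-db", "requested_by": "alice",
     "approved_by": "cto", "granted": date(2023, 1, 10), "revoked": None},
    {"user": "bob", "system": "heroku", "requested_by": "bob",
     "approved_by": "", "granted": date(2023, 2, 1), "revoked": None},
    {"user": "carol", "system": "prod-db", "requested_by": "carol",
     "approved_by": "cto", "granted": date(2023, 3, 5), "revoked": None},
]
OFFBOARDED = {"carol": date(2023, 6, 30)}  # constructed departure dates
KEY_ROTATIONS = [  # constructed: (service, rotated on, rotated by)
    ("stripe", date(2023, 6, 1), "alice"),
    ("sendgrid", date(2023, 1, 15), "bob"),
    ("twilio", date(2023, 7, 1), ""),
]

def undocumented_grants(grants):
    """Grants with no named requester or approver: the 'who' is missing."""
    return [(g["user"], g["system"]) for g in grants
            if not g["requested_by"] or not g["approved_by"]]

def overdue_revocations(grants, offboarded, as_of, max_days=1):
    """Access still open more than max_days after the user left (assumed policy)."""
    out = []
    for g in grants:
        left = offboarded.get(g["user"])
        if left and g["revoked"] is None and (as_of - left).days > max_days:
            out.append((g["user"], g["system"], (as_of - left).days))
    return out

def overdue_rotations(rotations, as_of, max_days=90):
    """Services whose newest rotation is older than max_days or has no operator."""
    latest = {}
    for service, when, who in rotations:
        if service not in latest or when > latest[service][0]:
            latest[service] = (when, who)
    return sorted(s for s, (when, who) in latest.items()
                  if (as_of - when).days > max_days or not who)

if __name__ == "__main__":
    print("grants missing requester/approver:", undocumented_grants(ACCESS_GRANTS))
    print("access still open after departure:", overdue_revocations(ACCESS_GRANTS, OFFBOARDED, AS_OF))
    print("keys overdue or undocumented:", overdue_rotations(KEY_ROTATIONS, AS_OF))
```

Export the same three lists at each calendar-driven review and attach them to the meeting notes; an empty list is the evidence the auditor is looking for.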
Choose Your Vendors
Run this in parallel with everything else.
- Select an auditor. This will be about $10k, to an upper bound of $20k, but choose someone your customers will respect. You'll likely use this auditor year over year, and you'll need to develop a relationship with them.
- Select someone to do your penetration testing. There are actually individuals out there who specialize in startups and probably have experience with YC. This can range in price between $5k and $15k.
- Once you have a penetration tester, conduct the test ASAP (set up a dev environment, etc.).
- When you get your list of remediations from the penetration tester, they'll also have a list of fixes they recommend.
- Make the fixes ASAP, then reach back out to your pen tester for a retest. Oftentimes this should be free or part of the original package.
The Audit
So now you've done everything above and all your material is ready to go. Now what? Here's what typically happens:
- Your auditor will review your documentation in Vanta for the audit period; again, that's 3 months or a year.
- Your auditor will reach out online with additional documentation requirements. This can be meeting notes, screenshots, emails, evidence of conversations, or more. The list can be lengthy depending on how much of Vanta you leveraged, so be sure to block off at least a week or 2.
- Once everything is reviewed, your auditor will schedule a 1 or 2 week in-depth review where they'll ask to see things live. This may be them reviewing account access. Maybe this is reviewing code. Sometimes this can be reviewing access logs in a 3rd-party service. Again, anything in your system diagram, and anyone or any platform it touches, is fair game.
- Once that's completed, it'll take anywhere between 2 weeks and a month to complete the report documentation. They can fast-track it if you need them to, but try not to be a jerk about it. These reports, while straightforward, do take time, and they have a review process of their own. They'll share a copy with you when it's close to finished, sometimes asking for remaining items.
- Once you receive your report, you need to start preparing for your next audit. Your auditor will likely have a list of things that weren't strictly findings but are key recommendations for remediation. These will likely come up again next time.
And that's it!
In a year, you'll have to do the same again. Here are some key notes:
- Make sure you're documenting throughout the year and monitoring your processes and customer/user access. This is now part of your job until you hire someone into it. You'll have to review your policies every year, conduct annual risk assessments, and make sure all the documentation is in place.
- Remediate as much as you can, as early as you can. Don't wait until the last minute to remediate something, because besides it being a security risk, the auditors will ask you why it took so long to actually resolve it, and that's never an easy question to answer.
- As you do more audits, you can basically expect to lose about a month to the process. Sometimes less, sometimes more.
- You can just pay for a SOC2 to HIPAA requirements mapping. In some ways, SOC2 is more specific and more prescriptive than HIPAA.