Record Retrieval Services for Law Offices

YoCierge Received ISO 27001 and SOC2 Security Certificates: The Importance of These Certifications in Medical Record Retrieval

August, 13, 2021

Many law firms rely on medical record retrieval services to ensure they have easy access to the client records that they need. Anytime you deal with important records, cybersecurity becomes a huge concern. YoCierge recognizes the importance of strong cybersecurity, especially in medical records retrieval. That is why we recently secured competitive cybersecurity certifications.

YoCierge’s New Security Certificates

YoCierge recently completed the process of obtaining ISO 27001 and SOC2 certifications. Each certification requires a high standard of cybersecurity, which law firms will appreciate when using YoCierge’s services.

A Closer Look at ISO 27001 and SOC2

To better understand what the new certifications mean for YoCierge, take a closer look at each, including their requirements and what they mean.

ISO 27001

ISO 27001 is part of the ISO/IEC 27000 family of certifications. It is just one of more than a dozen standards within the family. This particular standard outlines requirements for information security management systems (ISMSs).

There is no requirement for companies to receive this standard. It is fully optional but provides reassurance to clients and customers.

The standard outlines requirements to establish, maintain, implement, and constantly improve the organization’s ISMS. It also features requirements to assess and treat security risks in a way that is adjusted to the organization’s needs.

Essentially, the ISO 27001 standard outlines best practices for organizations to manage information security. Certification requires meeting these standards.

When a company has an ISO 27001 certification, this indicates that they follow the best practices for information security.

SOC2

SOC2 is a completely separate information security certification. The American Institute of CPAs (ICPA) developed SOC2, and it has since become a standard.

SOC2 certification requires organizations to manage customer data with five principles of trust service. These include security, privacy, confidentiality, availability, and processing integrity.

Importantly, SOC2 adapts to each organization. This means that each SOC2 report will be unique to an organization and designed to comply with the various trust principles.

The term SOC2 itself refers to an auditing procedure that confirms an organization is compliant with these principles. By complying with those principles, organizations like YoCierge can ensure that they maintain your privacy, as well as that of the patients whose records you retrieve.

To receive a SOC2, external auditors assess an organization. They evaluate the organization based on the five trust principles. The goal is to confirm that vendors comply with those principles.

Like ISO 27001 certification, SOC2 certification is not a requirement in any field. However, it provides a great deal of peace of mind to clients and anyone who works with the certified organization. This comes via the reassurance that sensitive information remains secure.

The Increased Risk of Cyberattacks Recently

Cyberattacks continue to be a major concern as long as we use digital formats to store information. Recently, the risk of cyberattacks has increased.

One contributor to the rise in cyberattacks is the switch of more people to remote work. In the last year, people have been working from home more often, and this typically comes with a slight reduction in security measures. For example, some protection isn’t possible on a home network even though it is standard on a company network. Or perhaps security measures are just harder and more expensive to implement.

One report from the Association of Certified Fraud Examiners found that 52% of fraud examiners saw a significant increase in cyber fraud. Another 33% saw a slight uptick. In this context, cyber fraud includes ransomware, hacking, and similar efforts.

On top of this, Accenture reports that 68% of leaders believe their businesses have higher cybersecurity risks. RiskBased reports that in just the first half of 2020, 36 billion records were exposed via data breaches.

Electronic Medical Records Have a Higher Risk of Cyberattacks

While all industries have experienced a rise in cybersecurity risks and cyberattacks, this is especially true in the medical field. For example, in 2019 alone, ransomware attacks took about $25 billion from the health care industry. Or within the past three years, 93% of all health care organizations had at least one data breach.

The problem is not limited to companies in health care, though. It also happens to anyone interacting with health care, including electronic medical records.

The digitization of medical records has made it possible for cybercriminals to access the information. In the past, they would have had to go into the offices directly.

Criminals may have varying intentions. Some may want the personal information of patients for identity theft. Others may want to hold information for ransom or benefit financially in another way.

One estimate indicates that stolen health records can sell for as much as 10 times as much as stolen credit card information online.

The Increase in Available Information Makes the Records More Tempting to Criminals

Cybercriminals have been tempted by the availability of electronic medical records since they were first developed. As we continue to store more of the information electronically, they become even more appealing. The type of medical records law firms commonly use can be highly detailed and include numerous categories of sensitive information.

The average person does not necessarily realize how the smallest amount of information can pose a major security threat, including their identity. The government cautioning people not to post images of their vaccination cards is the perfect example of this. The information on it seems innocent enough, but cybercriminals could still use it for nefarious reasons.

Given that just the information on a vaccination card is enough to interest cybercriminals, it is not a stretch to say that they would consider electronic medical records a goldmine.

Exploring Specific Threats

Although there are numerous cybersecurity threats to electronic medical records, some are more of an immediate concern than others.

Encryption blind spots are a real concern. Most organizations rely on encryption, as it is an excellent way to keep sensitive information secure. The issue is that sometimes, encryption creates blind spots by making it impossible for security analytics to monitor databases. It can even prevent those analytics from detecting targeted attacks or breaches. As the use of encryption increases, so does the risk of blind spots caused by this encryption.

Malware is another major category of threat. Malware has become more common over the years, and it is now found in a much wider range of places than used to be the case. Certain types of malware can pull information, including that contained in electronic medical records. This can lead to privacy and HIPAA concerns. There is also the risk of ransomware, where the files or entire system is locked down until a ransom is paid.

Phishing also remains a cybersecurity concern for electronic medical records. Phishing can give criminals access to records they should not have access to. This creates a clear concern for privacy and HIPAA.

To make this point even clearer, consider some ways that cybercriminals may use medical records to their advantage. At the most basic level, they could use the information in the records to more accurately target patients with scams or fraud. They would find enough detail in the records to make their attempts seem legitimate.

They could also use the information to create fake insurance claims. This could potentially let them buy medical equipment then resell it or do the same with prescription drugs. Depending on the level of access, they could also change prescription information, including dosage, destinations, or payment instructions.

How Using a Company With Audited and Certified Information Security Credentials Provides Assurance to a Law Firm

At the most basic level, working with a company with strong cybersecurity certifications provides peace of mind by reducing the risk of a cybersecurity threat. You will not have to worry as much about cybercriminals targeting your law firm or your clients whose records you access.

This is especially important from a legal perspective. After all, you don’t want a cybersecurity threat to occur and your firm to be held responsible for it.

Even if you do not bear the legal blame for cybersecurity issues, you do not want your clients to experience problems caused by them. This could reduce their quality of life and make your job more challenging.

What Choosing a Certified and Audited Company Tells You

If a company chooses to get certified and be regularly audited, such as ISO 27001 and SOC2 certifications, this shows a dedication to security measures.

It lets you know that the company has measures in place to prevent unauthorized people, including cybercriminals, from accessing sensitive information.

It also lets you know that the information you receive in the electronic medical records is accurate. Specifically, you will know that only authorized users modified the information; cybercriminals did not have access.

You will also be confident that your chosen electronic record provider has procedures in place to mitigate the impact of a potential security breach. On top of this, they have already assessed the potential risks of a breach and taken steps to prevent it.

Most importantly, certification and auditing mean that you don’t have to take the word of the medical record retrieval company when it comes to cybersecurity. An independent organization confirmed that they meet the international standard.

Your Business Gets Secure, Accurate Information

The importance of having accurate information in medical records cannot be overlooked. You cannot craft a strong legal argument based on inaccurate information. It could make certain processes or claims invalid.

Even in the best-case scenario, having inaccurate information would hurt the credibility of your legal firm. Clients may not trust you to get accurate information or represent them.

Your Clients Have More Confidence in Your Firm

We already touched on the fact that you have accurate information that will increase your client’s confidence in your firm. They will be reassured that you take processes seriously and pay attention to details. Given the importance of attention to detail in a law firm, this reflects very well on your company.

But this is not the only way that choosing a certified record retrieval service boosts your clients’ confidence in your firm. They will also appreciate the fact that their personal and medical information is at a significantly lower risk than it could be. Savvy clients understand that anytime information is sent electronically, there is an element of risk. They will recognize that by choosing the record retrieval company you use carefully, you reduce this risk. Given their risk of scams or identity theft, this is a very important factor for many clients.

You could even explicitly mention this to clients. You could use it as an example of how your company protects their interests overall, not just for the process or claim they hired you for.

Multiple Certifications Is Even Better

While choosing a company with a single certification is great, choosing one with multiple certifications is even better. That is because although the ISO 27001 and SOC2 certifications overlap, they also have a fair number of differences. This means that a company with both certifications has a more robust cybersecurity system in place and is better equipped to avoid cyber threats.

Overall, the ISO 27001 certification process has more rigid requirements that are the same across organizations, while the SOC2 certification process adapts more to the needs of the organization. This combination provides reassurance that a company follows the overarching best practices but also implements procedures that are specific to the organization’s needs.

The fact that ISO 27001 and SOC2 certifications require audits by different sets of professionals should also give you peace of mind. Only an ISO 27001-accredited certification body can complete the certification for the ISO 27001 standard. On the other end, only a licensed CPA can complete the SOC2 certification. This means that at least two professionals have audited a company with the two certifications. More importantly, those professionals have slightly different perspectives due to their backgrounds.

The Bottom Line

YoCierge is proud to receive our ISO 27001 and SOC2 certifications. Our new certifications should provide law firms with peace of mind when working with us.

Sources: