When Truveta launched in late 2020, one of the first hires was its CISO Oscar Papel.
“With our vision of saving lives with data comes great responsibility,” said Oscar Papel, chief information security officer and vice president of engineering. “Healthcare data is arguably the most sensitive data there is, so we have the obligation and privilege to treat that data with highest levels of security and privacy. Trust is a core value at Truveta, and we have invested deeply in talent and technology to earn that trust from our health systems, customers – and ultimately, the patients we serve.”
Today, Truveta announced that the deep security and privacy processes, protocols, and controls it has put in place have earned it certification for three International Organization for Standardization (ISO) standards – ISO 27001, ISO 27018, and ISO 27701 – and that it has completed a Type 1 SOC 2 examination.
The team accomplished this arduous task within one short year.
“It was a collaborative effort amongst the team,” said Pradeep Surukanti, director of security and compliance at Truveta. He previously worked at Microsoft for about 16 years (learn more about his personal story in today’s Truvetan Spotlight). “We knew the trust the industry has in these standards, so we were committed to establishing the processes, protocols, and controls needed to obtain them as quickly as possible.”
The team, dedicated to the company and its mission, hunkered down and powered through.
“I am extremely proud of the team,” Papel said. “We lucked into some amazing people who were brought in on this — it all comes back to this mission where we’re really trying to revolutionize this industry and by building this data to help save lives. We’re making very significant changes to an industry that has been hampered by this lack of data.”
He continued: “I couldn’t ask the team to work this hard, yet they chose to work evenings and weekends. … They know what it means for us to achieve this.”
The ISO certifications and the Type 1 SOC 2 examination will make it easier to onboard more health care systems into Truveta’s mission.
ISO 27001 is an internationally recognized standard. Certification signals to organizations and health care systems that an accredited third party has examined Truveta’s information security management system and privacy information management system and determined that they are operating effectively and meet the requirements of the standard.
“We’re dealing with a lot of data. Privacy is central to our story,” Papel said.
Surukanti joined Truveta in December 2020 to build out the digital and physical security systems used to achieve the company’s mission of saving lives with data.
Paramount to this goal, Truveta strived for globally recognized best practices that would signal to health care systems and patients alike that the company not only takes patient data seriously but also ensures trust and confidence that the data is de-identified, secure, and private.
ISO 27001, ISO 27018, and ISO 27701 certifications
ISO 27001 and ISO 27018 are the standards for information security management systems and protection of personally identifiable information in public clouds, respectively. ISO 27018 is an extension to ISO 27001.
There are fewer than 44,500 active ISO 27001 certifications worldwide, according to the global organization and a 2020 survey. This is up from about 39,500 in 2016, according to a 2017 ISO survey.
Furthermore, the ISO 27701 certificate speaks to the company’s privacy controls. This standard is an extension of ISO 27001.
The ISO certifications were performed by an independent and third-party ANSI National Accreditation Board (ANAB) accredited certification body, Schellman & Company, LLC.
The ISO certification is a three-year certification that requires annual surveillance reviews of these controls; however, if there are significant changes to how Truveta grows, the company may expand its ISO audit scope to meet new objectives.
ISO, as of 2019, has 164 members, manages 22,500 international standards, and adds 100 new standards each month. It is an independent, non-governmental organization with a global network of national standards bodies. The not-for-profit is coordinated by a Central Secretariat in Geneva, Switzerland.
The Truveta team, when trying to decide back in late 2020 what certificates would build trust and credibility, decided to go after the ISO certificate because it is a globally accepted best practice valued in technology.
ISO standards help make products compatible with each other; identify safety issues of products and services; and share good ideas and solutions, technical know-how and best management practices.
SOC 2 attestation
The Type 1 SOC 2 examination is an attestation governed by the American Institute of CPAs (AICPA) that states Truveta has a procedure in place to manage patient data and protect that data.
“We’re not done yet,” said Melanie Hundley, Compliance Lead, who joined Truveta in November 2020 to bring extensive audit, risk, and compliance management expertise to fast track the program. Hundley leads a committed and experienced compliance team with participation and support from across the enterprise. “We continue to work tirelessly every day to ensure we are upholding our commitment to trust across every facet of our business.”
SOC 2 defines criteria for managing customer data based on key trust principles, including security. A Type 1 SOC 2 examination acknowledges that the company’s controls are designed to meet these criteria.
Building a security and privacy culture
The controls Surukanti and his team built ensure Truveta safeguards patient data to match its objectives and reflect its business acumen, Hundley said.
“Security and privacy are woven into the fabric of everything we do at Truveta,” said Papel. “It’s our culture.”