If you’re like many Omada staff, that news likely inspires two immediate questions:
What exactly is that?
Why does it matter?
Outside of security professionals, the acronym SOC 2 may not be well known. But within my world, it is the gold standard for verifying that a system which stores and transfers sensitive data is prepared to protect it. A SOC 2 report means an independent auditor has examined our security controls against a rigid set of criteria. While most digital health providers have resisted having their systems reviewed against such stringent standards, we believe the industry should demand it of all providers to ensure the protection of sensitive Protected Health Information (PHI).
As part of the audit, the Omada team had the option of being assessed on one, some, or all five of the SOC 2 trust service principles: security, availability, processing integrity, confidentiality, and privacy. In our case, we chose to have our system audited by an independent third party on all five principles, and the audit found that our controls met the criteria for all five. Coupled with the HITRUST CSF certification we achieved last year, Omada has now set a standard for data security unmatched by any other company in our space. While other digital health companies have achieved the healthcare-specific HITRUST certification, we could not locate any other digital health provider that has completed both of these complementary assessments.
Our commitment to the highest levels of data security and privacy is part of our drive to continue leading the way among the new batch of cutting-edge digital healthcare providers. So why force ourselves to a standard none of our competitors have yet tried to meet? Two reasons.
First, SOC 2 is the report most large companies outside of digital health rely on when evaluating a vendor's controls, so our collaborations with enterprises like Lowe's and Costco, or insurers like Cigna and others, achieve deeper integration when the IT leaders at those organizations know we meet the same security bar they hold themselves to. It will allow us to implement deployments more quickly, and connect more deeply with our customers and partners.
Perhaps more importantly, data is the foundation of everything we do at Omada. As the evolution of healthcare continues to accelerate, patients are demanding that their personal health information be accessible at a moment's notice, and travel with them wherever they go. But we have also seen a proliferation of incidents where a lack of system security has put the most personal details of an individual's health at risk. Put simply, trust and security must be table stakes in digital health - and it is on those of us in the industry to establish that trust.
The promise of digital health is the ability to deliver customized, personalized healthcare at a population health scale. That’s what we’re doing at Omada -- driving continuous improvement in how our program meets the needs of each individual user by utilizing the largest data set on behavior change in human history. Every individual at risk for, or with, a preventable chronic disease deserves to have access to a clinically-proven digital program that will adapt itself to his or her unique circumstance, and deliver an effective intervention leading to better health. We’re working to build exactly that future.
But in order for the promise of digital health to be realized, providers must ensure their patients' data is secure, available, and free from errors - the security, availability, and processing integrity principles above. Beyond security, providers must also maintain the confidentiality and privacy of their patients' data. Anything less is unacceptable -- and that is why we have invested heavily to make sure Omada's systems have been independently audited and certified by leading third-party assessors.
If you'd like to learn more about Omada's commitment to security, and how we protect our participants' data, click here to receive a copy of our full IT/Security white paper.
Bill Dougherty is the Vice President of IT and Security at Omada Health