Cybersecurity and data privacy must be of the utmost importance to any software and technology company, and FSI is certainly no different. In fact, FSI just completed an SOC 2 Type 1 audit, which is recognized as one of the highest recognized standards of information security compliance in the world.
To better understand what takes place during the SOC 2 Type 1 certification process and how FSI plans to continue prioritizing cybersecurity and data privacy moving forward, we spoke with Derek Smith, FSI’s Director of Technology.
What is an SOC 2 audit and how does it reflect a company’s commitments to data privacy?
SOC 2 stands for System and Organization Controls, and it was developed by the American Institute of CPAs. During a SOC 2 certification, a third-party auditor reviews internal controls, including policies, procedures and infrastructure for data security, firewall configurations, change management, logical access, backup and disaster recovery, security incident response, and several other critical areas of business.
There is Type 1, which pinpoints a specific point in time in which to assess a company’s security processes, and then Type 2, which assess these processes over an extended observation period. FSI has completed Type 1 and is pursuing a Type 2 audit next.
As for reflecting FSI’s commitment to data privacy, one of the important distinctions of a company like ours, which creates software as a service, is that we are stewards of the data in our systems.
While our product, CMS, doesn’t hold patient data, we have access to important customer data, and our priority is protecting the customer’s interest. I look at it from the perspective of, where does customer data come from, where does it go, who at FSI has permission to view and modify it? SOC 2 helped establish standards and structures around defining those data flows and permissions.
We are adhering to industry best practices and our security stance is embedded in every step of the software development process – the way we develop, test, deploy our product, and the permissions and roles, these policies are applied internally every step of the way.
How else is FSI maintaining cybersecurity and privacy?
As a company, we have monthly security awareness training. All new employees and contractors are vetted and required to abide by security policies.
For privacy, we are continuing to work closely with our technology partners around leveraging their tools to ensure our production environments are monitored and secured.
We’re now in the age of AI, so as FSI considers the way AI could be used, either for internal processes or our product line, protecting customer data is first and foremost. This includes not using customer data in publicly available AI models or submitting data for training purposes of AI models.
Why should data privacy and security be top of mind for healthcare systems evaluating a CMMS partner?
FSI makes a clear delineation that we will not and do not store protected patient information. The information we store about a customer’s facilities is important.
We recognize that harm could be done if someone gains access to facilities information, like floorplans or life safety drawings. If you put your asset and facility data within the CMMS, we want to protect the customer from any cyber-attack or physical attack. Just because this isn’t regulated data like a medical record, we still have a lot of organization data that could be used for malicious purposes.
Some of the measures we have in the product are strict access and permissions for all our modules. Our role-based security model allows us to work with our customers to define a “least privilege” scheme where users only have access to the minimum amount of data necessary for their particular function or role.
Organizations looking to use a CMMS should consider a vendor’s entire security stance, and favor those who can demonstrate a commitment to protecting their facilities and asset data throughout its entire lifecycle. Our SOC 2 certification highlights that it’s not just us saying we have security policies, but that our practices have been proven and confirmed by a third party.