
We’ve always been committed to data security. Now we have the audit to prove it.

By Michael W. Levin, co-founder and CEO of Vericred.

Our overarching goal at Vericred has always been to improve the experience of buying and using health insurance, which more than anything means getting the right information to the right people and places at the right time. But even as we’ve forged new paths in digital connectivity in pursuit of this goal we have never lost sight of the profound responsibility our mission entails. Trusted with highly sensitive information about millions of people—including medical, identity and employment data—we have from our earliest days felt obligated to do all we can to ensure that our systems are as secure as possible.

Never an easy task, our efforts to protect the data we handle have grown more challenging every day, as increasingly devious cybercriminals launch the kinds of attacks that now regularly make news. But in recent years and months we have invested thousands of person-hours in both the “hardening” of our information technology and the tightening of procedures in every aspect of our business.

The result of this often burdensome work is the internal certainty that in this realm, too, we are setting industry standards and, now, important external confirmation of that belief. Vericred’s data security initiatives, I can report, were recently validated by a new System and Organization Controls 2 Type II (SOC 2) examination for security, availability, and confidentiality, conducted by a public accounting firm specializing in information-security audits.

The American Institute of Certified Public Accountants (AICPA) developed the SOC 2 process to reassure customers of cloud computing and other digital services that their information is secure. As with an accounting audit, in which an independent firm examines a company’s procedures before issuing an opinion on the accuracy of that company’s financial statements, a positive SOC 2 report reflects an auditor’s confirmation that a company meets the AICPA’s Trust Services Criteria. 

Vericred has always aspired to the highest standards of transparency and integrity. From our earliest days, we had our financial statements audited, a process young private companies rarely undertake. And once we began to build our enrollment and member management API, we knew we had to invest in state-of-the-art information security. Health insurance carriers, benefit administration platforms, and employers would be trusting us to safeguard personally identifiable information (PII) and protected health information (PHI) of plan members.

Frankly, meeting the standards for the SOC 2 report was more involved—and invasive—than we expected. In addition to investing the resources necessary to harden our technology, we also instituted background checks for employees, added access controls for our facilities, and installed software to track what employees do on their work-issued computers. We have imposed a clean-desk policy to ensure that no confidential information ever lingers on a Post-it note or in an unlocked file. If we were to ever experience a breach, we have a detailed contingency plan, not to mention forensic experts on retainer to minimize any potential damage. 

If this all seems a bit over the top, maybe even obsessive, that’s largely the point. We’ve gone to such great lengths—and will continue to do so—both because it’s the right thing to do and because we want to be the model on security in our industry as with all other aspects of our operations. Over the years we’ve played a central role in building a community of carriers and technology companies, coming together to develop an interconnected ecosystem of powerful health insurance and benefits applications. Security needs to be part of this conversation, a top-of-the-agenda item.

Because a breach of the weakest link in the chain can undermine the credibility of every participant.

At Vericred, we want to help facilitate this mindset and support the industry as it strives to keep moving forward safely. Reach out to us with any questions and ideas at security@vericred.com.