The Ongoing Security Process: Backupify Achieves HIPAA Compliance

Headlines this year have been littered with brand name vulnerabilities such as Heartbleed, Shellshock, and Poodle. More than ever, Backupify’s customers are looking to have conversations about our ability to respond to vulnerabilities quickly, our SOC 2 compliance, and our approach to encrypting backed up data. Security has always been a major component of our offering and we recognize the need to continue pushing forward. This is why Backupify was recently audited against the HIPAA Security Rule. Meeting HIPAA compliance was another important security marker for Backupify and for our customers.

At Backupify we know there will always be new vulnerabilities, new legislation, and new requirements from customers and so we’ve constantly strived to stay ahead of the curve. About a year ago we completed our first SOC 2 Type II audit. It was a major milestone because it was the first time we had a third party validate that our security policies and procedures were designed and operating in-line with industry best practices.

We had previously been through several external penetration tests and were confident in our technical and application controls, but knew it wasn’t enough as we continued to experience rapid growth. We needed to design an information security management system that identified emerging risks and mitigated them quickly. A high growth technology company must be prepared for all of the risks associated with fast change and distributed workforce.

We recently completed the renewal of our SOC 2 Type II audit. The testing included a full assessment of our infrastructure, software, people, policies, procedures, and data. It’s a test to verify and report that we have been operating securely for the past year. Our SOC 2 Type II audit gives customers the assurance that we have the right controls and diligence in place to properly protect their data and everyone can sleep a little better at night knowing this.

After the penetration testing and SOC 2 Type II, it was time to focus our energy on becoming HIPAA compliant. Although we’re not a “Covered Entity” we recognized the importance as a service provider of mitigating HIPAA security risks with the standard administrative, technical, and physical controls. We have a large number of customers in the healthcare industry and felt it was critical that our compliance strategy be aligned.

Inside of Backupify, we preach, “security does not mean compliance; and compliance does not mean security.” Security is a process and compliance is a tool to ensure that the major components are covered. Managing our information risks not only means we have all of the right policies and procedures, but also we carefully manage technical change.

Monitoring and testing for vulnerabilities is more important than ever. And security is more important than ever. At Backupify, we’re committed to continually reevaluating our security posture and making on going improvements.