Case Studies

Situation

A nationally recognized healthcare provider had a business impacting breach. Once mitigation was complete, they determined they needed to assess the business and apply a Risk Management Framework.

Challenge

• Regionally distributed clinics don’t appreciate the need for RMF or security
• IT team doesn’t have the time or capability to address control requirements
• Overall, the provider didn’t know how to act or where to start

Approach

Initial Approach

• Perform security testing and full NIST CSF assessment
• Collect the results and create a formal report
• Identify the control gaps to be remediated
• Create a roadmap to address control gaps

Adjusted Approach

• Apply the identified control gaps to HITRUST readiness
• Gamify the process of readiness using a concept that resonates with the audience
• Publish the results monthly
• Educate the IT team as the readiness progresses

Conclusion

• Successfully integrated initial NIST gaps into HITRUST readiness
  • Easy alignment between frameworks
• Designed and rolled out internal education / engagement
  • Using gamified approach and structure that resonated
  • Conducted readiness leading to validated assessment
• Gained the Board of Directors support for project
  • Leveraging HITRUST capabilities and approach to the industry
• Conducted HITRUST validated assessment
• Instituted a continuous improvement process and governance to continue to address changes in cybersecurity and regulatory landscapes

Key Success Factors

• Addressing client challenges using HITRUST readiness as a gamified activity to engage employees
• Working with the client to sell HITRUST and the approach
• Leveraging HITRUST announcements and improvements to demonstrate the industry leading approach