“We were not aware of the evolving regulatory requirements. ” – Customer’s Compliance Officer

 

Challenge

 

The Healthcare sector is a very old sector that was able to conduct their business by using pre-historic means of storing their data - by paper. Once the HITECH rule was released, this forced all entites to move their data from the physical state and transform the data into electronic. What the government failed to mention to healthcare firms was their adherance to multiple compliance mandates. Knox's client had this struggle as they house an enormous amount of healthcare data and they process an enormous amount of credit cards. This introduced a huge challenge to this firm in attempting to comply with two regulatory bodies that are completely divergent from one another. 

 

Solution

 

Upon entering the facilites, Knox had developed a strateic roadmap for the client based on the data they housed and injected a security program and strategic roadmap. Knox aligned the client with the PCI DSS, ISO and NIST framework as a guideline to security and compliance. In meeting with the business and tecnology units during the risk assessment process, we were able to gain a solid undestanding of the inner workings of the business and began to outline the risks throughout the business. By gaining a solid understanding of overall risks, Knox was able to quantify those risks and begin to strategize technical and non technical solutions based on cost. The segmentation of the data was paramount as finanical data should not be comingled with healthcare data and employee data. The strategy reduced the risk to each data set, improved operability and security. (segmenting data correctly is the key...)

 

Lastly, the most crucial step was meeting with the Board, setting up a governance team and getting approval. This process allowed members of the team to work together to improve their efficiency and tackle security holistically.

 

Execution

 

Knox identified all third party vendors and began to call those vendors and gauge their security posture alignment. The Board was behind Knox in understanding that if the third party was not following a security program that the best option was to walk away. If the company decided to enter our program, we would enforce first party compliance on the third party for adherance. This test case resulted in the client releasing engagements with risky vendors and decreasing their risk profile.

 

Other steps in the process included meeting with Finance and Human Resources to gain a solid understanding of inputs and outputs. Once we had a solid understanding of this flow, we were able to change some operational processes to increase efficiency and security. Another crucual meeting took place with the mail room as they were a crucual handler of medical data and by improving some of their operational processes and flows, we were able to minimze risk to a workable level.

 

Meeting with the IT department was crucual as they did a great job setting up the systems, but never maintainted the systems for security or refreshed the resources. {Security solutions impemented were endpoint encryption on all servers, laptops and deskptops along with email encryption, digital signautes, redundant Cisco firewalls with intrusion prevention seyctems, vulnerability assessments and more.

 

Traveling to the client's branch offices were no challenge because the risk assessment (the blueprint) was performed with extreme excellence, so Knox understood where the issues resided and what to secure. 

 

Conclusion

While there is never a conclusion for information security and security must evolve throughout the lifetime of the business, we can say that the client has seen more business through a sound security protocol. These days, larger firms want to vet information security as part of the sales process and if the security is not up to standards, you will loose the opportunity to do business with medium to larger firms.

 

Once the client realizes the power of security and all the ways it can help the business, the clients actually become the biggest advocate and internal regulator to ensure all employees are following set standards.