[Case Study] Helping a Leading Healthcare Data and Analytics Firm Boost Their Cybersecurity and Get More Business
By Model Technology Solutions
Published August 7, 2023

When it comes to patient health information, more security isn’t just better, it’s a must. As cybercrime becomes more innovative, any organization dealing with healthcare data has to be at the top of their game with data security.

When you’re a small IT team with few resources to manage a comprehensive cybersecurity program, it’s easy to get benched. Healthcare organizations want to see proof their data will be safe. And when you don’t have the internal resources to prove your business is compliant, you can lose potential partnerships.

Our vCISO portal provided the under-resourced IT team of a leading healthcare data and analytics firm with the means to:

  • Save $150K+ a year by not hiring an in-house CISO
  • Finalize an outstanding contract with a major client
  • Save hundreds of hours manually translating compliance documentation for different clients
  • Reduce the time and effort that their COO was spending manually creating and distributing compliance reports

The Challenge: Rising Cybercrime and Heightened Security Regulations

Amitech is a data, analytics, and automation consulting firm based in St. Louis. They specialize in using Robotic Process Automation (RPA) and AI to help healthcare organizations streamline their data management and analytics and build a better, less expensive healthcare system.

But increased security regulations caused by rising cybercrime were making it difficult to keep getting new clients. Complying with HIPAA has always been a high priority for Amitech, since they host sensitive patient health information on their platform.

Potential clients have increasingly been requiring higher-level security controls like ISO27001 and SOC2, which Amitech didn’t have. One of these potential clients was Bluecross/Blueshield of Tennessee, with whom Amitech was going to lose a major contract if they didn’t get these protocols in place.

Amitech was also struggling to provide evidence of the controls they did have in place. All of their clients have different controls they want to see and different preferences for how Amitech provides proof of compliance. Because Amitech lacks a large IT department and resources for a cybersecurity program, their chief operating officer, Michael Demos, was spending countless hours manually translating everything for each client.

Amitech not only needed a way to get compliance ready with the higher controls the market was starting to demand, they also needed a system for documenting their compliance that wasn’t totally overwhelming for their team to implement.

Prioritizing Critical Controls: Creating a Roadmap for Compliance

While Amitech had basic cybersecurity tools like antivirus and email security in place, they didn’t have anything nearly mature and robust enough to be considered ISO27001 compliance ready. They were concerned about the time and budget they would spend getting where they needed to be. They also didn’t want to spend the annual $150-200K it would take to hire an in-house CISO.

We knew we could help Amitech build a roadmap to get compliance ready for a fraction of that cost through our vCISO services. Through a free 3-month demo, we demonstrated the value of our vCISO portal for:

  • Tracking, validating, and creating reports for different compliance controls
  • Building out your entire compliance roadmap
  • Assigning owners to different tasks
  • Setting short and long-term goals and due dates for both
  • Viewing security controls from multiple frameworks
  • Streamlining the process of collecting compliance evidence and sharing it with clients

Our Director of Cybersecurity and CISO, Mike Brimberry, walked Amitech through the onboarding process using a 17-question onboarding questionnaire to understand their organization’s needs and structure. Mike has a solid understanding of the different security frameworks, how they apply to different industries and organizations, and how they should be prioritized to meet an organization’s needs. Mike helped Amitech:

  • Identify the most relevant tasks for their goals
  • Pick tasks that would build a useful foundation for future initiatives (even if they aren’t listed in the protocol)
  • Build a roadmap for finding which critical controls to prioritize

A More Mature and Robust Cybersecurity Program: Essential Proof for Potential Clients

In just one month, we helped Amitech get enough controls in place to finalize their contract with Bluecross/Blueshield of Tennessee. They were able to implement 64 controls across 10 categories and then build a compliance roadmap for the remaining controls. Now they can attest to having a comprehensive cybersecurity program and easily provide evidence of their compliance to clients. If they don’t have a control implemented yet, they can provide the client with specific details about when it will be in place.

To boost security in their environment further, we also helped Amitech develop a cybersecurity awareness plan for their employees. Phishing and inconsistent patch management are the 2 most common causes of data breaches. By teaching their employees to identify phishing schemes and follow standardized patching schedules, Amitech significantly decreases their risk of a breach.

Amitech now has a more mature and robust cybersecurity program that appeals to potential clients. They also have a way to provide documentation to current clients that’s much less time-consuming for their CIO. They can:

  • Conduct business more securely
  • Get new business more easily
  • See how to continue expanding their cybersecurity defenses
  • Easily assure new and current clients that their data is always safe

…without the massive 6-figure yearly expense of hiring an in-house cybersecurity professional.

From Cybersecurity to Infrastructure: Ongoing Support for Continued Improvement

We continue to help Amitech boost their security and identify areas for improvement by helping them with:

  • Penetration Testing: In a controlled environment, our team tests certain IP addresses to see if they can be broken into. Then we provide Amitech with a list of where the gaps in their security are and what they can do to improve their defenses.
  • IP Address Configuration: When Amitech’s job recruiting system was updating IP addresses, they came to us for a configuration that would allow the system to send from those addresses.
  • Incident Alerting: We implemented incident alerting in Amitech’s environment so we can act immediately if they do have any issues.
  • Weekly Check-ins: Every week we make sure that Amitech’s progress is still on track towards their goals.

Amitech has been so pleased with the level of support that we’ve provided that they now rely on us for tasks beyond cybersecurity, such as performing an Azure review (which is in the process of saving them 6 figures a year in unnecessary spending). Amitech has confidence in us as a trusted partner who can address any issues that come up in their environment.

Article By Model Technology Solutions
We’re a Microsoft Partner with multiple Gold and Silver proficiencies. Our team has decades of combined experience helping companies like yours in diverse industries to drive their digital transformations using Microsoft’s powerful solution set.