How SDS Helped a Health Plan Meet HIPAA and HITECH Requirements while Serving Patients Efficiently
Secure Digital Solutions (SDS) has served Fortune 1000 companies in the healthcare sector, including healthcare researchers, providers, and insurance companies. Founder and CEO Chad Boeckmann headed IT security for a major pharmaceutical company, so SDS is familiar with this unique environment.
SDS brings deep experience to compliance with the HIPAA Security Rule and the HITECH Act, ISO 27001, and NIST 800-53. We understand the challenges of protecting confidential information across multiple sites while delivering efficient patient care and member service.
SDS recently provided a comprehensive healthcare information security assessment for a health plan with 1.5 million members, 27,000 providers and 4,000 offices across the Upper Midwest. As part of a three-year strategic plan in IT, the project goal was to measure the maturity of the company’s information security program against industry frameworks, including ISO 27001, HIPAA Security Rule and HITECH Act.
Comprehensive assessments “addressing everything that needs attention”
“Our assessments are designed to cover a wide range of preparedness,” says Mike Edlund, practice manager at Secure Digital Solutions. “Organizations that do not have access to a proven process and personnel with specific experience in comprehensive information security assessments would have a really difficult time addressing everything that needs attention.”
At the outset, the client requested an important deliverable: a clear summary that would equip the Information Security Director to demonstrate her organization’s information security capabilities and future needs to the company’s internal stakeholders.
Over a period of six weeks, SDS performed a “deep-dive” on both the technical and business aspects of the information security program, evaluating more than 30 benchmarks in five high-level categories:
- Security Program Leadership
- Compliance Management
- Security Operations
- Security Architecture
- Business Continuity and Disaster Recovery
Balancing security with business speed
Within these five areas, SDS reviewed policies, organizational structures, asset management, human resource security (awareness training), communications and operations management, access control, systems acquisition and maintenance, incident management, and compliance. All capabilities were mapped against the ISO 27001 control framework and the HIPAA Security Rule.
“It’s always a challenge integrating security with business activity to avoid slowing it down,” says Edlund. “You have to try to find that balance of the needs in security to protect the assets of the business.”
After thorough analysis, SDS delivered its findings in a detailed Information Security Program Capability Report. Each opportunity for improvement was detailed with rationale, roles and resources required. A special section on architecture and operations detailed technology recommendations.
Delivered with clear, executive reports
To translate its long report into a clear communications tool for use at all levels, SDS created a highly visual one-page Information Security Dashboard. Under the five major categories of maturity, each benchmark received a green, yellow, or red score, along with a “high, medium, or low” ranking of its impact on the business. Areas marked red and high-impact were flagged as priorities.
“A weakness in many companies is a lack of connection or discussion with upper management about security strategy,” says Edlund. “You need to align security with the business.”
The Information Security Dashboard made the next steps clear not only to the Information Security Director, but also to key non-IT executives. The specific plan proved persuasive in obtaining the needed investments and changes.
“[The dashboard] is such a good and quick picture of where our information security posture stands,” says the director, who continues to use the tool to guide her company’s security vigilance.
Just over a year later, SDS was invited back to the health plan to conduct a follow-up assessment, which demonstrated considerable progress and a clear return on investment.