Security Assessment Helps Professional Services Firm Meet HIPAA and NYDFS Cybersecurity Compliance
Gap analysis approach allows firm to measure, manage and prove compliance
Number of employees: 150
In addition to being concerned about protecting their network and data from evolving cybersecurity threats, the firm had a more immediate concern surrounding HIPAA and NYDFS compliance. The firm has been required to be HIPAA compliant for years and did not have a way to quantify, measure, or show compliance. The firm was also concerned about new regulations from New York State, where it has a customer base. The number of requirements and controls was overwhelming, and the firm needed help to wade through the HIPAA Security Rule and the new requirements of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
In response to NYDFS requirements, the firm needed to be able to immediately show a plan of action for resolving any areas of high risk. SWC delivered a security assessment and compliance roadmap as well as control matrices for both the HIPAA Security Rule and NYDFS Cybersecurity Regulation. This allowed the firm to measure their level of compliance, make wise investments to maximize risk reduction, and manage their compliance levels going forward. SWC was also able to help the firm reduce some significant gaps to meet the deadline of February 15, 2018 for NYDFS compliance.
Technology & Services: Information Security - Compliance
Prior to partnering with SWC, this Chicago-based firm was using various security assessment tools and approaches with little success. The results were often overwhelming and lacked a clear path towards prioritizing and resolving the issues at hand.
With an increase in cybercrime and pending HIPAA and NYDFS compliance laws, the firm knew they needed to take action. However, like most midsize organizations, they did not have the time or resources in-house to identify, prioritize, and remediate risks surrounding network security, platform security, application security, and industry-specific compliance. They were looking for a partner to provide the specialized expertise necessary to do justice to the critical tasks of protecting their IT assets from external threats.
SWC has customers in many types of industries which face many types of compliance requirements (HIPAA, NYDFS, PCI, GDPR, etc.). SWC’s advisory services are commonly leveraged by midmarket organizations to provide many of the strategic services that would be found in a CISO (chief information security officer) role.
Creating Measures of Success
In order to improve on or achieve a goal in cybersecurity (really, any area of business), you must first establish how success will be measured. If there are no native metrics associated with the desired outcome (for example, network bandwidth), a system of measurement must be created.
SWC worked with the firm to develop these metrics for measuring their levels of HIPAA and NYDFS cybersecurity compliance. The system can also be used by the firm and SWC for ongoing risk assessment.
Meeting the Challenges of NYDFS
During the initial conversations, SWC and the firm verified that the firm fell under one of the NYDFS exemptions. This significantly reduced the scope of requirements.
The remaining requirements are what SWC would consider the core of any mature cybersecurity program, including an Incident Response Plan. Even with the reduced set of requirements, SWC found some significant gaps. Time was ticking, as the March 1, 2018 deadline for NYDFS compliance was approaching.
As soon as the roadmap engagement was over, SWC started on remediating the gaps using both advisory and engineering resources. The firm was ultimately able to meet the deadline and confidently state they met the initial phase of NYDFS requirements. The filing was submitted in advance and a weight was lifted off of the compliance officer’s shoulders.
Even though the firm met the initial deadline, there remains more work to be done. The roadmap also includes the steps and timelines required for meeting the 3 remaining deadlines over the next year. These steps are prioritized among other cybersecurity, IT, and business goals to allow the organization to remain on track while continuing to tackle the requirements laid out in NYDFS cybersecurity regulations.
Meeting the Challenges of HIPAA
During SWC’s gap analysis and risk assessment, it was discovered that the firm’s HIPAA compliance was sufficient on paper, but each area typically had only 1 layer of defense. SWC raised the concern, “What happens if the 1 layer of defense fails or breaks down?” These types of questions helped to bridge the conversation from compliance to real cybersecurity protection.
Beyond Compliance – The Future of Cybersecurity
Beyond compliance, a proper cybersecurity roadmap often includes the following steps: moving from on-premises systems to the cloud, securing your data in the cloud, fixing other leftover issues, and finally establishing a Security Managed Services program to help maintain a high-performing, agile IT system.
For example, this firm resolved many of the issues found in the compliance and security assessment by moving email and unstructured data (file system) to Office 365 and SharePoint Online, respectively. Once the data was in Office 365, many more robust and easy-to-use security and compliance tools were available built in.
In addition to Office 365, SWC recommended Enterprise Mobility + Security (EMS) E5 to take advantage of its identity-driven security, mobile device management, and information protection. In addition to being an easier platform to secure, Office 365 is easier to use and maintain; it sets the stage for improved employee productivity.
Once the new system was secured, the firm was able to better prepare for more detailed verification such as penetration testing.
By measuring compliance and risk, the firm is now able to act fast to meet new regulations. It has also allowed the firm to show and improve upon HIPAA compliance and avoid HIPAA violations. This helps the firm avoid security breaches and avoid or minimize any compliance fines in both the short and long term.