Situation
A large healthcare organization with locations across the U.S. needed to ensure HIPAA compliance after suffering a significant data breach. A number of phishing and ransomware attacks had exposed sensitive data and the organization was facing multiple fines. In response to this, the company engaged Strategic Alliance Consulting’s (SAC) principal consultant to assess its vulnerabilities, create a response plan, and guide the organization to HIPAA compliance.
Solution
The principal consultant immediately stepped into the role of a Virtual Chief Information Security Officer (vCISO) for the healthcare organization. During the vulnerability assessment phase, the consultant found a variety of gaps which impacted HIPAA compliance, including:
Lack of an internal cybersecurity team and program, including documentation and procedures for response plans.
Lack of network segmentation, which meant that their corporate network was exposed to internet traffic.
Their Palo Alto firewall systems had not been updated in several years, which exposed their networks to unauthorized access.
Following the vulnerability assessment, the vCISO partnered with executive leadership to create a comprehensive cybersecurity program that addressed the organization’s HIPAA compliance gaps. This included:
Redesign of entire information security structure
Development of incident response and business continuity plans.
Creation of over 80 pieces of documentation for new policies and procedures
Creation of network segmentation and access controls, firewall rulesets, and end-point protection
Deployment of Managed Detection and Response (MDR) solution
Development and implementation of hiring process for full-time information security team
Results
Following the year-long cybersecurity transformation, the healthcare organization was HIPAA compliant and faced no further penalties. The vCISO was successful in implementing a complete overhaul of the organization’s information security, which prevented further successful attacks and ensured its business, technology, and people were prepared for emerging threats.