In 2018, RIS met with a startup in the Healthcare IT space. This startup was seeking the HITRUST Alliance's HITRUST r2 Certification. Being a startup, they had no formal security process in place. We decided the NIST risk-management framework was the best fit for this case.
RIS began by standing up an Information Security Risk Management Group within the organization. This group comprised members from the product, development, and clinical teams. The Information Security Risk Management Group was tasked with championing security program development throughout the organization. It is vital to have buy-in across the organization - including champions in each of the reporting lines.
Next, RIS set up a Computer Incident Response Team (CIRT) within the organization. Comprising enthusiastic volunteers, the CIRT is specialized in handling cybersecurity incidents. Their inherent interest in the subject proved invaluable. To ensure the team's effectiveness, RIS provided comprehensive training materials and administered quizzes to track their progress. Over time, a healthy competitive spirit emerged within the CIRT, serving as a catalyst for continuous self-improvement and skill enhancement.
RIS leaned hard into administrative controls to keep the budget under control. Although administrative controls are not as effective as technical controls as a preventive measure, they can be combined with supplemental detective and corrective controls to improve their effectiveness. Until the company could justify the resources to mature its technology, it was deemed a fair trade to perform recurring detection processes in areas like access control, where a written policy is the preventive control and a scheduled review catches what the policy alone does not stop. There is always a balance to be struck when deciding on controls.
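The recurring access-control detection process described above, as an added example that is not part of the original case study or RIS's own tooling. It shows the shape of a detective control that compensates for a policy-only preventive control: a scheduled script compares an identity-system account export against the HR roster and the written role-to-entitlement policy, and reports orphaned accounts, entitlements beyond a role, roles the policy does not cover, and dormant accounts. The roster, account export, role table and field names are all constructed assumptions, not those of any real HR or IAM product.

```python
"""Periodic access review: a detective control paired with an administrative one.

Added example, not code from the original page. All data below is constructed;
the Employee/Account field names are assumptions, not a real system's schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Administrative control: the written access policy, as role -> permitted entitlements.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "clinician": frozenset({"ehr_read", "ehr_write"}),
    "developer": frozenset({"repo_read", "repo_write", "staging_deploy"}),
    "product": frozenset({"repo_read", "analytics_read"}),
}

# Accounts with no sign-in for this long are flagged for the review owner.
DORMANT_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Employee:            # one row of the HR roster (constructed schema)
    username: str
    role: str
    active: bool


@dataclass(frozen=True)
class Account:             # one row of the IAM export (constructed schema)
    username: str
    entitlements: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    username: str
    kind: str              # orphaned | excess_entitlement | unknown_role | dormant
    detail: str


def review_access(roster: List[Employee], accounts: List[Account], today: date) -> List[Finding]:
    """Detective control: compare every account against the roster and the policy.

    Returns findings sorted by user, so the output is stable for ticketing/diffing.
    """
    by_user = {e.username: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None or not emp.active:
            # Leaver or unknown account: the highest-priority class of finding.
            findings.append(Finding(acct.username, "orphaned", "no active employee matches this account"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(emp.role)
        if allowed is None:
            # The policy is the control; a role it does not cover is itself a gap.
            findings.append(Finding(acct.username, "unknown_role", f"role {emp.role!r} is not in the access policy"))
        else:
            for ent in sorted(acct.entitlements - allowed):
                findings.append(Finding(acct.username, "excess_entitlement", f"{ent} is not permitted for role {emp.role}"))
        if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
            findings.append(Finding(acct.username, "dormant", f"no login in the last {DORMANT_AFTER.days} days"))
    return sorted(findings, key=lambda f: (f.username, f.kind, f.detail))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, for the risk-management group's recurring report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def sample_review() -> List[Finding]:
    """Run the review over a constructed roster and export (review date 2024-06-01)."""
    roster = [
        Employee("alice", "clinician", True),
        Employee("bob", "developer", True),
        Employee("carol", "product", False),   # left the company; account still exists
        Employee("dave", "finance", True),     # role the policy never defined
    ]
    accounts = [
        Account("alice", frozenset({"ehr_read", "ehr_write"}), date(2024, 5, 28)),
        Account("bob", frozenset({"repo_read", "repo_write", "staging_deploy", "prod_deploy"}), date(2024, 5, 20)),
        Account("carol", frozenset({"repo_read"}), date(2024, 1, 10)),
        Account("erin", frozenset({"analytics_read"}), None),   # never in the roster at all
        Account("dave", frozenset(), date(2024, 1, 1)),
    ]
    return review_access(roster, accounts, date(2024, 6, 1))


if __name__ == "__main__":
    for f in sample_review():
        print(f"{f.username:8} {f.kind:20} {f.detail}")
    print(summarize(sample_review()))
```

Each run produces the same sorted list for the same inputs, so the findings can be diffed against the previous cycle and the open items tracked to closure; the corrective half of the pairing is whatever ticket or deprovisioning step the risk-management group attaches to each finding kind.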
In the final stage, RIS collaborated with a specialist agency to engage with the HITRUST Alliance. This involved detailed back-and-forth between the specialist, the HITRUST portal requirements, and the startup. Multiple rounds of clarification led to further refinement of the control measures. Ultimately, the startup successfully obtained their HITRUST certification. Building on this achievement, they later adapted their existing information security risk management program, with minor adjustments, to successfully complete a SOC 2 audit.