Prior to the COVID-19 pandemic, Brio Systems’ business was focused on helping individuals access diagnostic testing more easily to improve their health and manage their fitness and wellness efforts.
When COVID-19 hit in early 2020, the company realized it had an opportunity to help. Initially, it was very difficult to access diagnostic tests in the United States. Brio quickly pivoted his business to help employers with employee bases that would be at risk of asymptomatic spread easily and consistently access testing.
“While security and privacy had always been important to our business, previously we’d been a direct-to-consumer service and as such, health data was accessed only by the individual account holder managing their own biomarker results,” explained Thos Niles, co-founder of Brio Systems.
“During the pandemic, we needed to share health data not just with the individual, but with the organizations that were now our customers,” he continued. “This created enormous pressure to build a more robust security and privacy program and demonstrate compliance with health laws and regulations like HIPAA.”
Every time a large company or government agency would look to work with Brio, the testing provider was confronted with intimate security questionnaires and rigorous audit calls.
“These are extremely daunting with hundreds of high-stakes questions,” Niles said. “As a nimble start-up, we were in over our heads. We lacked the internal resources, expertise and policies to showcase a strong security posture. And with prospects including Fortune 500 companies and government agencies, we risked losing significant opportunity in failing to yes
“We knew we needed to build a strong security foundation that could grow with our business, as well as hands-on support to ensure we efficiently and accurately managed the compliance process and could quickly prove our security posture,” he added. “This was no small feat and time was of the essence.”
For help, Brio Systems turned to Carbide, a vendor of an information security and data privacy management platform.
“The catalyst for engagement came as we were in discussions with an established healthcare company,” Niles recalled. “We knew we couldn’t win this business piece-mealing together a checkbox-style security and privacy program. We turned to Carbide to guide us through the complexities of HIPAA compliance and to help us demonstrate a strong security posture.
“Because Carbide was built for companies like ours that have a need for enterprise-class security, but not necessarily the dedicated team to achieve it, it seemed like a great fit,” he continued. “The platform breaks down best practices, industry frameworks and government regulations into clear, digestible tasks with an actionable project plan.”
To support Brio’s lean team, the security vendor offered hands-on expert support to guide Brio through every phase. Brio used the vendor’s DRIVE methodology, which stands for Design, Review, Implement, Validate and Evolve.
“It helped us concentrate our efforts on what was most important, rather than dispersing our efforts on a million things that we couldn’t make enough progress on,” Niles said.
Relying on Carbide, he added, Brio hoped to:
- Leverage an information security management platform that captures requirements, generates policies, tracks progress and drives next steps
- Build comprehensive security policies customized to Brio’s business and the data it collects
- Automate and create efficiencies to serve as a force multiplier for Brio’s small team
- Gain access to security specialists and consultants to guide the team in achieving company goals by conducting risk assessments and penetration tests
MEETING THE CHALLENGE
In the first part of Phase 1 (“Design”), the vendor team met with Brio’s team to assess its existing security posture and from there helped define, design and review a security program to fill gaps and meet outlined security objectives.
“The policy builder was quick and easy to execute,” Niles noted. “Carbide automatically generated a set of policies that were unique to our situation, with aligned tasks managed within the platform helping to move us quickly from policy development to security program implementation.
“Knowing HIPAA was critical to our success, the team of experts also helped define goals and realistic timelines to demonstrate compliance,” he continued.
In the second part of Phase 1 (“Review”), the vendor team led Brio through working sessions on information security, including employee security, software development security, physical/asset/network security and security management, all of which helped to define the foundation of Brio’s program. Brio’s team then was empowered to review and manage progress as security controls were implemented.
In Phase 2 (“Implement”), Carbide generated an implementation plan, customized to Brio’s needs – a checklist to help demonstrate the testing provider’s security posture to prospects and customers, prepare for and manage the internal audit process, and showcase a commitment to security .
In Phase 3 (“Validate”), Brio worked with the vendor to validate its posture against HIPAA and ISO27001 through a gap analysis followed by an objective third-party audit process.
Today, Brio is in Phase 4 (“Evolve”), which is about both evolution and operationalization, Niles said.
“As we continue to work with large companies, grow and expand, we need to constantly be evaluating how our security program needs to evolve to keep up,” he said. “Even with a robust security and privacy program in place, our team continues to work with Carbide on recommendations on how to improve program effectiveness and project efficiency over time, as well as looking at how our program meets the stringent requirements of other security and privacy standards such as SOC 2 and CCPA.”
Niles said Carbide has been indispensable in helping Brio strengthen his security posture, quickly demonstrate compliance, and operationalize and advance security.
Within months of working with the vendor, Brio achieved and demonstrated HIPAA compliance and closed deals with multiple Fortune 500 companies and a federal agency, all of which needed confidence that Brio’s security controls and posture were mature enough that they could trust Brio with their employee health data.
“Plus, we’ve cut the time to complete security questionnaires from weeks to hours,” Niles noted. “Now we let the platform do the work for us. The questions are probing what our security policies are and by having the platform guide us and provide a system of record for those answers, it makes it as easy as pointing at security policy 1.2, as opposed to writing an essay for each question.”
Additionally, the security platform helped Brio accelerate compliance efforts by providing an easy-to-follow framework and a comprehensive task management system designed to effectively manage the density of requirements, sharpen focus on what matters most and stay on schedule, he said.
“Another key outcome has been in communicating our security policies to our team, obtaining their sign-off in a system of record, and providing periodic security awareness training,” he added. “Today, our whole team understands our policies, can easily log in to Carbide to review policies and take quizzes on security awareness training content to ensure both our compliance and their understanding.”
ADVICE FOR OTHERS
“For any organization dealing with sensitive data such as PHI, as they consider tools to manage their security and privacy program, do not go it alone,” Niles advised. “Starting your security journey from a blank slate, no matter where your maturity level is on day one, is just too daunting.
“Having a single system, accessible by all your team, where you can manage policies and procedures in a straightforward way, will save an enormous amount of time,” he concluded. “Working with a partner who can provide not only a platform, but also humans in the loop to provide guidance and knowledge, will help you move quickly and with greater confidence.”
Email the writer: firstname.lastname@example.org
Healthcare IT News is a HIMSS Media publication.