How to Turn Cybersecurity Compliance into a Health Care Growth Strategy

Anna Fowler:

Hi everyone. My name's Anna Fowler. I work with Kate at EisnerAmper in the Technology Assurances Group. I have about 13 years of experience in professional services with the past six years primarily focused in cybersecurity and healthcare.

Kate Siegrist:

I think today first we'll start talking about the challenge that startups face in this space. Any company, whether they're med tech, health tech, med device, anything that's kind of innovative in the healthcare industry, there's a challenge.

There's a conundrum, a chicken or the egg, if you will, which is in order to grow, small startups need to be able to meet the cybersecurity compliance requirements of their customers, which are typically going to be payers and providers. Those payers and providers, they're regulated, so they care about the protected health information of the patients or the customers that they serve.

Startups want to get into those industries, want to get in with those companies, but they have limited resources. They have small teams, teams of 10, 15, 20 people and limited funding. They might be at a seed stage. Maybe they don't have a Series A yet, maybe they're not getting funding, whatever that might be. And so in order to afford the cost of cybersecurity, they need that cashflow, but they can't really bring in business until they have the compliance.

I think that's the challenge we're going to talk about today, which is there's a starting point for startups. There's a place where startups can start that will allow them to grow their compliance as they grow their business.

So Anna, you said that you have worked in the industry for 13 years and you've been focusing on healthcare for a while. Maybe talk a little bit about some of the clients that you've worked with, any in particular that have also faced a similar challenge.

Anna Fowler:

Sure. We have a great example of a client that came to us during the COVID pandemic. They're a startup small business. They have a medical device that is used on a daily basis by pretty much everyone. So they had a lot of opportunities during the pandemic to work with bigger companies, providers, payers, and their customers were asking them to show some level of assurance through a certification or attestation.

They were trying to go for HITRUST at first. We actually looked at their current security posture and the size of their company and complexity and ended up presenting them with some different options.

Kate Siegrist:

I am interested in hearing where that client ended up going from a compliance perspective. Maybe before you finish that story, it would be good to kind of talk a little bit about what some of the options are for companies that are in this space.

I think talking about at the most basic level, companies are required to be compliant with the law. So HIPAA, HIPAA is really important to any startup in this space. The reason why it's important other than the fact that it's a law, is when they engage with customers, they're going to be asked to sign a business associate agreement. That business associate agreement is going to say you have to be HIPAA-compliant. Most of the time when people say HIPAA, they're referring to the HIPAA Security Rule, but there are actually two other rules. There's privacy and breach notification.

When we work with companies and they say, "Hey, we want to get HITRUST," which of course is considered the gold standard in healthcare security, sometimes we say, "Let's crawl before we walk, and let's walk before we run." And so just starting companies out with that is sometimes the best start. On average maybe it takes our clients about three months to get there, so it's not a significant effort, but it's really, really important.

Then once companies get to that point, they typically need some sort of an audit or a certification, and that's where something like a SOC 2 is really nice. The reason why I always like to use my hands when I talk about this is the requirements of SOC 2 blend really nicely with the requirements of the HIPAA Security Rule. So you can blend those together to do one audit that covers both because there is no such thing as being HIPAA-certified and/or there's really no true HIPAA audit.

So if a company says that, you might want to sort of question what they mean because there's no such thing as being HIPAA-certified. But that's a great stepping stone for a company that needs to get some sort of third-party assurance or comfort but again, isn't ready to go to the biggest and the best, which of course is HITRUST.

Now, historically, HISTRUST was considered to be an extremely difficult kind of endeavor, and that's why SOC 2 was kind of a nice alternative. I will say though, HITRUST in the last couple of years has responded and they've come out with a couple of easier options.

Thinking about that story, each one of those standards builds upon the next. Might take you about three months to get to HIPAA, maybe another six months to get to SOC 2. HITRUST, you're looking at closer to 12 to 16 months. So for many of our clients, I think it's a nice, gradual stepping stone where you would start simple, and then over the course of a few years as companies grow, they would kind of get to those higher, more stringent standards.

Anna, you take a lot of clients through this process. Maybe talk about how a company would go about this. When you've never thought of cybersecurity before and now suddenly you want to get some sort of compliance so you can grow your organization, how would you typically take a company through that process?

Anna Fowler:

You really want to go through a three-step process, readiness, remediation and the actual audit or assessment. Our approach during readiness, we take the client through a series of interviews and also review policies and procedures, maybe a little bit of light evidence review depending on the level of assistance they need.

After that, we will generate a list of gaps and move on to the remediation phase. The client can work on that independently or we can come in and provide as much guidance as possible, but we still have to follow AICPA and HITRUST independence rules. So we can't do things like operate controls for clients or implement controls or make decisions on behalf of management.

Kate Siegrist:

Maybe talk a little bit about the audit process, so maybe the difference between, say, a SOC 2 and a HITRUST and sort of what that audit process might feel like.

Anna Fowler:

During the audit or assessment, we will do some deeper testing of the controls to make sure they're operating effectively and they're truly implemented. At the end of the audit, we will issue a report or work with a third party to have a certification issued.

Kate Siegrist:

With HITRUST, how is HITRUST the organization involved with the audit?

Anna Fowler:

Well, HITRUST gets involved with the assessment. After we submit it to them, they actually review the assessment. So we're going through several layers of review. It's what they call the QA phase, where they will interact directly with us to clarify any details as needed and then finally issue the certification.

Kate Siegrist:

That would explain I think why HITRUST is considered more difficult, the fact that HITRUST is coming in, they're sort of overseeing the process, trying to create consistency across the industry so that way no matter what auditor is performing the work, it's consistent. There's a reason why it's the gold standard in the industry.

Now that we've explained what the standards are and how you would take a client through the process, I'm curious to hear that story that you were telling about the med device company. What options did they end up going with?

Anna Fowler:

Sure. They ended up going with a SOC 2. It was just a much more feasible, cost-effective option for them at the time. Now they're pursuing a HITRUST certification. Their clients have been really happy with their progress, and we've been able to help them improve their security posture as they grow as a company.

Kate Siegrist:

That's a great story. I love to hear the fact that you were able to do exactly what we're talking about today, which is really start the clients at a simpler level, and then as they grow, obviously they had a lot of growth with their product during the pandemic and it's continuing on for them.

I have a similar client, kind of a similar story in that they also are a med device company, but they're unique in that they're actually based in the UK. Their med device actually helps with medication compliance. It's a device that essentially knows what your prescription is and it knows when you should take your medication. Then it also would track once you've taken your medication.

The challenge that they were having was they wanted to enter the US market, but in order to do that, of course they had to meet the US expectations for compliance here in the US. They already had an ISO 27001 certification because they were already doing business in the UK. That isn't necessarily a replacement for the expectations within the US, but it gave them a good headstart.

Because they were ISO 27001 certified, it meant that they were pretty close to being HIPAA-compliant and were really ready to move right on to the next phase. They initially came to us saying, we want to do HITRUST, but they were still in growth mode, and their challenge was they needed compliance as quickly as possible.

For them, the best option, again at the time, HITRUST didn't have the easier options, was again, to do a SOC 2. But this time, instead of doing a SOC 2 plus HIPAA, we actually did something called a SOC 2 plus HITRUST. Some people might hear that and think that's crazy, why would any company choose to do both?

But it actually is an easier option than a HITRUST. With a SOC 2 plus HITRUST, you again blend the requirements of SOC 2 with the minimum requirements needed to get a certification with HITRUST, but we perform the procedures more under the SOC 2 standard.

So that was a great starting point for them, and actually as soon as they completed that audit, they were able to start getting data feeds from their customers, because before they had that certification or that audit, they had to have people manually key in people's prescriptions into the system. It was inefficient, it required more people, and of course there's room for error.

By getting that certification, they were now able to start getting feeds from payers and providers so that they could take on mass numbers of new customers within their customer base. So it was a huge, huge growth opportunity for the company that they were not going to be able to do without that compliance.

Maybe let's wrap this up and talk about what the next steps would be for a company that is facing these challenge. Do you maybe want to talk about a roadmap or some things companies should think about?

Anna Fowler:

Absolutely. It's really key to have a good plan in place. You want to make sure that you have buy-in from leadership and stakeholders, investors, and also make sure they understand the importance of compliance. You also want to have a cost-effective budget in place.

Also, make sure that your information security program is documented through policies and procedures. You want to make sure that that information security program is built into the design of your system. So if you're cloud-based, make sure that you're taking advantage of security tools that are available and built into the cloud platform.

Finally, you want to prepare for the actual audit or assessment, and whether you do it internally or with a third-party consultant, you want to make sure that those controls are implemented and you're able to provide the documentation.

Kate Siegrist:

I think it's important related to that, in terms of timeline, companies don't have to sort of do all three things at the same time. Often we get clients that need to do that because they've kind of kicked the can down the road for too long, and now they're in a position where they might lose a deal with a customer because they don't have the compliance that they need.

The smarter way to do it is engage early and maybe just do the gap assessment. That way, you're building your product, you're taking your product to market, you know what resources you're going to need in order to be compliant so that when the day comes, then you can engage to do the audit or the certification.

I think it's important that companies realize that you shouldn't wait until someone asks you for it. If you have protected health information or even PII, a company needs to understand that they're not going to grow unless they've really planned compliance into their strategy.

Well, I think that wraps it up for us today. I hope that you were able to come away with some ideas and thoughts around how to plan for growth taking cybersecurity compliance into mind. Really appreciate everyone joining. Anna and I are always available for questions, so you can always feel free to reach out, and we're happy to give some advice on where to start.

Anna Fowler:

Thanks, everyone.