SUCCESS STORIES

Government

The client

Our client is a national healthcare services provider controlling the infrastructure and services for over 1200 clinics across the United States. The company leverages a broad range of third-party and proprietary software solutions, with a mixture of on-premises and cloud infrastructure, hosting a broad range of health and other personally identifying information.

The challenge

Due to rapid growth and acquisition, the client’s infrastructure continues to change rapidly. The client sought a partner that could not only handle Health Insurance Portability and Accountability Act (HIPAA) regulated data but also implement strong controls to ensure no extraction of data outside the client’s system.

Our approach

Our staff are all trained in the careful handling of sensitive information, whether HIPAA, PII, or classified information. Our business is built on strict compartmentalization of user access to all information. In our approach to penetration testing for all clients, we strictly control access into client systems through heavily controlled and monitored gateways, and we establish protocols to ensure no PII or other sensitive data or files are extracted (even for analysis purposes) outside the client’s network perimeter.

To optimize the client’s budgets and security spend, we worked with the client’s IT and security team to design a multi-year testing program. Each test included a robust perimeter test and, in addition, a deep dive into the effectiveness of different security controls each year. The tested controls and testing approach were changed each year as the client’s security maturity evolved and their system and data priorities changed. In each successive year, we also tested that the client had learned from the previous year’s testing approach and demonstrated an ability to apply those lessons learned to other parts of its network. At the end of each test, the client and the assessment team brainstormed additional controls and processes that would not only harden the system but also share the assessment learning across the enterprise.

The results

Through this carefully designed multi-year assessment program, the client was able to quantifiably measure and demonstrate its commitment to evolving its security posture to its board and regulators. This strategy also enabled the IT team to optimize spend, adopting a rotated sampling approach, while implementing learnings and security improvements across the entirety of its complex network. Despite its modest-sized IT team, the client now demonstrates a security posture that is well above that of similar organizations in the healthcare industry.

* We do not publicly reveal clients' names for security reasons but can always provide references.