Everrtech: ISO 27001 & HIPAA Compliance for Enhanced Healthcare Data Security
Everrtech was founded in 1998 and has since become a significant participant in the medical imaging industry. It caters to specialized markets with potential for long-term growth by offering effective and future-proof products, and has proven itself a dependable partner with stable and scalable solutions globally.
BUSINESS DRIVER FOR ISO 27001 & HIPAA
Organizations in the healthcare industry all over the world are becoming increasingly interested in protecting their patients’ information; in the United States, however, this need dates back to 1996, when HIPAA (Health Insurance Portability and Accountability Act) was enacted, regulating the use and disclosure of protected health information (PHI) held by covered entities and their business associates. This use case describes the combined implementation of HIPAA and ISO 27001:2013 for an organization that handles medical data.
Everrtech’s vision and mission are focused on delivering the best medical-software solutions to its clients. Because the company is based in India and works with clients in the US and other countries, its top management wanted a meaningful scope that would cover the entire organization, given the commercial goal of adopting best practices, namely an ISMS and HIPAA compliance, for the development of the organization and its ability to serve society in its field.
The Chief Information Security Officer (CISO) appointed by Everrtech’s management to implement the compliance program states: “It was critical to create an all-inclusive strategy to ensure the business process adapts to HIPAA and the ISMS, where all personnel felt engaged in the process of compliance.”
- Consultancy Partner:
At the beginning of the certification process, Everrtech realized that it would benefit from the experience and skills of a consulting and training firm with a track record of establishing management systems, or improving existing ones, for both ISMS and HIPAA. Before fine-tuning and adapting existing documentation, filling in gaps, and assisting in the establishment of a management system in line with the requirements of both standards, the consultant has to spend extensive time studying the client’s culture and existing processes. Everrtech therefore decided to partner with CertPro, which provides consulting services with a systematic and carefully guided approach.
Everrtech was no stranger to risk assessments, given that it works in a highly regulated industry. Even so, it found the risk analysis stage helpful and benefited from CertPro’s experience and skills, notably in meeting the ISO 27001 and HIPAA requirements together.
CertPro’s consultants applied a single Plan-Do-Check-Act (PDCA) cycle to the risk assessment for both the ISMS and HIPAA. This reduced the time demands on Everrtech’s managers while still producing meaningful assessment reports and all of the documentation required by both standards.
Raising awareness of the sensitivity of working with medical data and of the importance of information security was a major milestone in this project. Accordingly, the awareness sessions were attended by all members of staff, from the most junior to the most senior.
- Developing an Integrated Management System:
Before initiating the ISO 27001 and HIPAA certification programs, Everrtech had already built a range of well-developed policies, processes, and implementation strategies for ISO 13485:2016*. The company had always placed a high value on protecting client information. CertPro helped Everrtech extend its management system with continuous-improvement features, ensuring that best practices were followed consistently. The clearest example of this was the integration of the incident reporting process with the corrective and preventive action processes.
On CertPro’s advice, Everrtech implemented a reporting mechanism in which employees were urged to submit any incident to a central location monitored by the CISO and a review team, so that information security and HIPAA incidents could be dealt with through one process.
Involvement of Staff and Top Management
From the first day of the HIPAA and ISMS project, the Executive Management Team was unanimous in its support for both frameworks. They were always seen as a logical extension of the organization’s commitment to protect its members’ interests, avoid complacency, continually improve its management systems, and adopt best practices in securing information.
The absolute commitment of senior management to the project sent a clear, unmistakable message about the importance of HIPAA and the ISMS at Everrtech.
VALUE DERIVED FROM CERTPRO
The integrated management system, with a single incident reporting and incident management process for both HIPAA and the ISMS, has streamlined and simplified the corrective and preventive action procedures. As a result, Everrtech’s team is prepared to contain any breach of data.
- Classification of Information:
Establishing HIPAA and ISMS compliance for processing and managing client information benefited Everrtech by making the handling of data straightforward. This was achieved through an organization-wide “information classification and handling process,” which encouraged employees to be more aware of what they share and to evaluate how best to communicate information externally. Protection of PHI in all forms became the top priority once everyone at Everrtech became aware of how such information is classified and separated from the rest of the data.
Overall, Everrtech believes that by adopting the more structured approach suggested by CertPro, it will be better prepared to avoid disruption in the first place and confident of minimizing disruption should an incident occur. This particularly benefited its US-based clients, who saw Everrtech as fit to handle PHI without any discontinuity in service.
- Business Point of View:
HIPAA is widely regarded as the most influential law securing medical data, and ISO 27001 is the leading information-security standard defined by the International Organization for Standardization (ISO). The continuous-improvement platform set up with CertPro will therefore help Everrtech secure data consistently, abide by the regulations of different countries, and open up new markets worldwide.
*ISO 13485:2016 – Medical Devices – Quality Management System