US-Based Tech Company Hires vCISO: A Case Study

By Adam Kehler on September, 3 2020

Get latest articles directly in your inbox, stay up to date

Over the last few months I have had the opportunity to work with a health technology company based in California who was looking to break through in the healthcare space. I wanted to share the highlights of their story today as their challenge is one we see within many organizations.

Our client approached us with a very common need: 'We are required to comply with HIPAA and potentially HITRUST, SOC2, and ISO and we need help to get there.'

This isn’t an uncommon request for our Risk, Security and Privacy team and we quickly worked with the client to respond.



Let’s address the immediate need and put out the fire.


Our client was required to pass a rigorous vendor security questionnaire. They had a strong technical team including Software Engineers and Architects; however they did not have the sufficient in-house experience to document, describe, and explain security controls in a manner that regulators and auditors expect. Online’s team of security experts worked with their in-house team to log and translate existing security controls, document gaps, and oversee remediation.


Achieve HIPAA Compliance


The client’s next priority was HIPAA Compliance. Compliance is critically important but can’t just be looked at in isolation. With that in mind, we encouraged them to take a look at the bigger picture and set up a formal security program to put them on a trajectory to meet compliance requirements and questionnaires now, and in the future.


I think this is important. When companies look only at checking compliance and vendor checkboxes, they end up in a reactive mode with each new requirement as they appear. By setting up the security program strategically, companies will be ready for the questionnaires and compliance requirements and it won't be a fire fight every time they are presented with a new request. A security program is the key to regularly manage and measure information security as the organization grows and matures.


Our team immediately started the process of putting a security program in place, while ensuring that it also met the requirements of the HIPAA Security Rule.


Initial steps were:

  • Document and approve a comprehensive Information Security Policy
  • Conduct a Security Risk Assessment
  • Implement a Security Risk Management process
  • Setup a Security Team to track remediation and make risk-based decisions


By performing these steps, we were able to help the organization achieve compliance with the HIPAA Security Rule in seven months and when the next vendor security assessment occurred, the team was well prepared and able to quickly address minor remediation steps required. Additionally, by performing these actions, the organization was well on its way to achieving and maintaining ISO 27001 and SOC2 Type II Certification.


How Online’s RSP team can help with compliance needs

Many organizations, whether healthcare providers or the vendors that support them, have regulatory compliance requirements such as HIPAA, but often don't have the in-house expertise to achieve and demonstrate that compliance effectively.


Our vCISO team has a proven track record of not only helping these clients achieve and maintain compliance, but also building a security program that:

  • Fits the organization's needs without being overly burdensome
  • Implements reasonable security controls to help protect the organization against the most likely threats
  • Lays the foundation to grow as the business grows


If you are a healthcare organization that is looking to avoid compliance penalties but aren’t able to employ a full-time CISO to implement the appropriate security strategy; our security team can provide you with a complimentary assessment that will help you identify your needs and threats.

Click here to receive a complimentary scope assessment.

Submit a Comment

Get latest articles directly in your inbox, stay up to date