HIPAA and ISO 27001 Compliance for a Mental Health Organization
About Our Client
The Client is a nonprofit membership association for mental health and addiction treatment organizations across the US. For over 50 years, the organization has advocated for lifesaving legislation and provided state-of-the-science training on mental health and substance use challenges.
Lack of HIPAA and ISO 27001 Competencies Raised Compliance Concerns
The Client had security policies in use and under development but lacked in-house compliance competencies to ensure adherence to HIPAA and ISO 27001 standards. To close the knowledge gap, the organization was looking for a cybersecurity consulting provider with hands-on experience in healthcare compliance.
Seeing ScienceSoft’s 18 years of experience in healthcare IT and 20 years in IT security consulting, the Client approached us to review and improve its security policies.
Security Policies Assessment and Enhancement
ScienceSoft’s auditor assessed the compliance of the Client’s IT security policies with HIPAA and ISO 27001 requirements. The assessment revealed that the organization lacked policies and supporting documents for IT security risk assessment and management required by both HIPAA and ISO 27001.
As a next step, ScienceSoft drew up the missing documents, including:
- An asset inventory comprising asset passports with unique asset identifiers, asset assignment data (e.g., asset owner and custodian, asset use, storage), and asset security details (confidentiality, integrity and availability ratings, security class).
- A data classification policy based on the level of data sensitivity, value, and criticality to the organization’s operations and business continuity. This classification is fundamental to IT asset management and helps identify the risks associated with different data types and determine appropriate security controls.
- A risk management policy defining how to identify, assess, prioritize, manage, and mitigate information security risks under ISO 27001 and HIPAA. It presents a framework with templates and practices for performing, documenting, and monitoring risk management activities.
After creating the missing documents, ScienceSoft’s team conducted training on the new policies and procedures for the Client’s IT security team. During the training sessions, the Client’s team learnt about potential threats to the organization’s IT assets and how to perform cybersecurity risk assessments and asset management.
ISO 27001- and HIPAA-Compliant Security Policies Implemented within a Month
In just four weeks, ScienceSoft assessed the Client’s IT security policies against HIPAA and ISO 27001 and brought them into compliance. The Client got a complete picture of its IT assets, gained practical knowledge of cybersecurity risk assessment best practices, and established robust risk management procedures.
The Client is fully satisfied with our cooperation and plans to engage ScienceSoft again for penetration testing.
Cybersecurity Frameworks Used
- FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
- NIST SP 800-30 Guide for Conducting Risk Assessments.
- NIST SP 800-39 Managing Information Security Risk.
- ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management.
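The asset passport described above (unique identifier, owner and custodian, use, storage, and confidentiality/integrity/availability ratings) maps directly onto the FIPS 199 security categorization listed among the frameworks. The following Python module is an added example written for this page; it is not ScienceSoft’s or the Client’s deliverable. It assumes the passport’s “security class” is the high-water mark of the three FIPS 199 impact ratings (the rule FIPS 200 uses to select a control baseline), and all sample assets, owners and field names are constructed for illustration.

```python
"""Asset inventory with FIPS 199 security categorization.

Added example, not ScienceSoft's or the Client's code. It assumes the
asset passport fields named in the case study (unique identifier, owner,
custodian, use, storage, confidentiality/integrity/availability ratings)
and that the passport's "security class" is the high-water mark of the
three FIPS 199 impact ratings. All sample assets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# FIPS 199 potential impact levels, ranked so max() picks the highest.
IMPACT = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
LEVEL_NAME = {rank: name for name, rank in IMPACT.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class AssetPassport:
    asset_id: str         # unique asset identifier
    name: str
    owner: str            # accountable for the asset
    custodian: str        # operates it day to day
    use: str
    storage: str
    confidentiality: str  # LOW / MODERATE / HIGH
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        # Reject ratings outside the FIPS 199 scale when the record is created.
        for objective in OBJECTIVES:
            rating = getattr(self, objective)
            if rating not in IMPACT:
                raise ValueError(f"{self.asset_id}: invalid {objective} rating {rating!r}")

    def categorization(self) -> str:
        """FIPS 199 notation for one asset's security category."""
        parts = ", ".join(f"({o}, {getattr(self, o)})" for o in OBJECTIVES)
        return f"SC {self.name} = {{{parts}}}"

    def security_class(self) -> str:
        """High-water mark: the highest of the three impact ratings (assumed rule)."""
        return LEVEL_NAME[max(IMPACT[getattr(self, o)] for o in OBJECTIVES)]


def duplicate_ids(assets: List[AssetPassport]) -> List[str]:
    """Identifiers must be unique across the inventory; return any that repeat."""
    seen: set = set()
    dupes: List[str] = []
    for asset in assets:
        if asset.asset_id in seen:
            dupes.append(asset.asset_id)
        seen.add(asset.asset_id)
    return dupes


def system_categorization(assets: List[AssetPassport]) -> Dict[str, str]:
    """FIPS 199 section 3: for each objective, the highest rating across all
    assets the information system holds."""
    return {o: LEVEL_NAME[max(IMPACT[getattr(a, o)] for a in assets)] for o in OBJECTIVES}


def assets_of_class(assets: List[AssetPassport], level: str) -> List[str]:
    """Identifiers of assets in a given security class, e.g. to treat HIGH first."""
    return [a.asset_id for a in assets if a.security_class() == level]


# Constructed sample inventory (not the Client's real assets).
SAMPLE_ASSETS = [
    AssetPassport("AST-001", "member records database", "Membership director",
                  "IT operations", "member management", "on-prem SQL server",
                  "HIGH", "MODERATE", "MODERATE"),
    AssetPassport("AST-002", "public website", "Communications lead",
                  "hosting provider", "public information", "cloud VM",
                  "LOW", "MODERATE", "LOW"),
    AssetPassport("AST-003", "training video archive", "Training lead",
                  "IT operations", "staff training", "file share",
                  "LOW", "LOW", "LOW"),
]

if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(asset.categorization(), "->", asset.security_class())
    print("system:", system_categorization(SAMPLE_ASSETS))
    print("duplicates:", duplicate_ids(SAMPLE_ASSETS))
```

Keeping the ratings per objective rather than a single score is what lets the same inventory feed both the data classification policy (which objective drives the sensitivity) and the risk register (which assets to treat first); the per-objective system category is also the input a NIST SP 800-30 risk assessment expects.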