Introduction
In the healthcare industry, health insurance plan providers often rely on third-party
suppliers for essential services. This case study focuses on a supplier providing
healthcare reimbursement services, including Health Savings Accounts (HSA), Flexible
Spending Accounts (FSA), and Health Reimbursement Arrangements (HRA), to a not-for-profit health insurer in Pennsylvania, USA. The supplier was under intense pressure to
provide independent third-party assessments covering HIPAA, PCI DSS, and
SOC 2 Type II. Failure to meet these requirements threatened their relationship with
the client.
Challenge
A risk assessment revealed that the supplier’s information security posture required
significant improvement. The initial evaluation highlighted an inability to meet HIPAA
and PCI DSS compliance, exposing numerous gaps and vulnerabilities. Both senior
leadership and middle management lacked accountability, and the staff’s technical
skills were insufficient to meet compliance requirements and best practices.
Solution
A thorough risk assessment identified and prioritized critical noncompliance issues
related to healthcare and payment card information handling. The most challenging
hurdle was explaining to senior leadership and the board of directors the risk posed by these
noncompliance issues and why they mattered to the business, our clients, and our
clients' customers. Simple risk reporting and visualizations helped secure the
necessary funding and resources to implement a tailored treatment plan.
To achieve HIPAA compliance, policies and standards were revamped, and
technology support was enhanced. In some cases, risk was avoided or transferred:
in-house payment processing, including call center technology, was outsourced to a
third-party processor, and a records/media destruction procedure was implemented
for the payment records. Cybersecurity insurance was established to accurately
reflect the company’s risk appetite.
For long-term solutions, a governance framework was created to oversee
information security initiatives and ensure alignment with business goals. A risk
management program was implemented to continuously identify, assess, and
mitigate risks. Annual independent assessments ensured ongoing compliance with
HIPAA and PCI DSS.
Business Outcome
The implementation of the action plan led to significant improvements in the supplier’s information security posture. Accurate risk reporting and annual independent assessments enabled the board of directors to make informed decisions. Anthony’s leadership was instrumental in ensuring regulatory compliance and maintaining a critical client relationship. Under his guidance, the organization not only met all regulatory requirements but also fostered sustained growth and trust with the client for many years.
Conclusion
This case study demonstrates the importance of a comprehensive and strategic approach to information security. By performing internal and independent risk assessments in line with regulations, the supplier was able to turn around their compliance status and build a stronger relationship with their client.