A global independent, not-for-profit innovator in health and health care education and training knew it needed to update its current processes and procedures for privacy, security, and compliance to meet evolving regulations and legislation. At the worldwide organization’s core, it believes everyone should get the best health care possible, while maintaining and protecting privacy. With the explosion of new privacy laws and regulations, the organization needed an expert to help navigate current requirements and create a plan that prepared for future changes for each nation in which it operates.
Our team, in collaboration with a cybersecurity partner, executed a comprehensive assessment of current practices related to the privacy, security, and integrity of personally identifiable information (PII) under the regulations of the various countries involved. We began with an assessment of the data, rather than with the regulations, which streamlined our compliance analysis and kept it strictly relevant to the activities of the organization. We determined how the applicable data privacy regulations of each nation, such as the General Data Protection Regulation (GDPR) of the European Union and similar statutes and regulatory schemes, apply to the organization’s data and data handling procedures.
Our team mapped data flows and the handling of PII and created Data Flow Diagrams (DFDs), which supported the assessment of legal requirements, including GDPR. We then used the DFDs together with the Center for Internet Security (CIS) Critical Security Controls (CSCs) framework to uncover gaps in privacy or information security and to recommend remediation actions. The CIS CSCs are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber-attacks.
This effort led to the design of a worldwide compliance program to cover all of the organization’s data collection and handling activities, even if it means doing more than is required in some nations. Additionally, we created a robust information security program to maintain compliance and readiness to respond to current and potential future legislation and regulations.
Benefit to Client
The not-for-profit innovator in health and health care education and training is now equipped with a complete assessment and plan for privacy compliance, information security, and procedures that will address current requirements and meet future needs. We provided a strategic roadmap that includes priorities, level of effort, defensive value, and more to facilitate remediation economically and effectively. The plan addresses both strategic and tactical aspects to aid in the evolution towards a proactive cyber defense posture.
We also provided updated information security policies, along with GDPR and risk assessment checklists, for use in maturing their Information Security Management System (ISMS). As part of this effort, we also provided incident response and training on the new internal processes and requirements to the appropriate stakeholders.