HIPAA and ISO 27001 Compliance for a Mental Health Organization

Industry
Healthcare, Education

About Our Customer

The Customer is a nonprofit membership association for mental health and addiction treatment organizations across the US. For over 50 years, the organization has advocated for lifesaving legislation and provided state-of-the-science training on mental health and substance use challenges.

Lack of HIPAA and ISO 27001 Competencies Raised Compliance Concerns

The Customer had security policies in use and under development but lacked in-house compliance competencies to ensure adherence to HIPAA and ISO 27001 standards. To close the knowledge gap, the organization was looking for a cybersecurity consulting provider with hands-on experience in healthcare compliance.

Seeing ScienceSoft’s 18 years of experience in healthcare IT and 20 years in IT security consulting, the Customer approached us to review and improve its security policies.

Security Policies Assessment and Enhancement

ScienceSoft’s auditor assessed the compliance of the Customer’s IT security policies with HIPAA and ISO 27001 requirements. The assessment revealed that the organization lacked policies and supporting documents for IT security risk assessment and management required by both HIPAA and ISO 27001.

As a next step, ScienceSoft drew up the missing documents, including:

  • An asset inventory comprising asset passports with unique asset identifiers, asset assignment data (e.g., asset owner and custodian, asset use, storage), and asset security details (confidentiality, integrity and availability ratings, security class).
  • A data classification policy based on the level of data sensitivity, value, and criticality to the organization’s operations and business continuity. This classification is fundamental to IT asset management and helps identify the risks associated with different data types and determine appropriate security controls.
  • A risk management policy defining how to identify, assess, prioritize, manage, and mitigate information security risks under ISO 27001 and HIPAA. It presents a framework with templates and practices for performing, documenting, and monitoring risk management activities.

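The asset passport and data classification documents listed above pair each asset with confidentiality, integrity and availability ratings and a security class, which is exactly the input FIPS 199 (cited under the frameworks used below) consumes: the overall security category of an asset is the high-water mark of its three impact ratings. The following Python is an added illustration of that mechanism, not ScienceSoft's or the Customer's own documents or tooling; the asset names, owners, data classes and the policy floor per data class are constructed sample values. It keeps unique asset identifiers, computes the FIPS 199 category per asset, and flags assets whose confidentiality rating falls below the minimum their data class requires under the classification policy.

```python
"""Minimal asset inventory with FIPS 199 security categorization.

Hypothetical illustration: the data classes, policy floors, asset names, owners
and ratings below are constructed sample data, not the Customer's inventory.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Impact(IntEnum):
    """FIPS 199 potential impact levels; the ordering drives the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Data classification policy (constructed example): each data class carries the
# minimum confidentiality impact an asset holding that data must be rated at.
DATA_CLASS_MIN_CONFIDENTIALITY: Dict[str, Impact] = {
    "public": Impact.LOW,
    "internal": Impact.MODERATE,
    "phi": Impact.HIGH,  # protected health information under HIPAA
}


@dataclass(frozen=True)
class AssetPassport:
    asset_id: str
    name: str
    owner: str       # accountable for the asset
    custodian: str   # operates and maintains it day to day
    use: str
    storage: str
    data_class: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def security_category(self) -> Impact:
        # FIPS 199 high-water mark: overall category is the highest of the three ratings
        return max(self.confidentiality, self.integrity, self.availability)

    def fips199_expression(self) -> str:
        # Renders the categorization in the notation FIPS 199 uses
        return (f"SC {self.name} = {{(confidentiality, {self.confidentiality.name}), "
                f"(integrity, {self.integrity.name}), "
                f"(availability, {self.availability.name})}}")


class AssetInventory:
    def __init__(self) -> None:
        self._assets: Dict[str, AssetPassport] = {}

    def add(self, asset: AssetPassport) -> None:
        # Identifiers must be unique; a duplicate is a registration error, not an update
        if asset.asset_id in self._assets:
            raise ValueError(f"duplicate asset identifier: {asset.asset_id}")
        if asset.data_class not in DATA_CLASS_MIN_CONFIDENTIALITY:
            raise ValueError(f"unknown data class: {asset.data_class}")
        self._assets[asset.asset_id] = asset

    def get(self, asset_id: str) -> Optional[AssetPassport]:
        return self._assets.get(asset_id)

    def policy_violations(self) -> List[str]:
        """Assets rated below the confidentiality floor their data class requires."""
        findings: List[str] = []
        for a in self._assets.values():
            floor = DATA_CLASS_MIN_CONFIDENTIALITY[a.data_class]
            if a.confidentiality < floor:
                findings.append(
                    f"{a.asset_id} ({a.name}): holds {a.data_class} data but is rated "
                    f"confidentiality={a.confidentiality.name}; policy floor is {floor.name}")
        return findings

    def by_category(self, category: Impact) -> List[AssetPassport]:
        return [a for a in self._assets.values() if a.security_category() == category]


def build_sample_inventory() -> AssetInventory:
    """Constructed sample data for demonstration purposes."""
    inv = AssetInventory()
    inv.add(AssetPassport("AST-0001", "Member records database", "CIO", "DBA team",
                          "stores member and patient contact data", "on-prem SQL cluster",
                          "phi", Impact.HIGH, Impact.MODERATE, Impact.MODERATE))
    inv.add(AssetPassport("AST-0002", "Public website", "Communications", "Web team",
                          "publishes training schedules", "hosted CMS",
                          "public", Impact.LOW, Impact.MODERATE, Impact.LOW))
    # Deliberately mis-rated sample: holds PHI but only MODERATE confidentiality
    inv.add(AssetPassport("AST-0003", "Training file share", "Education lead", "IT ops",
                          "case materials for clinicians", "departmental NAS",
                          "phi", Impact.MODERATE, Impact.LOW, Impact.LOW))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for asset_id in ("AST-0001", "AST-0002", "AST-0003"):
        asset = inventory.get(asset_id)
        print(asset.fips199_expression(), "->", asset.security_category().name)
    for finding in inventory.policy_violations():
        print("POLICY VIOLATION:", finding)
```

Running the script prints the FIPS 199 expression and overall category for each sample asset and one policy violation for the file share, which is the kind of gap a risk assessment under NIST SP 800-30 would then pick up as a finding to treat.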
After creating the missing documents, ScienceSoft’s team conducted training on the new policies and procedures for the Customer’s IT security team. During the training sessions, the Customer’s team learnt about potential threats to the organization’s IT assets and how to perform cybersecurity risk assessments and asset management.

ISO 27001- and HIPAA-Compliant Security Policies Implemented within a Month

In just four weeks, ScienceSoft assessed the Customer’s IT security policies and enhanced their compliance with HIPAA and ISO 27001. The Customer got a complete picture of its IT assets, gained practical knowledge of cybersecurity risk assessment best practices, and established robust risk management procedures.

The Customer is fully satisfied with our cooperation and plans to engage ScienceSoft again for penetration testing.

Cybersecurity Frameworks Used

  • FIPS 199 Standards for Security Categorization of Federal Information and Information Systems.
  • NIST SP 800-30 Guide for Conducting Risk Assessments.
  • NIST SP 800-39 Managing Information Security Risk.
  • ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management.
