A major U.S. city's health department reduces personal health information security risks with Everforth Apex’s assessment and mitigation strategies.
SITUATION
Our client required a comprehensive security program risk assessment to examine their electronic personal health information (ePHI) security systems. The CIO sought a third-party security provider capable of conducting an in-depth analysis of their existing security controls and providing a strategic plan for remediation, aligned with Health Insurance Portability and Accountability Act (HIPAA) requirements. Everforth Apex was chosen to complete this critical risk and advisory engagement due to our specialized team and proven track record.
Identified and Remediated 13 Critical Security Gaps
The Everforth Apex risk assessment process strategically identifies potential cybersecurity and IT system vulnerabilities and implements measures to manage and mitigate these risks effectively. Utilizing the HIPAA Security Rule framework, we meticulously evaluated our clients', and the city IT department’s, ePHI security controls. The Everforth Apex team collaborated with key units—cybersecurity, technology, HR, and compliance—to map out technology insights, identify risks, implement controls, and conduct risk workshops with technical evaluations. The Everforth Apex team also performed a complete physical and logical controls walkthrough of the client's facilities, further advising on enhancements to physical security measures, such as advanced camera systems and locking mechanisms.
RESULT
The assessment identified 13 critical risks within the client's ecosystem and a disconnected communication channel between IT and security. Everforth Apex developed a robust risk tool to highlight security gaps and provide mitigation strategies, aligned with industry best practices and regulatory mandates. This tool offered our client a comprehensive mechanism to document, track, and oversee security risks. It became the centralized hub for increasing visibility and communication on security risks within the IT and security groups. Additionally, it served as a dynamic instrument for the client to continuously monitor and guide remediation initiatives. The significant reduction in risk exposure, coupled with the closure of several security gaps, immediately earned our client’s trust, resulting in a strong ongoing partnership.