Since the COVID-19 pandemic, many not-for-profit healthcare companies that offer comprehensive health insurance and administrative services to patients have added a virtual primary care practice available to health plan members, making it easier for patients to obtain care remotely and eliminating the need to travel.
Healthcare industry leaders agree that people deserve an enhanced, modern care experience that meets their expectations, needs, and preferences for choice in how they connect and experience care. It is estimated that nearly 40% of patients using these services don’t have a primary care physician (PCP). These virtual services help fill critical gaps for many patients, particularly those who lack a PCP, by expanding the network of providers and making it easy to access the care they seek 24 hours a day, seven days a week.
The healthcare facilities usually make their patient-access app available for download on both the Android and Apple app stores. The service is available 24/7/365 and staffed by high-quality providers.
Plan to Add In-Person Clinics Requires Technology Expansion
While this healthcare facility’s virtual service has always recommended in-person healthcare visits where and when needed, after years of successful operation the company decided to acquire a group of existing physical “brick-and-mortar” healthcare provider clinics to merge and vertically integrate with their virtual service.
Integrating these locations would mean merging their information processing and communications capabilities, as well as aligning and improving the security and compliance systems in place to satisfy regulatory requirements and assure patient privacy. They had several top-priority issues:
- Achieve HIPAA and other applicable security and compliance levels.
- Immediately close critical security and compliance gaps.
- Transition operations with minimal impact on the business, making the change a non-event for the acquired company’s clinical and administrative employees.
- Establish a foundation for integrating the physical healthcare services with their virtual primary and urgent care services into a hybrid healthcare delivery model.
AIS Ensures Effective Cybersecurity and Regulatory Compliance
AIS was engaged to accomplish these and many subsequent related objectives. AIS has recently completed several critical projects for this healthcare client and has proven to be the preferred provider for integration of the acquisition. We have consistently delivered impactful results to commercial and federal clients in the healthcare sector, ensuring HIPAA compliance and fulfillment of other healthcare requirements while securing data and information from threats, and demonstrating comprehensive capabilities in providing and managing IT and security programs.
AIS launched the project by first helping the healthcare company meet its near-term objectives: transitioning the newly acquired clinics into their IT operations while closing high-priority security and compliance gaps. This initial project also informed how we would work with the client to best structure a newly joined Managed Services Operation (MSO), which would help them most effectively achieve the longer-term roadmap of vertically integrating the virtual and brick-and-mortar components into a highly efficient hybrid healthcare delivery model.
Having established an MSO that would allow the newly joined operation to function in practical alignment and compliance with all necessary regulations, we set about our customary approach for assuring continued compliance:
- Conduct onsite security assessments for each location.
- Develop a security action plan.
- Provide security and risk advisory consulting services.
These steps would result in the Security Action Plan used to plan and prioritize all tasks in subsequent phases of the work.
AIS also helped plan for the continuing management and securing of all physical devices, including laptops, mobile phones, servers, and the applications running on them, along with secure, efficient access to all of them. All of these would send their logs to a centralized security information and event management (SIEM) system.
Structuring Around the AIS Security Delivery Framework
The proprietary AIS Security Delivery Framework (SDF) draws upon forty-plus years of securing highly regulated industries, providing a proven, reliable security delivery framework supported by repeatable processes and expert guidance to successfully overcome the many challenges involved. Our framework also aligns with industry standards such as the NIST Cybersecurity Framework, the Healthcare Cybersecurity Framework, NIST SP 800-66, the Center for Internet Security (CIS) Critical Security Controls, and Zero Trust. AIS’s SDF supplies a managed repository of playbooks, patterns, and templates to guide security teams effectively for swift, efficient execution.
Given the need to integrate the existing security and compliance operations of the newly acquired locations into the company’s operations, including the demanding requirements of the Health Insurance Portability and Accountability Act (HIPAA), AIS chose the National Institute of Standards and Technology (NIST) SP 800-66 HIPAA questionnaire and checklist to evaluate their current cybersecurity compliance. This approach allows HIPAA compliance activities to be mapped to the other standards in use.
Assessing the Current State of Security for the New Locations
We begin every project of this nature with a systematic, rigorous, and comprehensive assessment of security posture. This includes gathering and reviewing existing documentation, capturing the existing baseline inventory, categorizing systems based on security levels and data types, and fully assessing the security and data protection measures already in place.
Developing the Security Action Plan
Based on a careful analysis of the results of the current state assessment, AIS developed a detailed security action plan using a phased approach that strategically targets each identified security gap. This plan was meticulously tailored to align with the organization’s specific business needs to provide a roadmap from which to systematically enhance security measures and achieve compliance with regulatory requirements.
Joint Plan Deployment Assures Thorough Knowledge Transfer
Upon acceptance of all plans, deployment was executed jointly by the client’s IT staff, the IT personnel just joining from the acquired locations, and the AIS team. This made it easy for AIS to ensure effective knowledge transfer, giving the onboarded personnel the ability to operate the resulting systems and maintain effective security and compliance in the long term.
The healthcare company will continue to avail itself of the many ongoing support and service programs provided by AIS, including extensive IT Operations and Service/Asset Management Services and Security Operations Center-as-a-Service (SOCaaS), which provides 24-hours-a-day, 7-days-a-week security monitoring with threat detection and response. This enables rapid vulnerability identification, risk mitigation, and management to reduce the risk of a data or security breach.
This healthcare company benefited greatly from their partnership with AIS, which was powered by our team’s innovative solutions, robust methodologies, and, most importantly, our exceptional and skilled team members. Their new hybrid virtual and physical service model thrived as a result of this collaboration.
Seeking similar outcomes?
Learn how AIS can help you implement technology solutions that deliver real business results.