Here at BlueSteel Cybersecurity, we have leveraged Ostendio to develop a humanized security program for CareSight and our journey is depicted in the following article.
Seeking Virtual CISO to launch, manage, and scale CareSight’s cybersecurity and compliance program
Caresight is an advanced reporting and analytics-as-a-service solution that works with healthcare institutions across the US to deliver actionable data to reduce risk and improve caregiver and patient experience.
In order to properly conduct business with these institutions, CareSight was looking to expand and enhance its security program so that it would protect patient data using a contemporary approach that aligned with the health systems and hospitals that they serve. As a smaller organization with limited internal resources and no dedicated in-house security personnel, the patient care analytics company looked outside their team to us for support.
CareSight decided to conduct a search for a virtual CISO to address their cybersecurity needs and BlueSteel’s strengths in control monitoring, policy and procedure management, information repository, and security consulting aligned perfectly with what CareSight was looking for.
Ali Allage, CEO of BlueSteel Cybersecurity, shared that when CareSight reached out, they knew they needed a robust security program, but were not sure where to begin. “CareSight was looking for an organization to help them navigate a compliance journey for which they didn’t have a dedicated internal resource or existing provider. At the same time, they wanted to work with tools and resources that enabled failsafe workflows and could make maintaining compliance easier for them in plain view.”
Ostendio is a people-first, technology-driven risk management platform and BlueSteel was able to leverage this platform to deliver an operationalized security program centered around CareSight’s people to ensure an always-on and always-auditable security posture.
BlueSteel Cybersecurity guides CareSight to NIST 800-171 with frictionless, humanized security and compliance utilizing a centralized people-first risk management solution
After determining that a NIST 800-171 Security Program would satisfy CareSight’s business requirements, BlueSteel started to create new policies and procedures for a variety of control groups, which included Access Control, Security Awareness Training, Configuration Management, Identification and Authentication, Incident Response, Risk Assessment, Hardware and Software Security and Asset Management, and System and Information Integrity.
Allage stated, “Once we identified the necessary controls and gaps, we were able to help navigate and utilize some of the tool sets that we have to fit the control requirements that aren’t currently in place.”
BlueSteel implemented CareSight’s security program using the Ostendio platform to operationalize the consolidation and management of key documents, training, reports, and security workflows as well as helped to onboard CareSight’s team to the platform, ensuring that their staff members were fully trained in security awareness to satisfy their compliance. Putting in place these processes not only ensures the security of every piece of information but also the organization and accessibility for team members.
“We’re using most if not all the modules that are available to manage CareSight’s security and compliance,” Allage said. “We’re trying to leverage every aspect of it that we can.”
Ostendio has been a critical tool in capturing key data that may have otherwise slipped under the radar, including identifying excess active software licenses, software, and managing hardware life cycles.
“Ultimately that’s one of the challenges when it comes to a security program – the amount of information and the number of swim lanes that must be wrangled together in a central place to provide intuitive visual communication for the organization’s security,” Allage stated.
BlueSteel Cybersecurity found that implementing the program using Ostendio also created a much more collaborative environment for CareSight where they are not overwhelmed by hundreds of controls. “Imagine what a spreadsheet could look like when you’re trying to manage all those swim lanes. It’s a nightmare,” mused Allage. “Ostendio has supported our promise of humanizing cybersecurity, allowing us to represent the security program in a consolidated and clear communicative space.”
CareSight gains/has gained peace of mind with its cybersecurity, allowing more time to focus on its primary business objectives
In a featured BlueSteel Cybersecurity review, CareSight shared that even as a boutique company, it is important for them to operate at the same security level as multinational corporations. “BlueSteel has delivered on this objective, with exceptional project management and effective communication.”
BlueSteel’s approach combined with people-first tools like Ostendio ensures that every aspect of the security program feels connected, giving CareSight confidence that the program will succeed. A particular favorite of their team has been the ability to edit and manage documents without ever leaving the platform. Allage reflects on the project stating that the caresight team loves the platform and that they have the ability to log in and easily find what they are looking for.
They no longer have the stress of thinking about their security with the tools and experts supporting them, which has allowed them to get back to focusing on their business and scaling their products with full confidence that they are secure and in compliance at all times. They also have the security of knowing if they ever need to pivot how they do business or add new technologies to their product line so that their security program can easily scale with them.
Allage urges other clients who were in CareSight’s position to focus on proper time management and preparation in building their security programs.
“It is important to be selective about the companies they partner with, as companies that see their security program as an investment can make their compliance journey pain-free and even implement a serious security program in less than a year. Waiting until the last minute is painful for everyone and is probably the most expensive decision or mistake that any organization can make.”
“There’s a lot of promises of Quick certifications and quick audits – they never seem to work out the way they’re intended. Being able to tout the fact that you are a secure operation and that you are able to follow guidelines and rules that are set to protect the information of your end customers is key.”