AristaMD’s care transition solutions, including eConsult and referral management tools, empowers providers to conduct electronic physician-to-physician consultations, facilitates the selection and scheduling of in-person specialist visits, triggers automatic follow-up activities critical to patient care, and schedules peer-to-peer reviews for insurance authorization. Electronic referral management and eConsults significantly improve the patient referral process and deliver greater access to timely, equitable, high-quality care.
AristaMD, a digital healthcare company specializing in care transition solutions, including referral management and physician-to-physician electronic consultations, was starting to scale its solutions rapidly across the country when it recognized the need for a robust solution on which to manage its security program. This solution ultimately needed to streamline the company’s SOC 2 audit readiness and regulatory compliance efforts.
AristaMD sought out a solution that could tie all of its security must-haves into one platform to replace the inefficient and time-consuming process of using a disparate file share system.
“There was no question that we needed more automation and controls around the process,” said Jim Nathlich, Director of Information Systems at AristaMD. According to Nathlich, compliance audits involved “a collection of files organized but difficult to manage. There were more iterations, more back and forth, and more work to try and get the evidence that [auditors] wanted.”
Nathlich said training, acknowledgment and ease of collaboration with external auditors for the company’s SOC 2 Type 2 were the driving factors that influenced AristaMD to choose Ostendio.
“Ostendio helped us during every step of the process - setting up policies and procedures, as well as finding a good assessor that would work with MyVCM."- Jim Nathlich, Director of Information Systems, AristaMD
“If you need to justify your compliance, if you actually need to work with potential clients and customers and communicate that you understand the guts behind the compliance, as well as doing it in spirit, instead of just talking the talk, then you need an actual toolset and a platform like Ostendio’s MyVCM.” - Jim Nathlich, Director of Information Systems, AristaMD
As a first order of business, Ostendio worked closely with AristaMD to identify A-LIGN, an auditor that was not only reputable in their field, but also familiar with the MyVCM platform, to drive further efficiencies in the process of requesting and sharing relevant security and compliance information.
From the beginning, MyVCM was instrumental in helping AristaMD not only pass the SOC 2 audit for the last three years, but also streamline audit preparation.
"Ostendio helped us during every step of the process - setting up policies and procedures, as well as finding a good assessor that would work with MyVCM,” Nathlich said. “We used MyVCM to collaborate during the external assessment and review the evidence of SOC 2 implementation."
Nathlich attributes the efficiencies and ease of completing their SOC 2 audit to being able to easily track user training and policy acknowledgement.
“MyVCM was helpful with training,” he said. “They’ve connected AristaMD with KnowBe4, which allowed us to administer and track the training that our users complete during onboarding, and the annually.” Nathlich is able to easily track the entire organization's training progress and tie everything back to AristaMD’s SOC 2 controls.
AristaMD reduced their SOC 2 preparation time significantly with the use of MyVCM.
Now that AristaMD can easily collaborate with A-LIGN within the MyVCM platform and reduce the need to manually compile and demonstrate evidence, Nathlich attributes at least a 30% savings of time and related costs to prepare for a SOC 2 audit.
A process that once required hours to prepare and assign evidence is now streamlined, and has made subsequent decisions more predictable and stress-free. As a result, Nathlich can now devote more time to DevOps while maintaining confidence in the audit results.
“My team is responsible for security and infrastructure, as well as compliance. For us to be able to handle the breadth of all those disciplines wouldn’t be possible without the kind of efficiencies we get out of MyVCM,” Nathlich said.
Beyond completing the SOC 2, AristaMD also works with Ostendio Professional Services to complete other risk exercises and framework preparation, including completing a Business Continuity Plan and HITRUST readiness. MyVCM’s Crosswalk functionality and Ostendio’s engagement in these processes have further increased efficiencies and created less redundant tasks for the organization.
While Ostendio has significantly helped speed up AristaMD’s SOC 2 and other compliance audits, Nathlich says he’s confident that the integrity of its reports remains intact.
“When you have a hosted collaborative process, you learn more about it, you have a better idea of what’s going on, you understand what controls are there and what they’re there for,” Nathlich said.
MyVCM has also brought certainty and confidence to AristaMD’s SOC 2 completion and recommends the platform to any organization that wants to justify its SOC 2 or regulatory compliance.
According to Nathlich, Ostendio’s platform just adds a unique level of care to compliance and security.
“If you need to justify your compliance, if you actually need to work with potential clients and customers and communicate that you understand the guts behind the compliance, as well as doing it in spirit, instead of just talking the talk, then you need an actual toolset and a platform like Ostendio’s MyVCM.”