HRS Builds Up Security Program Within 6 Months

The Challenge

Seeking a solution to replace ad hoc systems, improve evidence collection and deliver expert guidance on SOC 2 compliance project

When Health Recovery Solutions (HRS), a telehealth solutions provider, began
preparation for its SOC 2 audit, they identified a major gap in their internal organization. The team was stretched thinly using disparate systems to collect evidence which reduced the ability to collaborate with an auditor and submit evidence for SOC 2.

Another key challenge stemmed from HRS’s organization size. With 150 employees,
HRS lacked the same level of resources as that of a larger organization. Requests were
often sent using Slack and important documents were kept in file share systems. This meant no tracking mechanisms or version control were in place.

Richard Gaglio, Vice President of Information Security at HRS, said improving access
requests, change management, and documentation management were top priorities to address these challenges and work toward a stress-free SOC 2 audit.

“SOC 2 doesn’t care if you’re a 150-person company, or a 15,000-person company,”
Gaglio said. “The bar’s the same. And trust me, at a 150-person company, it’s harder
because we have to do it all.”

Gaglio said the organization had agreed to push back its SOC 2 audit a few months to
“work with professionals who really know how to do this.” Ultimately, HRS landed with
the Ostendio platform and Professional Services.

The Solution

Initiated disciplined security procedures across the entire company, supported by an always-on, people-first risk management platform and expert guidance

Once HRS had access to the Ostendio platform, they jumped into action.

“The first thing we put into the platform was change management,” Gaglio said. “We
had to formalize our change management process because it was just ad hoc. It was all
over the board.”

In addition to change management, HRS utilizes multiple modules and features within
the Ostendio platform, including documentation, audit tasks, smart tickets for
onboarding and onboarding, asset management for access and business criticality, and
the built-in policy and procedure templates.

Ostendio also worked closely with HRS to identify A-LIGN as their SOC 2 auditor. HRS
collaborated with A-LIGN within the platform. This allowed them to have all their
evidence available and ready to present at any given moment.

Ostendio has been instrumental in ensuring that everyone throughout the organization
is trained and in compliance with the organizations’ policies and procedures.

Gaglio credits the combination of the platform and improved security disciplines to
empower the HRS team to be secure. This has come in the form of the platform’s built-
in notification reminders, compliance reports, acknowledgement requirements, and
smart tickets for onboarding and offboarding for an organized audit trail.

It wasn’t long before HRS went from 50 licenses to licensing the entire company to
ensure that everyone on the team could take advantage of the Ostendio platform.

The Result

HRS Achieves SOC 2 with less stress, uses repeatable workflows to scale for future security frameworks

Within six months, HRS built up its security program from scratch, and passed their SOC
2 Type 1 audit with the help of Ostendio and its Professional Services. Two months
after reaching their Type 1, they were able to get to the finish line with SOC 2 Type 2
compliance.

“[Our auditor praised us as] so well organized. But it wasn’t us–it was Ostendio and the tool that got us organized for this audit,” Gaglio said. “I can’t imagine anybody not wanting to do this. If an auditor has to hunt for evidence and ask questions, they get
irritated.” By leveraging the platform and Ostendio’s Professional Services as an
extension of their team, Gaglio said they not only impressed their auditor, but they could see progress in real-time as evidence was received, reviewed and accepted.

Using audit tasks across the entire organization also ensured everyone was organized and up-to-date on SOC 2 tasks.

Within six months, HRS achieved a 180-degree turnaround of its security program,
Gaglio said. “I’m very satisfied knowing that we started in December with 198 red audit
items and [passed our] SOC 2 Type 1 Certification in June.”

“[Ostendio] is really making sure we’re secure in our patients’ data and our clients’ data,”
he said. “That’s what it’s all about at the end of the day.”

HRS Security Engineer Michael Dadurian summed up his experience working with the
platform and Ostendio professional services, stating, “It felt like a partnership from the
beginning.”

HRS now uses Ostendio for all its audit functions.

"[Ostendio] is basically our foundational audit tool right now,” Gaglio said. The team now uses the platform for quarterly self-risk reviews by departments and relies on the built-in reminders to ensure the team is up-to-date on compliance and training.

“We’ve taken the tool and really embraced it and are using it to the best that we can at
this point. And I’m sure there’s so many more things we can do with it.”

“[Our auditor praised us as] so well organized. But it wasn’t us–it was Ostendio and the tool that got us organized for this audit. I can’t imagine anybody not wanting to do this."

Richard Gaglio, Vice President of Information Security, HRS

About Health Recovery Solutions

Health Recovery Solutions (HRS) supplies leading health systems, physician groups, and home health organizations with the most advanced remote monitoring platform focused on changing patient behavior to reduce readmission and improve clinical outcomes. HRS' disease-specific telehealth solutions are customized with educational videos, care plans, and medication reminders, while also integrated with Bluetooth peripherals for advanced clinical monitoring.

Case Study