
Case Study

Rapidly scaling healthcare company SilverStay implements an efficient and robust InfoSec program to meet stringent hospital customer PHI requirements



The Challenge

In need of a highly scalable, robust security and compliance program to meet the needs of health system customers

SilverStay, a healthcare organization specializing in arranging care solutions for complex patients exiting the health system, identified the need to improve and scale their security and compliance across the organization as they attracted new clients.

Customer growth was driving a rapid increase in clinical documentation and PHI, and the organization recognized a need to enforce HIPAA compliance more rigorously, but didn’t have the bandwidth to get started.

“Working in healthcare, we’re seeing a tremendous amount of protected health information,” said Patrick Mish, CEO of SilverStay. “I knew that we were evolving to a point where we needed to get a more robust security framework that aligned with guidelines provided by HIPAA.”

While SilverStay already practiced security across the organization, they were now focusing on a more stringent framework, with the goal of strengthening evidence collection to easily demonstrate their security.

According to Mish, the turning point came after receiving an 80-question security questionnaire. Without a dedicated security team on staff, he turned to Ostendio Professional Services for support.

The Solution

SilverStay tackles incoming security questionnaires with improved evidence collection and people-first policies and procedures to align with HIPAA

When Mish approached Ostendio, CEO Grant Elliott candidly described what HIPAA would entail.

“Grant indicated this is not a black and white kind of thing. HIPAA’s more of a journey,” Mish said. “And he laid it out in a way that made a lot of sense and highlighted the framework that Ostendio has in place with the user-friendly platform and services that bring it all together very easily.”

Upon implementing Ostendio’s platform, SilverStay began prepping assets and evidence with the help of Ostendio Professional Services. Professional Services provided what Mish described as an “outsourced co-CISO” that helped architect the compliance process and, in hands-on fashion, guided SilverStay through the nuanced details of document collection, configuration updates, audit tasks, on-boarding and off-boarding, process control, and many other time-consuming yet critical tasks.

“We were very quickly able to get this questionnaire done, and then shift to building the processes and procedures needed to demonstrate compliance over time and signal to our customers that yes, [SilverStay] is taking information security very seriously and working with us is something that you won't regret because of that,” Mish said.

Training, documentation, tracking assets and scheduling processes have been key for SilverStay. The team can now easily upload documents for acknowledgements, run team training, set and execute routine audit tasks, and pull evidence when needed as part of the operationalization of their security program.


The Result

SilverStay generates additional business opportunities and sets sights on SOC 2 by demonstrating secure processes for handling Protected Health Information (PHI)

“[Being on the platform] definitely reduces friction in closing deals,” Mish said. “We can very readily point to the system processes and architecture that is in place, provide evidence of our process, and otherwise speak with great confidence in managing a future customer’s PHI.”

SilverStay is taking all the right steps to ensure that they are handling PHI correctly and are able to demonstrate their security posture at any point. Ultimately, having HIPAA policies in place within the Ostendio platform enables Mish and his team to “sleep better at night.”

And the benefits for SilverStay are two-fold.

While establishing these policies helps close deals, it also ensures that SilverStay’s reputation. The SilverStay team knows they’re taking the right steps every day to protect their customer’s PHI.

“Ultimately, SOC 2 is where we’d like to go,” Mish said. Adding another framework to the mix will only further demonstrate how seriously they take security.

With Ostendio’s crosswalk functionality, SilverStay will be able to cross reference what evidence they still need for SOC 2 now that they’ve taken on HIPAA, and quickly prepare for a SOC 2 audit when that time comes.

“The processes, the procedures, the tools–everything is there,” he said, adding that there is no barrier to getting started now that they have the foundation from HIPAA.

Mish advises organizations in healthcare looking to build up their security program to explore solutions backed by experts.

Attestation badges and icons on your website are great, he said, but “they don’t really protect data unless you’re running the processes.” With Ostendio, Mish says SilverStay is continuously demonstrating security.

“I feel very fortunate that we landed on [Ostendio],” Mish said. “It’s been a terrific collaboration. I think Ostendio does a great job of threading the needle–being affordable, being mindful of the budget, and providing the expert tools and resources to get it done.”



About SilverStay

SilverStay offers innovative hospital discharge solutions for complex patients. We support health systems and families in the journey to find effective long-term care solutions for even the most complex cases.