Managed Detection and Response Services
How BestSelf Met New Healthcare Compliance Requirements and Improved Security Posture With Managed Detection and Response
Summary
BestSelf Behavioral Health is the largest community-based behavioral health organization serving children and adults in Western New York. Their 20 locations provide easy access to a full continuum of person-centered, trauma-informed behavioral health treatment, rehabilitation, and recovery services.
Due to the nature of their work with the New York State Health Home program, BestSelf handles a significant amount of Electronic Protected Health Information (ePHI) and Medicaid Confidential Data (MCD). Therefore, they are required to meet strict standards set by the New York State Department of Health’s (NYS DOH) Office of Health Insurance Programs (OHIP).
BestSelf chose to invest resources into their security program to ensure compliance and secure ePHI across the organization. They hired an in-house security analyst and outsourced Managed Detection and Response (MDR) services to ProArch for a more integrative security strategy.
Situation
Organizations receiving healthcare data as part of the New York State Health Home program must create a System Security Plan (SSP) that proves they are properly protecting Medicaid Confidential Data (MCD).
BestSelf’s Health Home program has over 2,400 patients, and they need to protect the data of each. NYS DOH requirements include receiving a third-party risk assessment and a subsequent comprehensive security audit.
To meet the new compliance regulations and keep up with the evolving threat landscape, BestSelf needed to take a proactive approach and find a way to implement these controls efficiently.
To satisfy NYS compliance requirements, including the National Institute of Standards and Technology (NIST) framework, the team knew comprehensive vulnerability management and 24x7 security operations center (SOC) capabilities were necessities.
Approach
The first step was to assess what data they receive from the State and where that data is stored in order to establish their information system boundary. With an understanding of the boundary, and knowledge of how they operate internally and share data, BestSelf was able to develop an effective security approach.
BestSelf chose to advance its overall organization-wide security posture rather than focusing only on the narrower scope of the NYS DOH requirements.
“We considered our entire organization, rather than just securing our Health Home data,” said Kevin Wiese, CIO at BestSelf. “We decided to deploy these controls organization-wide because it felt wise and prudent to do so. It was to our benefit to accelerate planned enhancements to our security program.”
Next, they determined whether they could manage these processes internally through their 15-person IT team or if outsourcing to a third-party SOC would be more feasible. Their team has a wide breadth of experience, but it was clear that they couldn’t support 24x7 security operations without outside help.
BestSelf put together a checklist of services they’d require of a third-party vendor and began the search for a security partner to augment their internal capabilities.
Solution
BestSelf took a two-pronged approach: hire an in-house security compliance analyst and outsource to ProArch the security tasks they didn’t have the capacity to handle internally.
They had previously worked with ProArch on cloud-based projects, including a SharePoint Online deployment. Based on the positive results, BestSelf enlisted ProArch as their long-term security partner to help enhance protection against cyber threats and maintain compliance with NYS security requirements.
“For us, it came down to, ‘Who do we think the best long-term partner is going to be?’ The answer to that question is ProArch,” Wiese said.
The solution includes components of ProArch’s Managed Detection and Response (MDR) services, including:
- SOC Security Analysts performing endpoint alert management, threat investigation, and response 24/7/365.
- Daily vulnerability management scanning plus dashboard visibility.
- Quarterly reporting to review security posture and plan of action for remediation.
- Security Orchestration, Automation and Response (SOAR), which automates remediation of malicious activity through playbooks tied to known activity patterns.
- Security Information and Event Management (SIEM) to collect and aggregate security logs, and to identify, categorize, and analyze events and incidents across servers, workstations, and firewalls.
Benefits
As a result of their partnership with ProArch, BestSelf has improved its overall security posture and is ensuring that it maintains compliance with security rules and regulations.
BestSelf has secured benefits such as:
- Responsive round-the-clock SOC team monitoring, containing, and responding to threats
- Security program alignment with compliance obligations and preparedness for future audits
- Insight and feedback for security and compliance initiatives
- Visibility into threats and faster response times through centralized security event collection enriched by threat intelligence
- Direct access to SIEM/SOAR tool for real-time threat metrics
- Quarterly reporting including remediation priorities and metrics to present to leadership
- Timely notification of zero-day vulnerabilities
- Secure transition to a remote workforce during the COVID-19 pandemic
“We’ve made a lot of big strides on the security side in the last year, and ProArch has been a big part of that.”