Pervasive Health Protects Data with ISO 27001
This case study shows how IT Governance helped Pervasive Health to achieve ISO 27001 certification.
Pervasive Health Case Study
Handling sensitive health data requires the implementation of rigorous technology, standards and processes. For Pervasive Health, it’s business as usual, as they empower health enterprises and professionals to discover health insight every day. Pervasive Health chose IT Governance to help them gain ISO 27001 accredited certification for the organisation’s US and European operations, making their platform the first in the field to achieve this.
Background
Pervasive Health is a US company with a global customer base that provides the breakthrough platform for health, Apervita®. Apervita is powerful and secure, allowing health enterprises and professionals to connect evidence-based insight to health practice anywhere. The platform saves doctors and clinicians time and money with fast, smart access to a unified source of all patient information. Data is natively stored in standard health concepts that any health professional will be familiar with, rather than in proprietary data structures. Any health professional can author, publish, and share health insights on the platform. Health insights take raw health data, and transform that into what you need to know, when you most need to know it. The Pervasive Health team capitalises on experience from multiple industry sectors including healthcare, telecoms, banking, algorithmic trading, and airline. As a result, the Apervita platform is a thoroughbred, incorporating best-of-breed technologies to handle big data, privacy, Personally Identifiable Information (PII), Protected Health Information (PHI), HIPAA, authentication, permissions, auditing, data encryption, global scalability and unified operations management.
Rinaldo Tempo, Information Security Manager at Pervasive Health, was responsible for implementing ISO 27001, working with colleagues in Chicago, an important and growing life sciences hub in the USA. ISO 27001 is the best-practice specification that helps businesses and organisations throughout the world to develop a best-in-class Information Security Management System (ISMS). Information and information systems are vital to all organisations. ISO 27001 sets out specific requirements, all of which must be followed, and against which an organisation’s ISMS can be audited and certified.
Requirements
The nature of the data that Pervasive Health processes and protects on behalf of its clients makes certification to ISO 27001 a wise move in both security and business terms.
Pervasive Health's mantra is to empower health enterprises and professionals to create and share health insights so they can excel every day. At its core, the Apervita platform comprises an integrated health record of all current and historical patient data. It connects this data to a powerful community of computable health insights, authored by partners on the platform. The approach, embodied in the company’s platform, unlocks the value of patient information, unifying the patient journey across care settings and bringing together clinical, financial and operational data and connecting it to a marketplace of health insights.
Process
Pervasive Health contacted IT Governance to provide the consultancy support needed to create an ISO 27001-compliant ISMS. This required the identification of any interfaces and dependencies with functions or services falling outside the scope, and consideration of how these might be addressed. The exact scope of the project, and the information security objectives from which the information security policy was derived, were determined by Pervasive Health’s senior team with support from IT Governance consultants. This included helping to develop the required risk assessment framework and making recommendations for risk acceptance criteria.
The work under this phase of support also assisted Pervasive Health’s Information Security Manager in developing the profile of the project team and an outline project plan. IT Governance provided ‘Mentor and Coach’ consultancy support. In order to comply with the ISO 27001 standard and the Health and Social Care Information Centre (HSCIC) IG Toolkit requirements (formerly the NHS Connecting for Health CTP requirements), an asset-based information security risk assessment was conducted. This was achieved by interviewing asset owners to produce an asset register and then assessing potential risks to those assets. Once the risks were identified and decisions made on how to manage them, a full Risk Treatment Plan was produced, which in turn led to the development of a Statement of Applicability, as the standard requires.
Rinaldo explained that, “Pervasive Health already had strong internal processes to protect data; however, ISO 27001 helped us to consider all the risks that we faced with the benefit of the rigor of what is, we believe, the most demanding security standard.”
Aaron Symanski, Pervasive Health’s COO, added: “Our team has extensive experience across sectors where information security is a paramount concern, including healthcare, telecommunications, and finance. We deeply understand the concept of data walls, security entitlements, and the granular security measures that health enterprises require to be implemented and maintained as part of an Information Security Management System. Developing and managing software that handles sensitive data with excellence is the nature of how our team operates. ISO 27001 enabled us to formalise and continue to improve our processes.”
IT Governance assisted Pervasive Health in creating its ISO 27001 documentation: the Pervasive Health team committed resources to introduce the security controls, while IT Governance developed the associated documentation identified as necessary.
Rinaldo commented, “IT Governance kept us on the road all the way – right up to the arrival of the external auditor. The training that they provided was very useful, as were the document templates. Having a different set of eyes at every stage was one of the reasons that we felt confident throughout, and the result of the final audit justified this.”
Aaron echoes Rinaldo’s faith in the IT Governance approach: “Information security is an essential part of our business, so we wanted every aspect of our ISMS to be right. Connecting health professionals to health insights is essential to ensure the delivery of the best possible outcomes, while minimising costs. As health insights become more pervasive, we must ensure the integrity of the data and the platforms that deliver the insight.
A viable health platform has to be designed around the C-I-A principle of Confidentiality, Integrity and Availability, which is the central tenet behind ISO 27001 policy-based information security compliance. Using the Apervita platform, Pervasive Health’s customers and partners can author comprehensive patient, population and performance insights and connect those to their workflow. This is thanks to Pervasive’s new generation platform-as-a-service, and the trust of knowing that information security is an integral part of our organisation and processes.”
Rinaldo concluded, “We would recommend that security-conscious managed service providers adopt ISO 27001 best practice and gain accredited certification with support from IT Governance. Their consultants have shown us how to embed information security into our practices at all levels in the organisation, so that our people, processes and technology work together to protect our partners’ confidential healthcare records.”
Outcome
Pervasive Health successfully passed the second-stage ISO 27001 audit on July 19, 2013. As a result, the organisation was recommended for certification by Det Norske Veritas Ltd (DNV).
Next Steps
Pervasive Health intends to actively promote its ISO 27001 certification on its new website and explain to prospective partners why its approach is rigorous and effective.
“The response from our partners has been positive and reassuring,” says Aaron Symanski. “We anticipate gaining more business opportunities and growing faster because we have taken a responsible stand on security in a market that is naturally sensitive to data protection concerns. Pervasive Health is proud to be an ISO 27001 certified organisation and we are looking forward to partnering with IT Governance Ltd to maintain our ISMS.”