CaringWays partners with Clearwater to help develop and implement a cloud-based security program for its AWS-based fundraising platform
CaringWays is a privately-held fundraising platform that works with healthcare organizations and others to assist patients in raising funds to pay for needed medical services. As a cloud-based solution using Amazon Web Services (AWS), the CaringWays team knew it was imperative to build and implement cloud-based security best practices and controls into the platform’s architecture.
While an array of skilled professionals supported the team, they quickly realized they did not have the resources, time, ability, or knowledge to develop this program internally from the ground up.
Faced with having to hire several new employees to fill the gap in the midst of an industry-wide employment shortage of skilled security professionals, CaringWays instead sought to partner with Clearwater to establish its cybersecurity program, one that not only keeps sensitive and protected data safe, but also meets all regulatory and compliance requirements.
“The Clearwater team has been extremely helpful in enabling us to build infrastructure and security around the business from the first building block up.”
-Kristi Morrow, CaringWays President/Founder
The Cloud Security Gap
Before engaging with Clearwater as its partner on this cybersecurity and HIPAA compliance journey, CaringWays had not yet implemented any AWS Foundational Security Best Practices and had few CIS AWS Foundational Benchmarks in place.
Looking at its platform architecture and production environment, the CaringWays team understood it needed to develop a secure AWS platform to protect ePHI, reduce breach risks, and decrease the likelihood of negative financial, compliance, and reputational impacts on the company.
Among the goals the company wanted to achieve were:
- Stand up the CaringWays platform and develop a secure perimeter around sensitive data in its “Red Zone,” with advanced security recommendations and components
- Implement a full range of AWS security best practices and CIS Foundation controls to defend and protect this environment including:
- Strong Identity and Access Management (IAM) capabilities, such as root account use, access controls, password requirements, and multi-factor authentication (MFA)
- Continuous logging and monitoring based on AWS best practices
- Monitoring critical account activity, such as unauthorized API calls or unauthorized management console and root account access
- Drive secure network configurations and limit access to vulnerable ports
- Quickly visualize all changes to users, roles, access policies, and access control lists
- Receive notifications for access tampering or customer master key tampering
- Be able to withstand attacks
- Proactively seek out vulnerabilities and other weaknesses to decrease the likelihood of a successful breach
- Facilitate constant, comprehensive attack surface monitoring
- Facilitate routine evaluations with context-aware security gap identification to prioritize mitigation and remediation plans
- Enable customized reporting, both for internal metrics and regulatory and compliance obligations and eliminate repetitive or irrelevant results
- Enable customized alerts
- Conduct regular AWS security configuration audits with continuous updates and patches
- Implement and maintain a resilient AWS security architecture
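The monitoring goals above (unauthorized API calls, root account use, changes to access policies, customer master key tampering, port exposure) correspond to the CloudTrail metric-filter controls in section 3 of the CIS AWS Foundations Benchmark v1.2.0 that the engagement was assessed against. The following is an added example, not code from CaringWays or Clearwater, that expresses six of those filters as Python predicates and runs them over constructed CloudTrail records; the account id, user names and events are sample data, and the rule bodies assume the published CIS 1.2.0 filter patterns.

```python
"""Detection logic mirroring CIS AWS Foundations Benchmark v1.2.0 section 3
monitoring controls, applied to CloudTrail records (added illustration; the
events below are constructed sample data, not captured from any account)."""
from typing import Callable, Dict, List, Tuple

Event = Dict

# Field names follow the CloudTrail record schema; every value is constructed.
SAMPLE_EVENTS: List[Event] = [
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "app-deployer"}},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "eventType": "AwsApiCall",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventName": "PutUserPolicy", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventName": "ScheduleKeyDeletion", "eventSource": "kms.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops/alice"}},
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",   # benign call
     "userIdentity": {"type": "IAMUser", "userName": "app-deployer"}},
]

# Event names listed in the CIS 1.2.0 filters for IAM policy changes (3.4)
# and security group changes (3.10).
IAM_POLICY_EVENTS = {
    "DeleteGroupPolicy", "DeleteRolePolicy", "DeleteUserPolicy", "PutGroupPolicy",
    "PutRolePolicy", "PutUserPolicy", "CreatePolicy", "DeletePolicy",
    "CreatePolicyVersion", "DeletePolicyVersion", "AttachRolePolicy",
    "DetachRolePolicy", "AttachUserPolicy", "DetachUserPolicy",
    "AttachGroupPolicy", "DetachGroupPolicy",
}
SECURITY_GROUP_EVENTS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "CreateSecurityGroup", "DeleteSecurityGroup",
}


def unauthorized_api_call(e: Event) -> bool:
    """CIS 3.1: errorCode matches *UnauthorizedOperation or AccessDenied*."""
    code = e.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


def console_login_without_mfa(e: Event) -> bool:
    """CIS 3.2: a console sign-in where MFAUsed is anything other than 'Yes'."""
    return (e.get("eventName") == "ConsoleLogin"
            and e.get("additionalEventData", {}).get("MFAUsed") != "Yes")


def root_account_usage(e: Event) -> bool:
    """CIS 3.3: direct root use, excluding calls made on root's behalf by a service."""
    ident = e.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and e.get("eventType") != "AwsServiceEvent")


def iam_policy_change(e: Event) -> bool:
    """CIS 3.4: any of the IAM policy mutation calls."""
    return (e.get("eventSource") == "iam.amazonaws.com"
            and e.get("eventName") in IAM_POLICY_EVENTS)


def cmk_disable_or_deletion(e: Event) -> bool:
    """CIS 3.7: a KMS customer master key disabled or scheduled for deletion."""
    return (e.get("eventSource") == "kms.amazonaws.com"
            and e.get("eventName") in {"DisableKey", "ScheduleKeyDeletion"})


def security_group_change(e: Event) -> bool:
    """CIS 3.10: security group rule or lifecycle changes (port exposure)."""
    return e.get("eventName") in SECURITY_GROUP_EVENTS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("CIS-3.1", unauthorized_api_call),
    ("CIS-3.2", console_login_without_mfa),
    ("CIS-3.3", root_account_usage),
    ("CIS-3.4", iam_policy_change),
    ("CIS-3.7", cmk_disable_or_deletion),
    ("CIS-3.10", security_group_change),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule id, eventName) for every record that trips a rule."""
    return [(rule_id, e.get("eventName", ""))
            for e in events for rule_id, pred in RULES if pred(e)]


if __name__ == "__main__":
    for rule_id, name in evaluate(SAMPLE_EVENTS):
        print(f"{rule_id}: {name}")
```

In a live account these predicates would be written as CloudWatch Logs metric filters on the CloudTrail log group, each backed by an alarm that notifies the SOC; keeping the same logic in code lets the filters be unit-tested against recorded events before they are deployed.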
Challenges
The CaringWays platform handles a range of sensitive data: ePHI; personally identifiable information (PII) such as names and addresses; and financial information, such as bank and credit card information.
The company also routinely engages with healthcare covered entities and related business associates to handle HIPAA covered data, and has a responsibility to ensure patient privacy and security remain top of mind.
“When you talk about something like cybersecurity, it’s hard to stay on the leading edge,” Kristi Morrow, CaringWays President, explained, “for example, knowledge of all of the threats that exist and how to address them.”
The CaringWays team stepped back and looked at how it could build a cloud security program internally using its existing team members and resources, a challenge familiar to many fast-growing digital health companies where employees often wear multiple hats with a range of responsibilities.
“For us to have been able to build a team to have the variety of experience and skills that the Clearwater team brings to the table, we would have had to hire, I don’t know, eight, 10, 12 different people to play all of these different roles.”
In addition to the challenges created by a lack of staffing, skills, and resources, the team knew it faced an uphill battle against the increasing number of security threats to all organizations, especially in healthcare. Since the pandemic, the sector has seen an uptick in attacks such as phishing, ransomware, and credential theft, which often lead to lateral network movement, data exfiltration, and sometimes complete system takeovers and shutdowns.
These challenges are further complicated by the rapid evolution and adoption of new technologies in the healthcare industry, including more third-party vendor relationships across a range of services for both covered entities and their business associates.
“Because of there being so many third-party outsourced vendors available now, and all of the problems that have happened with hacking and exposures, and the downstream liability that exists every time you partner with somebody, you’ve just added a bunch of different doorways for somebody to get back home to a source where you have data, and it has become much more difficult,” Morrow said.
As a result, the partners CaringWays works with, such as hospitals and other healthcare providers, now see companies like CaringWays as an extension of themselves, and therefore as a potential point of exposure.
“The process today to go through the security questionnaires is much, much more difficult than it was five years ago, 10 years ago,” Morrow said. “It’s certainly layers-deep about actually how you’re handling the data and how you’re protecting the data.”
The Solution
When it comes to highly sophisticated, multi-layered cloud environments such as AWS, Clearwater demonstrated to the CaringWays team it had both personnel and expertise to provide CaringWays with unified and transparent cloud security services.
Clearwater’s team committed to developing cloud security services to help CaringWays identify, analyze, monitor, and report on its AWS system status, all configuration changes, vulnerabilities, and behavioral anomalies, so that its staff could focus on core business operations, strategy, and objectives, and to create alignment between those company objectives and its security program.
With known challenges in sight, CaringWays decided to outsource development of its AWS security capabilities to Clearwater. In return, Clearwater committed to delivering CaringWays a comprehensive and continuous end-to-end AWS cloud security solution with configuration support for both infrastructure and identity management in its AWS environment, including:
- Establishing a secure foundation using AWS/CIS controls and best practices
- Securing AWS architecture based on CaringWays’ business and applications development processes
- Providing ongoing technical testing and monitoring with cloud security consulting
With CaringWays’ objectives front-of-mind, Clearwater first conducted an AWS security assessment based on AWS Foundational Security Best Practices v1.0.0, CIS AWS Foundation Benchmark v1.2.0, and the NIST Cybersecurity Framework (CSF) to determine the platform’s existing security posture.
Next, Clearwater focused on developing and implementing a secure AWS architecture drawing upon the aforementioned security best practices and frameworks. Once in place, Clearwater then turned its attention to ensuring implemented controls worked effectively and as designed by conducting a range of technical vulnerability assessments and penetration tests for all critical systems that create, store, or transmit sensitive data.
During testing, Clearwater established and evaluated safeguards to detect and identify suspicious behaviors and potential attack characteristics and then made contextually relevant plans for prioritized remediation and to mature CaringWays’ security posture.
Over time, Clearwater will continue to work with CaringWays in a variety of functions including:
- AWS security architecture reviews
- AWS vendor requirements reviews
- AWS privacy and security compliance reviews
In addition to these reviews, it is expected that over time CaringWays’ technical environment will change and with these changes new threats and vulnerabilities may emerge. As a result, the team will need to continuously monitor the AWS environment to protect it against threats and remediate vulnerabilities and other security issues before attackers exploit them.
Clearwater and CaringWays will continue their partnership to ensure ongoing monitoring and maintenance and provide support that includes:
- Continuous, proactive patching and updates to maintain system integrity
- Monitoring and Logging – Host Intrusion Detection, Network Intrusion Detection, and Log Management
- Security Information and Event Management – Real-Time Alerts, Trend Analysis, and Threat Intelligence
- The management of a Virtual Security Operations Center to continuously monitor and improve the organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents
The Results
Clearwater leveraged its cloud platform expertise and broad security and risk management capabilities to deliver value to CaringWays, addressing the company’s AWS security concerns while helping it build a strong overall cybersecurity and HIPAA compliance program.
With the establishment of a secure AWS environment, including a hardened AWS “Red Zone” based on AWS Foundational Security Best Practices, and a dedicated team of experts continuing to manage the company’s ongoing security and compliance needs, CaringWays is now better positioned to:
- Protect its assets and reduce risks related to storing sensitive information in the cloud, including reputational damage and potential OCR fines
- Avoid preventable breaches
- Demonstrate to customers and federal and state regulators that the company meets industry standards for protecting sensitive information in the cloud
- Stay ahead of its evolving threat environment with the ability to identify technical vulnerabilities before exploitation
- Support secure development practices with automated security monitoring across build, test, and production environments
- Have clear visibility and control of AWS security and compliance
- Facilitate regular reporting and prioritized recommendations for ongoing security posture improvement
- Reap the benefits of cost-savings and improved efficiency through a unified, centralized cloud security monitoring program
- Adhere to regulatory or industry compliance mandates, such as HIPAA, CCPA, GDPR, and others
- Provide verifiable evidence CaringWays proactively identifies and addresses critical vulnerabilities
- Effectively respond to security questionnaires and address concerns when acquiring new customers and supporting existing clients
“We feel like we understand much better what’s going on with our data,” Morrow said. “And as we’re making decisions, what to do, Clearwater is helping us weigh the pros and cons, the benefits and the risks that exist, and helping us think through ways we can get done what we need to get done. What are the alternatives? How do you choose the best one for what you’re trying to accomplish? That’s allowing us to feel like we’re in much better control of where we’re headed.”
Morrow said the company is now more confident in its ability to answer security questionnaires, which, as a startup, helps give them a leg up when competing against larger companies for new business.
“Our partnership with Clearwater is a key part of our growth strategy as it reinforces to our hospital partners that CaringWays is committed to being a good steward of the patient data they maintain,” she says. “By working with Clearwater and leveraging their expertise and software, we believe we’ve been able to transform HIPAA compliance and cybersecurity from a potential liability into a competitive advantage.”
Conclusion
Clearwater’s ClearAdvantage Program
Led and executed by expert healthcare privacy and security professionals leveraging our award-winning SaaS-based software platform IRM|Pro®, the ClearAdvantage program provides organizations with the benefits of an integrated and efficiently executed, best-in-class cybersecurity and HIPAA compliance program at 25% – 50% of the cost of traditional approaches.
Program components include:
- Program leadership from an experienced Virtual Chief Information Security Officer and Virtual Chief Privacy Officer
- On-demand access to subject matter experts with a vast knowledge of security and compliance concerns
- OCR-Quality® Risk Analysis and Risk Management leveraging Clearwater’s proprietary software
- Vulnerability assessments
- Incident response support
- Policies and procedures development
- Workforce training
To learn more about the ClearAdvantage Program and Clearwater’s cloud security expertise, contact us at info@clearwatercompliance.com.