Health Care Management Organization Performs Gap Analysis to Modernize and Mitigate Data Security Risks


The client: A health care medical management and administrative services organization that supports health insurance companies.

Given the competitive environment in which the shared services corporation operates, the client moved to an eighty-six vendor, hybrid cloud enterprise that allowed for greater availability, scalability, and maintainability.

The new technology environment introduced compliance, data governance, and risk management challenges. Given the sensitivity of member health care data, the client required capabilities and processes that would provide high levels of security and privacy in order to maintain the confidence and trust their customers expect and demand.

Client challenge: plan a path forward to correct data and security risk analysis audit findings

After a risk analysis auditing company completed an assessment of their foundational processes and controls, the client approached FarWell with the assessment results looking for a path forward.

Strategically, the client sought to modernize their security capabilities and member health data controls, while building a mature, digital business that provides fast, secure, and personalized digital customer experiences.

FarWell solution: modernize health care security controls and build a digital customer experience

After completing a Right-Fit™ Discovery, FarWell recommended the following approach:

Perform a Gap Analysis

Working with the client, FarWell identified thirteen key risk-related business capabilities, six of which were prioritized as critical or high. The Gap Analysis assessment documented the current state of each capability; the FarWell Senior Advisor then identified the desired end state and the maturity level needed to meet industry security standards.

The goal was to achieve an operational maturity level that would ensure sound foundational controls. Ongoing maturation would be achieved through a one- to three-year roadmap.

[Figure: Example Gap Analysis Chart showing Business Capability vs. Maturity Level and Status across a variety of Issue Focus Areas]
Example Gap Analysis Chart: The first step in the process was to perform a comprehensive Gap Analysis, determine how to Right Fit a capability to close each gap, and then determine the maturity level the capability needed to reach to meet control requirements.

Architect compliant and sustainable program objectives

Once the gaps were identified in the Gap Analysis, the FarWell Senior Advisor determined that the three key program objectives were to:

  1. Create a Cyber Security Program
  2. Create an IT Risk Management Program
  3. Create Main Policy & Procedure Documents

Each objective adhered to LEAN principles to make the resulting program efficient, cost effective, and sustainable.

Most importantly, the nature of the client’s business required compliance with industry- and government-specific standards.

Execute the 3 key program objectives

In a digital compliance transformation of this kind, two aspects of the plan were expected to be labor intensive for a hybrid cloud enterprise with a large number of vendor data integrations: third-party risk management (vendor compliance) and policy, process, and procedure creation. To give the program a quick lift, FarWell researched and engaged two compliance accelerators as partners who specialized in these areas.

The vendor compliance partner was critical to creating a LEAN risk assessment process for the 86-vendor enterprise, allowing the client to focus on the highest-risk vendors and the mitigations they required. The niche compliance policy partner enabled rapid creation of policies, processes, controls, and procedures from customizable templates.

Provide a roadmap for self-reliance

FarWell delivered a comprehensive plan and roadmap for achieving the required maturity levels. FarWell facilitated the plan in the first year, while the team collaboratively built policies, processes, and controls along with the related organizational committees, practices, and owners. At the handoff, the client had an established, trusted path to mitigate critical and high risks on their own by the end of year two.

Over the course of the project, FarWell provided support in the form of a team led by a Senior Advisor with deep experience in IT and IT security, as well as a background in business and the practical application of technology, supported by a Business Analyst. Having a single leader and team manage the project from strategy development through solution architecture and execution allowed for a highly coordinated, holistic approach.

Digital Compliance: Security & Business Service Management Architecture
The client focused on building the operational aspects of process improvement, dashboards, and reporting in order to provide the state-of-the-art user experience their customers demanded. They looked to FarWell to help craft the foundation of frameworks, policies, processes, and controls, as well as the organizational structure to manage governance and program sponsorship into the future.

Client results: revamp the health care management organization’s digital compliance and security program in six months

The project started mid-year. During the first two months, the team’s focus was on vulnerability and patch management, developing a Security Operations Center (SOC) roadmap, and building an Infrastructure and Security portfolio and roadmap.

During the next two months, the team focused on vendor management, establishing a security program and governance, developing an enterprise architecture team, building out application and data portfolios and roadmaps, drafting an IT service management roadmap and an incident response management plan, completing a network security assessment, and creating the following year’s budget and plan.

By year end, the team had finalized identity and access management, drafted a data protection and governance policy/process, and established a security steering committee.

With FarWell’s help, the client revamped their entire digital compliance and security program over the course of six months. In line with the solution design, which ultimately focused on self-sufficiency, the client has since hired their own security manager, who is following the roadmap developed by FarWell to grow and mature the program.

64% Increase in digital compliance post-implementation

The client recently passed their first post-implementation compliance assessment audit and saw a 64% improvement, with all critical issues and all but one of the other identified issues having been addressed completely.