King’s Daughters Health System

The Need

As a mid-size community hospital, King’s Daughters had undergone unexpected resource losses resulting in a void of key personnel and an inability to recruit and rehire top tier security talent in the foreseeable future. King’s Daughters had recently lost their CISO to a larger academic center. Recruiting for a new one proved difficult due to salary expectations in a volatile security market.

Additionally, the organization had already put in significant investments over the past three years, including updating the security strategy, change management, alerting, investigations and reporting.

Leaders considered accepting candidates with related but not exact experience, but there was the risk that lack of expertise might leave the organization vulnerable. Subsequently, they explored the possibility of an outside partnership.

King’s Daughters realized that an industry-proven partner was needed to help mitigate the CISO resource void; reliably identify, prioritize, manage, and mitigate security risks (administrative, physical, and technical) across the organization; and streamline the Risk Management process.

The Solution

Fortified Health Security’s Virtual Information Security Program” (VISP) Services worked in collaboration with King’s Daughters C-Suite, IT, Clinical, and Compliance departments to implement a focused HIPAA Risk Analysis process that assessed the top risk areas in the client’s healthcare enterprise.

Within this structure, a vCISO reports “solid line” to the CEO and “dotted line” to the CIO. Fortified acts as an advisor, providing risk assessment (new and existing systems) and subject matter expertise while directing IT security resources to accomplish approved security efforts.

The process included:

• Weekly calls with IT Security team and CIO
• Monthly reporting to CEO, CIO and Risk Executives on efforts, priorities, shortfalls and new threats that are shared quarterly with the KDMC Board
• Working directly with the IT Security team to assess, remediate, plan and execute security efforts

The Outcome

Fortified Health Security assisted King’s Daughters in strengthening its HIPAA security and compliance program through our VISP services.

Benefits to date include:

• Stability: Added stability of the CISO position with highly-experienced security professionals
• Checks and Balances: Outstanding checks and balances for the King’s Daughters board and C-suite through ongoing Risk Management and Risk Status reporting
• Budget Neutral: enabling key professional CISO services to be attained at King’s Daughters rate, circumventing the volatile compensation requirements in today’s security market
• Mentor for IT Security Team: Administrative, Physical, Technical, and Compliance mentoring above and beyond the minimum checklist requirements
• Mentor and Advisor for the CIO: Strategy, design, and advisement on the procurement of security and risk management systems and processes
• Alignment Around Mitigating Risks: vCISO does not “over-architect or oversell needs” and acts as an advisor, not an enforcer

Through this streamlined and innovative relationship with Fortified’s VISP services, King’s Daughters was able to meet their immediate HIPAA Security Compliance requirements and fill the CISO resource void, as well as bolster their enterprise security environment above and beyond the minimum checklist requirements while providing consistency within the Information Security domain.

“Fortified Health Security’s vCISO worked very closely with our team to establish an innovative Security Risk Management process tailored perfectly to our unique environment and needs,” says Ebaugh. “Their VISP alignment around mitigating risks without over-architecting or overselling our needs has been invaluable to us in this process.”