Pervasive Health protects data with ISO 27001
Handling sensitive health data requires the implementation of rigorous technology, standards and processes. For Pervasive Health, it’s business as usual, as they empower health enterprises and professionals to discover health insight every day. Pervasive Health chose IT Governance to help them gain ISO 27001 accredited certification for the organization’s US and European operations, making their platform the first in the field to achieve this.
This case study shows how IT Governance helped Pervasive Health to achieve ISO 27001 certification. Download the case study for free now.
Pervasive Health is a US company with a global customer base that provides the breakthrough platform for health, Apervita®. Apervita is a powerful health care analytics software platform that allows health enterprises and professionals to connect evidence-based insight to health practice anywhere. The platform saves doctors and clinical staff time and money with fast, smart access to a unified source of all patient information. Data is natively stored in standard health concepts that any health professional will be familiar with, rather than in proprietary data structures. Any health professional can author, publish, and share health insights on the platform. Health insights take raw health data and transform it into what you need to know, when you most need to know it. The Pervasive Health team capitalises on experience from multiple industry sectors including healthcare, telecoms, banking, algorithmic trading, and airlines. As a result, the Apervita platform is a thoroughbred, incorporating best-of-breed technologies to handle big data, privacy, Personally Identifiable Information (PII), Protected Health Information (PHI), HIPAA, authentication, permissions, auditing, data encryption, global scalability, and unified operations management.
Rinaldo Tempo, Information Security Manager at Pervasive Health, was responsible for implementing ISO 27001, working with colleagues in Chicago, an important and growing life sciences hub in the USA. ISO 27001 is the best practice specification that helps businesses and organizations throughout the world to develop a best-in-class Information Security Management System (ISMS). Information and information systems are vital to all organizations. ISO 27001 sets out specific requirements, all of which must be followed and against which an organization's ISMS can be audited and certified.
The nature of the data that Pervasive Health processes and protects on behalf of its clients makes certification to ISO 27001 a wise move in both security and business terms.
Pervasive Health's mantra is to empower health enterprises and professionals to create and share health insights so they can excel every day. At its core, the Apervita platform comprises an integrated health record of all current and historical patient data. It connects this data to a powerful community of computable health insights, written by partners on the platform. The approach, embodied in the company’s platform, unlocks the value of patient information, unifying the patient journey across care settings and bringing together clinical, financial and operational data and connecting it to a marketplace of health insights.
Pervasive Health contacted IT Governance to provide the consultancy support needed to create an ISO 27001-compliant ISMS. This required the identification of any interfaces and dependencies with functions or services falling outside the scope, and consideration of how these might be addressed. The exact scope of the project and the information security objectives that led to the information security policy were determined by Pervasive Health’s senior team with support from IT Governance consultants. This included helping to develop the required risk assessment framework and recommendations for risk acceptance criteria.
The work under this phase of support also assisted Pervasive Health’s Information Security Manager in developing the profile of the project team and an outline project plan. IT Governance provided "Mentor and Coach" consultancy support. In order to comply with the ISO 27001 standard and the Health and Social Care Information Centre (HSCIC) IG Toolkit requirements (formerly the NHS Connecting for Health CTP requirements), an asset-based information security risk assessment was conducted. This was achieved by interviewing asset owners to produce an asset register and then assessing the potential risks to those assets. Once the risks were identified and decisions made on how to manage them, a full Risk Treatment Plan was produced, which in turn led to the development of a Statement of Applicability as required by the standard.
As Rinaldo explains: “Pervasive Health already had strong internal processes to protect data; however, ISO27001 helped us to consider all the risks that we faced with the benefit of the rigor of what is, we believe, the most demanding security standard.”
Aaron Symanski, Pervasive Health’s COO added “Our team has extensive experience across sectors where information security is a paramount concern, including healthcare, telecommunications, and finance. We deeply understand the concept of data walls, security entitlements, and the granular security measures that health enterprises require to be implemented and maintained as part of an Information Security Management System. Developing and managing software that handles sensitive data with excellence is the nature of how our team operates. ISO27001 enabled us to formalise and continue to improve our processes.”
IT Governance assisted Pervasive Health in creating the ISO 27001 documentation in conjunction with the team, who committed resources to introduce the security controls while IT Governance developed the associated documentation identified as necessary.
Rinaldo commented, “IT Governance kept us on the road all the way – right up to the arrival of the external auditor. The training that they provided was very useful, as were the document templates. Having a different set of eyes at every stage was one of the reasons that we felt confident throughout, and the result of the final audit justified this.”
Aaron echoes Rinaldo’s faith in the IT Governance approach, “Information security is an essential part of our business, so we wanted every aspect of our ISMS to be right. Connecting health professionals to health insights is essential to ensure the delivery of the best possible outcomes, while minimising costs. As health insights become more pervasive, we must ensure the integrity of the data and the platforms that deliver the insight.
A viable health platform has to be designed around the C-I-A principle of Confidentiality, Integrity and Availability, which is the central tenet behind ISO27001 policy-based information security compliance. Using the Apervita platform, Pervasive Health’s customers and partners can author comprehensive patient, population and performance insights and connect those to their workflow. This is thanks to Pervasive’s new generation platform-as-a-service, and the trust of knowing that information security is an integral part of our organisation and processes.”
Rinaldo concluded, “We would recommend that security-conscious managed service providers adopt ISO27001 best practice and gain accredited certification with support from IT Governance. Their consultants have shown us how to embed information security into our practices at all levels in the organisation, so that our people, processes and technology work together to protect our partners’ confidential healthcare records.”
Pervasive Health successfully passed the second stage ISO27001 audit on July 19, 2013. As a result, the organisation was recommended for certification by Det Norske Veritas Ltd (DNV).
Pervasive Health intends to actively promote its ISO27001 certification on its new website and explain to prospective partners why its approach is rigorous and effective.
“The response from our partners has been positive and reassuring,” said Aaron Symanski. “We anticipate gaining more business opportunities and growing faster because we have taken a responsible stand on security in a market that is naturally sensitive to data protection concerns. Pervasive Health is proud to be an ISO27001 certified organization and we are looking forward to partnering with IT Governance Ltd to maintain our ISMS.”