A diagnostic testing company offers security lessons for all providers

When Brio Systems took on COVID-19 testing, it suddenly had employers and agencies as customers, which required a whole new view of security. It turned to a security platform vendor for help.

"While security and privacy had always been important to our business, previously we'd been a direct-to-consumer service and as such, health data was accessed only by the individual account holder managing their own biomarker results," explained Thos Niles, cofounder of Brio Systems. Every time a large company or government agency would look to work with Brio, the testing provider was confronted with intimidating security questionnaires and rigorous audit calls. For help, Brio Systems turned to Carbide, a vendor of an information security and data privacy management platform. In the first part of Phase 1 – design – the vendor team met with Brio's team to assess its existing security posture and from there helped define, design and review a security program to fill gaps and meet outlined security objectives. "Carbide automatically generated a set of policies that were unique to our situation, with aligned tasks managed within the platform helping to move us quickly from policy development to security program implementation. In the second part of Phase 1 – review – the vendor team led Brio through working sessions on information security, including employee security, software development security, physical/asset/network security and security management, all of which helped to define the foundation of Brio's program. Brio's team then was empowered to review and manage progress as security controls were implemented. In Phase 2 – implement – Carbide generated an implementation plan, customized to Brio's needs – a checklist to help demonstrate the testing provider's security posture to prospects and customers, prepare for and manage the internal audit process, and showcase a commitment to security. Niles said Carbide has been indispensable in helping Brio strengthen its security posture, quickly demonstrate compliance, and operationalize and advance security. Within months of working with the vendor, Brio achieved and demonstrated HIPAA compliance and closed deals with multiple Fortune 500 companies and a federal agency, all of which needed confidence that Brio's security controls and posture were mature enough that they could trust Brio with their employee health data. Additionally, the security platform helped Brio accelerate compliance efforts by providing an easy-to-follow framework and a comprehensive task management system designed to effectively manage the density of requirements, sharpen focus on what matters most and stay on schedule, he said.