Elevating Healthcare Security and HIPAA Compliance for a More Resilient Organization
Healthcare | HIPAA | GRC
This healthcare nonprofit strengthened cybersecurity, simplified compliance, and enhanced resilience by closing high-risk gaps, improving threat detection, and aligning security with operational and stakeholder needs.
Seiso partnered with Wesley Family Services (WFS) to build a more mature, resilient cybersecurity program by addressing high-risk gaps, streamlining compliance, and simplifying security processes. Through targeted risk assessments, technical improvements, and executive-aligned reporting, WFS strengthened HIPAA compliance, enhanced threat detection, and improved business continuity—delivering long-term security maturity within the realities of a nonprofit’s resources.
Situation
Wesley Family Services (WFS) is a nonprofit organization providing behavioral healthcare and therapeutic support to individuals and families across Western Pennsylvania. Serving over 20,000 people annually, WFS must deliver these critical services while handling sensitive patient information in compliance with regulatory frameworks such as HIPAA.
As a nonprofit with a small security team, WFS needed a methodical, resource-conscious approach to maturing its information security program: one that met regulatory requirements and addressed the highest risks first without overwhelming day-to-day operations.
Key challenges included:
- Limited Resources: Prioritizing security improvements while balancing operational constraints.
- Security Awareness: Addressing vulnerabilities caused by human error.
- Technical Gaps: Improving logging, monitoring, and risk management processes in an under-resourced IT environment.
- Change Management: Managing change related to the introduction of policies and controls.
- Executive Communication: Demonstrating security program progress to the Executive Management Team and Board of Directors with clear metrics and actionable insights.
Solution
Seiso helped WFS create a more mature information security program by addressing the highest-impact areas of risk. Using an initial risk assessment conducted in line with NIST SP 800-30 (Guide for Conducting Risk Assessments), Seiso prioritized improvements and laid the foundation for a structured, long-term security strategy. Throughout the engagement, Seiso focused on simplifying security processes, tying technical recommendations to business impact, and equipping WFS to communicate these improvements effectively to executives and stakeholders.
Risk Assessment / Risk Management
Seiso conducted a comprehensive Security Risk Assessment to identify areas of non-compliance and high-risk vulnerabilities. Reassessments were performed every two years to track progress and guide ongoing improvement efforts.
Deliverables included:
- A detailed gap analysis with actionable recommendations.
- Development of a risk register to track WFS’s ongoing security risks.
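As an added illustration (not WFS's or Seiso's own register or tooling), the block below shows how a small risk register can be scored and prioritized with the qualitative likelihood-by-impact scale from NIST SP 800-30 Rev. 1 (Table I-2, as reproduced here from the published guide), so that High and Moderate items are worked first and anything lower is routed to documented leadership acceptance, the sequencing the Results section describes. The register rows, owners, and HIPAA Security Rule citations are constructed sample data; vendor-sourced risks are included as rows with `source="vendor"` to show that the same structure serves a vendor risk register. The acceptance rule (nothing rated High or above may be accepted without mitigation) is an assumed policy, not one the page states.

```python
"""Score and prioritize a risk register with the NIST SP 800-30 Rev. 1 matrix.

Added example, not a register or tool from the original case study.
Likelihood x impact -> risk level follows SP 800-30 Rev. 1, Table I-2.
Register rows, owners and HIPAA citations are constructed sample data.
"""
from dataclasses import dataclass

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# SP 800-30 Rev. 1, Table I-2: rows are likelihood, columns follow LEVELS (impact).
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a qualitative likelihood and impact into a risk level."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"use one of {LEVELS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


@dataclass
class RiskItem:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    source: str        # "assessment" (internal gap) or "vendor" (third party)
    hipaa_ref: str     # Security Rule citation the finding maps to
    owner: str
    status: str = "open"   # open | mitigating | accepted | closed
    acceptance_note: str = ""

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


def prioritize(register, treat_at_or_above="Moderate"):
    """Split active items into (work first, highest risk on top) and
    (candidates for documented acceptance below the threshold)."""
    threshold = LEVELS.index(treat_at_or_above)
    active = [r for r in register if r.status not in ("closed", "accepted")]
    treat = sorted((r for r in active if LEVELS.index(r.level) >= threshold),
                   key=lambda r: -LEVELS.index(r.level))  # stable: ties keep register order
    accept = [r for r in active if LEVELS.index(r.level) < threshold]
    return treat, accept


def accept_risk(item: RiskItem, approver: str, rationale: str) -> RiskItem:
    """Record leadership acceptance. Assumed policy: High/Very High residual
    risk must be mitigated first and cannot simply be accepted."""
    if LEVELS.index(item.level) >= LEVELS.index("High"):
        raise ValueError(f"{item.risk_id} is {item.level}; mitigate before acceptance")
    item.status = "accepted"
    item.acceptance_note = f"accepted by {approver}: {rationale}"
    return item


def summarize(register) -> dict:
    """Count items per risk level, the input for a trend chart shown to leadership."""
    counts = {lvl: 0 for lvl in LEVELS}
    for r in register:
        counts[r.level] += 1
    return counts


# Constructed sample register (not WFS data).
SAMPLE_REGISTER = [
    RiskItem("R-01", "Server/endpoint logs not centrally collected; PHI access not reviewable",
             "High", "High", "assessment", "164.312(b)", "IT Director"),
    RiskItem("R-02", "Clinical staff susceptible to credential phishing",
             "Very High", "Moderate", "assessment", "164.308(a)(5)", "Security Lead"),
    RiskItem("R-03", "Telehealth vendor BAA lacks a breach-notification timeline",
             "Moderate", "High", "vendor", "164.308(b)", "Compliance Officer"),
    RiskItem("R-04", "Printed PHI left in shared reception printer tray",
             "Low", "Moderate", "assessment", "164.310(c)", "Facilities"),
    RiskItem("R-05", "Workstations running an OS past end of support",
             "Moderate", "Moderate", "assessment", "164.308(a)(1)(ii)(B)", "IT Director"),
    RiskItem("R-06", "No tested recovery plan for the scheduling system",
             "Low", "Very High", "assessment", "164.308(a)(7)", "Operations"),
]

if __name__ == "__main__":
    treat, accept = prioritize(SAMPLE_REGISTER)
    for r in treat:
        print(f"{r.risk_id} {r.level:9} {r.hipaa_ref:22} {r.description}")
    for r in accept:
        accept_risk(r, "CEO", "low exposure; staff reminder issued")
        print(f"{r.risk_id} {r.acceptance_note}")
    print(summarize(SAMPLE_REGISTER))
```

Note that a Low likelihood paired with a Very High impact (R-06) still lands at Moderate under Table I-2, which is why continuity gaps tend to stay on the treatment list even when they are unlikely; a register that scored risk as a simple product would bury them.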
Awareness and Training
Seiso designed and delivered customized security awareness training to address gaps in employee behavior, such as susceptibility to phishing attacks and improper handling of sensitive data.
Deliverables included:
- A tailored training deck and webinar.
- Practical recommendations to encourage secure behaviors, such as locking workstations and protecting printed materials.
Vendor Risk Management
Seiso streamlined vendor risk management by simplifying the process to fit WFS’s operational needs.
Deliverables included:
- A slimmed-down vendor risk questionnaire of 20 to 30 critical questions, adapted from Seiso's more comprehensive templates.
- Development of a risk register to track vendor-related risks efficiently.
Document Governance
Recognizing WFS’s need for simplicity, Seiso tailored document governance to their scale.
Deliverables included:
- A reduced governance stack, consolidating 40+ standard documents into a manageable set aligned with WFS’s priorities.
- Updates to policies and procedures to enhance compliance continuity across teams.
Logging and Monitoring
Seiso guided WFS through a log management exercise that informed the organization's decision-making on procuring a SIEM.
Deliverables included:
- A detailed inventory of logging sources and their capabilities, logging requirements for each source aligned with HIPAA (the Security Rule's audit control and information system activity review requirements), and guidance on a project plan for implementing a centralized log management system.
Vulnerability Management
Seiso supported WFS in strengthening its vulnerability management practices.
Deliverables included:
- Implementation of an enhanced vulnerability management program.
- Detailed guidance on addressing technical risks to align with HIPAA standards.
Advisory (M&A)
Seiso provided advisory support during a key acquisition to evaluate and mitigate cybersecurity risks.
Deliverables included:
- Risk assessments of the acquired organization’s security posture.
- Strategic recommendations to address identified gaps.
Business Continuity Planning and Impact Analysis
Seiso helped WFS formalize and strengthen its business continuity program with a detailed business impact analysis to assess risks to critical operations.
Deliverables included:
- A business impact analysis to identify continuity gaps.
- Documentation of business-critical dependencies and vulnerabilities.
- Recommendations to mitigate operational disruptions.
- Creation of a disaster recovery plan for two critical business processes.
Tabletop Exercises
Seiso conducted tabletop exercises to prepare WFS for incident response scenarios.
Deliverables included:
- Simulation reports with actionable recommendations.
- Hands-on training for teams to improve readiness.
Executive Management Team / Board of Directors (BOD) Reporting
Seiso supported WFS in presenting security progress to their Executive Management team and preparing materials for the Board of Directors, emphasizing the connection between technical improvements and business outcomes.
Deliverables included:
- Quarterly strategy sessions with a focus on maturity metrics.
- Clear, visual reporting that showed steady improvement from maturity levels 0–2 to level 3 or above across most control areas.
Results
WFS achieved significant improvements in their information security program, demonstrating the impact of Seiso’s focused, simplified approach. By prioritizing high-risk areas and aligning technical strategies with business outcomes, WFS has matured their cybersecurity posture while maintaining operational efficiency.
Key results include:
- Improved Compliance: WFS reduced overall risk by addressing high- and medium-priority issues and control gaps first, bringing 15 additional controls to an effective operational status and reducing the remaining risks to a level leadership could formally accept.
- Boosted Security Awareness: Through targeted training and awareness initiatives, WFS employees developed better cybersecurity habits, reducing the likelihood of falling victim to phishing and other social engineering attacks.
- Streamlined Risk Management: WFS adopted simplified risk management processes, including a tailored vendor risk questionnaire and risk register, enabling them to manage third-party risks more effectively.
- Stronger Technical Controls: Logging, monitoring, endpoint protection, perimeter security, identity management, and vulnerability management practices were enhanced, reducing the likelihood of undetected threats and compliance failures.
- Enhanced Business Resilience: With a formalized business continuity program, WFS gained the ability to respond more effectively to potential disruptions. Deliverables, such as disaster recovery plans and tabletop exercises, have strengthened preparedness across critical business processes.
- Executive Communication: Quarterly strategy meetings and Board of Directors presentations ensured WFS leadership had clear visibility into the security program’s progress. Visual reporting and metrics demonstrated a steady shift from early maturity levels (0–2) to a more robust state, with most areas now at level 3 or above.
- Cultural Shifts: By working alongside WFS to align security measures with their operational priorities, Seiso helped foster a culture of continuous improvement.
Despite resource limitations, WFS remained committed to maturing their program steadily and methodically. This collaborative approach not only reduced risk but also enabled WFS to better protect sensitive patient data, meet regulatory requirements, and position themselves as a trusted provider in the healthcare space.