As I write this memorandum, Epiphany Healthcare is the only vendor in our market niche with an ISO 27001 certification. We are excited to be able to demonstrate our commitment to our own security and our customer’s security with this certification.
When selecting a security certification body, we evaluated the top three golden standards for information, cyber, and infrastructure security:
ISO 27001; HITRUST; and SOC 2. All three are remarkably similar.
“Each certification has similar controls and requirements, with SOC and ISO being remarkably equal, and HITRUST intensifying the “How” [in how] requirements are met.” https://apgarandassoc.com/certification-readiness/
Medical device companies, with a Class II or Class III FDA-registered devices, utilize ISO 13485 certification to meet Quality Management System (QMS) requirements. Having familiarity with the ISO QMS certification process led us to select ISO 27001 for cyber and physical security certification.
In adopting the ISO 27001 standard, a company must consider risk assessment and treatment options. Epiphany chose to establish a low-risk tolerance, which was the most demanding standard. We implemented all recommended controls in ISO 27001, including those for cloud, creating a total of more than 121 controls. We also chose to apply these controls to all aspects of our business and products, including Epiphany Cloud Services. The investment in this certification, including man-hours, staff training, and registrar expenses exceeded $300,000. Over 1,000 pages of documentation were either modified or created to meet the certification requirements.
These controls include establishing clear guidelines for responding to security events and incidents, employee onboarding/off boarding, work-from-home evaluations, mobile device management, office security, penetration testing, secure software development, adding new security technologies to our enterprise, business continuity plans to recover from unplanned events (such as a hurricane, ice storm, loss of power, etc.), ransomware and malware strategies, and tightening existing controls for onsite visits and physical security.
All of the clauses, controls, and a summary of the implementation of Epiphany Healthcare’s Information Security Management System (ISMS) framework is available upon request.