The Customer
They are an independent medical research practice that delivers technology and treatment options for advanced cancer research. The company’s core research studies focus on genomic and molecular characterization of patient disease to develop new therapies for some of the most challenging cancers. Their data provides a cutting-edge approach to treating cancer based on genomic characteristics.
As an industry leader engaged in cutting-edge medical research, securing their intellectual property, as well as their patients’ confidential medical data, is of the utmost importance.
Managed IT Provider
The managed IT provider is a global leader in healthcare management and healthcare technology solutions, providing specialty pharmaceutical solutions for biotech and pharmaceutical manufacturers. They provide comprehensive managed infrastructure, application, and development solutions to healthcare businesses.
Validation of Existing Security Controls
The customer has an established managed hosting and security service agreement with a 3rd party managed IT provider responsible for establishing and maintaining the confidentiality, privacy, and availability of their critical data and business operations. As a result, all company data resides within a fully managed and outsourced infrastructure.
The managed IT firm’s security compliance attestations provide reasonable assurances of their ongoing ability to properly assess and mitigate IT-related risks within their managed environments, and thus, of their ability to effectively secure the client’s confidential IP and patient medical data.
Night Lion Security was asked to provide an independent third-party validation and audit of the managed IT provider’s security controls, as well as an outside perspective and recommendations for ongoing improvements.
The Solution
Given the size of the managed IT provider’s footprint, Night Lion Security developed a plan based on the NIST Cybersecurity Framework to research and validate the provider-managed security controls. The scope of this assessment was a true audit and validation of the existing frameworks; it lasted several months and included stakeholder meetings, infrastructure reviews, information gathering, and data validation. Following the successful completion of the audit, Night Lion presented all findings to the organization’s board, including any identified gaps and suggestions to improve an already impressive set of security controls.