Case Study 1: Healthcare Tech SME

Keen market interest in a new service offering motivated a healthcare technology SME to prioritize their Security Risk Analysis (SRA) as a first step in SOC 2 certification prep. A peer referral gained them an essential consulting partner in Apgar & Associates.

When a Boston-based healthcare software and services company decided to formally review and operationalize its approach to a SOC 2 certification, they engaged Julia and Chris to help them navigate the certification preparation process. The first step was the bedrock of data privacy and information security compliance activities: the Security Risk Analysis (SRA).

As a small team, the company felt it was imperative that the resource partner be a cultural fit and quickly grasp the complex new product. For Chris and Julia, it was impressive that the entire executive team was 100% “in it to win it.” Together, they agreed that the comprehensive SRA was the first priority.

Praise from the Director of Client Partnerships sums it up: “Julia and Chris made the Security Risk Analysis and related recommendations appropriate to our organization, and their method made the SRA far less burdensome than expected.”

Apgar & Associates created an all-inclusive assessment and analysis based on NIST and OCR recommended methods. Nothing was left untouched – technical tools, administrative and operational processes, roles, and functions – all were thoroughly examined.

Download the full SRA Case Study.

The main improvement from the SRA? Vendor partnership policies.

“Thanks to our work with Apgar & Associates, we have confidence in our vetting process. The unexpected result was that such a structured process would give us more options, more freedom, not less.”

Knowing how third-party vendor partners handled information security was imperative, given the substantial ePHI data exchanges involved. Controls for access monitoring and review, and full vetting of any vendor who may touch PHI through data exchange, are a must, and both are now in place. At a high level, the firm’s screening of third-party vendors starts with the answers to:

  • Will the vendor encounter potentially sensitive data, such as PHI?
  • Can the potential vendor sign an approved BAA or BASA?
  • Does the vendor have certifications such as SOC 2?
  • Can the vendor successfully complete the client’s new IT questionnaire?

Apgar & Associates continues to partner with the healthcare technology SME as the company grows and evolves.

Is your organization ready to take the leap into certification? Give Chris and Julia a call today. Their preparation process, offered as a certification readiness service, has helped many organizations successfully achieve SOC 2, HITRUST, and ISO certifications.

Call (503) 384-2538 or email us at info@apgarandassoc.com.