Case Study by Scott Boyer - Security and Compliance Manager, MedHealth
MedHealth supports thousands of people each year to achieve better work and health outcomes.
With over 2,000 employees, we represent government and insurance organisations operating across Australia. Our programs aim to deliver the best possible health and employment outcomes for people with disability and mental health issues, people who have been injured or become ill in the workplace or due to a motor vehicle accident, Aboriginal and Torres Strait Islander Peoples, and people experiencing long term unemployment.
The data we collect and manage on behalf of the people we support is personal and highly confidential.
MedHealth grew via multiple acquisitions in 2018, bringing together a larger group of businesses. We identified the need to ensure a strategically aligned approach to security.
We wanted to ensure three things:
1. That MedHealth were aligned when it comes to our approach to security and infrastructure across all divisions
2. That we were doing everything possible to minimise the risk of a data breach, and
3. That we would align with industry best practice and maintain and expand our ISO27001 certification.
The Selection Process
We had previously engaged The Missing Link for Penetration Testing, which was a great success, so it was a ‘no-brainer’ to engage them to conduct a Security Controls Review of our security domains and ensure alignment across MedHealth.
We asked The Missing Link to undertake a comprehensive review of our security infrastructure, including our physical assets, our people and processes, which fell into seven domains:
1. Our security framework
2. Our defensive network
3. Endpoint and application compliance
4. Authentication and access control
5. Event management
6. Data protection
7. Human firewall
The Missing Link’s holistic approach involved analysing the security practices and tools we had in place, quantifying and measuring the value of our investments, and identifying areas needing further investment in time or money to reach a more mature security level.
Their report provided strategies to strengthen our security infrastructure and practical advice on patching and managing the identified areas needing improvement.
Together we’ve been able to review opportunities for data protection, including back-ups, the transfer of data to an off-site facility and contingency plans to ensure the business keeps running in the event of a real-life cyber-attack. We have discussed the importance of firewalls, automating responses for event management and training our IT team and broader staff so that they are aware of the risks and know how to protect themselves and our company in the event of a cyber-attack.
The Missing Link has also laid out a two-year roadmap that details the tools and processes that need to be implemented to strengthen our security posture. The roadmap includes regular penetration testing and vulnerability management that will identify areas in need of attention, so we always know what we need to prioritise.
The Missing Link is proactive in their approach and genuinely interested in improving our security to ensure our success. As a result of this project, they’ve become a long-term security partner and IT advisor for our business. I appreciate their in-depth industry knowledge, their strategic views on security infrastructure, and the advice they’re able to offer on the pros and cons of procurement, and I can also leverage their existing supplier relationships.
I really feel like we’ve developed a partnership that is solid and reliable. From engaging with the sales team and project managers to working closely with the technical team, they’ve provided an end-to-end solution that has been genuinely effective.