How CareStack used Sprinto to streamline compliance and organize a multi-framework audit in 3 months
CareStack is an award-winning, all-in-one cloud dental practice management software that addresses the end-to-end needs of dental offices like appointment scheduling, billing, patient engagement, and reporting. Leading dental practitioners and large group practices including Meridian Dental Specialists and Morisson Dental Group have successfully streamlined and scaled their operations with CareStack.
At a glance
Frameworks: ISO 27001:2013, HIPAA
Location: USA
Time to audit readiness: 3 months (ISO 27001:2013 audit and HIPAA attestation readiness)
Outcomes: automation-enabled compliance baseline; common control mapping to support multiple frameworks; savings in effort and cost
Challenge
From the beginning, CareStack had established a strong foundation for data privacy and security. However, without attestation of compliance with HIPAA and ISO 27001:2013, their ability to expand into new markets and attract interest from larger institutions was constrained.
With major business expansion plans on the cards, CareStack needed to accelerate a formal compliance program: obtain HIPAA attestation and ISO 27001:2013 certification at the same time, and over time pursue compliance with GDPR and PDPA as part of their long-term strategy.
CareStack initially explored working with consultants but ultimately chose a GRC automation tool that supports multiple frameworks. This decision was driven by the substantial cost savings, faster turnaround times, and better scalability such tools offer. “The conventional approach to compliance management — relying on manual processes and spreadsheets — to manage evidence, enforce policies, carry out training, and monitor controls creates hurdles to scaling,” noted Sriram Subramanian, Consultant Director of IT Compliance at CareStack.
As CareStack wanted to avoid patchwork effort, holistic compliance and streamlined operations were at the center of their requirements. While exploring GRC automation partners, CareStack, among other things, paid special attention to a platform’s ability to drive efficiencies at scale. Since multi-framework compliance was the object of the exercise, the ability to merge actions, like cross-mapping controls, was desirable.
In addition to cost savings, CareStack also evaluated the depth of automation, degree of customizability, and quality of support when making their decision. They opted to exclude other GRC automation vendors due to their conventional approach, lack of integrations, inflexible compliance modules, and inadequate communication practices.
Sprinto offered the flexibility we needed. With Sprinto we could see how we could cross-use controls between frameworks to drive HIPAA and ISO 27001:2013 in parallel. And the team’s prompt response and clear communication sealed the deal!
Solution
CareStack started by migrating its existing policies, procedures, documents, and other artifacts to Sprinto. Since CareStack already followed security best practices and had baseline policies in place, they only needed to adjust these policies to align with HIPAA and ISO 27001:2013 requirements. Sprinto’s built-in policy templates expedited this exercise. “We uploaded our own policies, and also used Sprinto templates to save time,” remarks Sriram. Operationalizing policy acknowledgment and security training followed immediately after.
With integrations connected, activating controls was next. Because Sprinto pre-maps controls, and the checks that monitor them, to the frameworks it supports, CareStack was able to expedite its launch and begin monitoring both programs quickly.
Being able to customize controls and rein in the level of automation was important to CareStack. “We did not want to automate certain aspects of compliance,” notes Sriram. “With Sprinto it was easy to calibrate automation to fit our preferences. Instead, we worked with the Sprinto team to set up various monitored checks to keep the process on track while retaining control with us,” he adds.
Chiefly, it was Sprinto’s common control mapping, which aggregates and correlates control data across frameworks, that let CareStack sidestep repetitive tasks such as running the same control check once per framework and collecting duplicate evidence, and focus on remediation and optimization instead. This crosswalk kept the program moving and helped CareStack reach audit readiness for both frameworks in record time. “What would have taken 9-12 months was completed in a matter of weeks,” recounts Sriram.
Controls being the same, it only makes sense to tackle multiple frameworks at once. Sprinto made it possible and easy — for us and our auditor.
Results
CareStack achieved audit readiness for both ISO 27001:2013 and HIPAA in just 3 months. “The velocity at which Sprinto facilitated our audit preparation, even as we opted to exclude certain controls from automation, exceeded our expectations,” Sriram expressed.
CareStack’s audit with Sprinto was low-touch and fully remote: the evidence review was carried out start to finish on Sprinto’s secure auditor dashboard.
I was delighted by the zero-touch audit enabled by Sprinto and its partner auditors.
Since CareStack became compliant and received its certification, Sriram has seen a significant decrease in manual workload and compliance chaos, thanks to the automation and centralization of control monitoring, evidence gathering, and check remediation workflows. Supported by a dedicated dashboard that tracks compliance continuously and in near real time, Sriram describes a more disciplined compliance practice that empowers CareStack while curbing compliance drift.
CareStack now has a more organized and agile compliance baseline. Streamlined compliance programs, continuous control monitoring, and smart alerts enable them to stay on top of compliance requirements day after day. Says Sriram, “We can confidently layer on more compliances now, like GDPR, and others. An organized compliance machinery is in place.”