Yale New Haven Health System Achieves GRC Success with Modulo According to Independent Case Study by GRC 20/20


Complementary podcast hosted by securitycurrent explores managing cybersecurity risks in the highly regulated and targeted healthcare industry



Modulo, a leading provider of technology governance, risk and compliance (GRC) solutions, today announced the availability of a GRC case study published by independent analyst firm GRC 20/20 featuring Yale New Haven Health System (YNHHS). Modulo also announced a podcast Q&A interview, hosted by securitycurrent’s Senior Editor Vic Wheatman and featuring YNHHS’s GRC program leader Steve Bartolotta, exploring how to manage the mounting cybersecurity risks faced by healthcare organizations.

These tools provide insights for CISOs on how to achieve GRC success and cost savings across an enterprise in one of the most highly regulated and targeted industries.

Healthcare organizations struggle to keep pace with and scramble to create effective GRC programs to address a breadth of risks, regulations, liability, and fines. In light of increasing risk and compliance pressures, YNHHS - which historically approached GRC activities manually through different departments - sought to create a sustainable process supported by technology architecture for GRC with the following goals: understanding and managing risk, ensuring compliance with obligations, improving human and financial efficiencies, enhancing transparency, and managing GRC in the context of a dynamic and distributed healthcare environment.

Titled “Utilizing Technology to Enable GRC Across the Organization,” the YNHHS case study outlines how the organization deployed Modulo Risk Manager and achieved GRC with centralized visibility: the tools to monitor across departments and processes; the ability to collaborate across security, compliance and hospital operations; a process for connecting dots between risk and compliance across the organization; and a way to integrate risk-based views to communicate “big picture” GRC.

“It is no small task to manage risk across our network of operations and comply with the many standards and regulations imposed on a healthcare organization. We evaluated the top IT GRC solutions and after a deep analysis into cost and functionality, selected Modulo Risk Manager as our GRC platform. Modulo met the core functionality requirements for IT GRC, privacy, and security compliance projects at one quarter the costs of other leading contenders. We were also impressed with Modulo’s extensive knowledge and experience. Since its successful deployment, Modulo has seen broad reception across YNHHS and has expanded beyond the initial IT GRC focus to include enterprise GRC applications,” commented Steve Bartolotta.

“GRC 20/20 measures the value of GRC engagement around the elements of efficiency, effectiveness and agility. We found that Modulo meets and exceeds value in these three areas: YNHHS has seen increased productivity in which they can complete more assessments in a given time period than they could before; has become more efficient in its use of resources, allowing them to get more assessments done without increasing staff while removing overhead and dependency on external consultants; and has removed overlaps between groups with a consistent information architecture that has enabled them to achieve agility across the organization,” added Michael Rasmussen, principal analyst, GRC 20/20.

The GRC 20/20 case study outlines the following challenges and results for the YNHHS GRC program:

  • On-premise assessments for over 300 remote sites. Where YNHHS previously performed assessments on 10% of off-site locations per year, they can now assess all 300+ sites. Using the Modulo Risk Manager Questionnaire mobile app streamlined site surveys on privacy and security requirements and gave management the ability to view reports in boardroom meetings presented directly from tablet devices.
  • Assessments for over 600 IT applications. The YNHHS team will complete all 600 IT application assessments – required to comply with HIPAA and other privacy standards due to the sensitive protected health information (PHI) they store – in the course of a single year, where previously they could only get through a third of them. The fully automated application security assessment process in Modulo Risk Manager features standardized surveys and forms that are delivered in an intuitive and easy-to-use interface that has been well accepted by distributed groups across the health system. YNHHS is able to identify and prioritize the most critical application security issues and track them through remediation.
  • Compliance with multiple standards. YNHHS utilized the extensive knowledge base of regulations and frameworks within the Modulo Risk Manager system – along with the system’s flexibility to add the Health Industry Trust Alliance (HITRUST) Common Security Framework (CSF) and ability to customize questionnaires and surveys for risk assessments across various business units and the enterprise – in order to demonstrate compliance with over 15 healthcare-related mandates ranging from HIPAA/HITECH, JCAHO, Stark, Red Flag Rules and state privacy and security laws to FISMA and PCI DSS.

Further, YNHHS has rapidly expanded its implementation beyond the initial successful IT GRC use cases to include enterprise GRC applications. Modulo Risk Manager’s integrated platform currently manages the following projects for YNHHS’s GRC program: Federal Information Security Management Act (FISMA) compliance and workflow; Payment Card Industry Data Security Standard (PCI DSS) compliance; Security and privacy program using the HITRUST framework; Policy mapping; Vendor and other third-party assessments; Security design reviews; Documentation, approval, and management of policy exceptions; Management and filing of employee and contractor confidentiality requests; Assessments and regulatory compliance activities for fire, facilities, physical security, and health and safety; Integration with security systems, including vulnerability scanners; and Audits around inappropriate access to patient records.

YNHHS continues to expand into new areas, currently including a pilot program to address the needs of the emergency preparedness group and two other GRC programs for the finance and internal control groups.

To download the case study by GRC 20/20 and listen to the podcast interview hosted by securitycurrent visit: http://modulo.com/automated-enterprise-information-security-case/

About Modulo
Modulo is a leading global enterprise provider of technology governance, risk and compliance (GRC) management solutions. Hundreds of organizations around the world leverage the award-winning Modulo Risk Manager™ as a flexible and affordable approach to manage risk, compliance, and business continuity across the enterprise and extended enterprise of third-party relationships. Customers span the financial, healthcare, retail, manufacturing, higher-education, telecom, energy and government sectors and include BASF, BC Hydro, Commercial Bank of Dubai, Microsoft, New York University Medical Center, Synovus Financial, and Schlumberger. Modulo has earned industry recognition as both a 2012 and 2013 Innovator of the Year from SC Magazine, which also gave the company's products “5-Star” review ratings for three consecutive years.

Visit http://www.modulo.com and follow Modulo on Twitter @Modulo_Intl.


Contact Author

Leslie Kesselring
+1 (503) 358-1012
Modulo Security - International Headquarters
