
Inside Look at Cybersecurity + Compliance at a Hypergrowth Startup: Webinar

Learn how Omada Health’s small DevSecOps team works with Threat Stack’s Application Infrastructure Protection to coordinate, validate and pass compliance, including SOC 2, HIPAA, HITRUST and more. Watch the webinar below for hints on how your organization can optimize your compliance profile.

How Omada Health + Application Infrastructure Protection = Better Cloud Compliance

In this transcript of part of the webinar (viewable below), Omada Health CISO Bill Dougherty discusses the importance of compliance checklists and partners who know and understand compliance requirements.

“From a security standpoint, Omada Health is lucky to be in health care because I don’t have the option of whether or not to comply with HIPAA, so that becomes a great forcing function. But generally speaking, compliance certainly is not an event! Compliance is a process. We all have to live with it and it should become part of your daily, weekly, monthly, and annual cycles.

When you have organizational buy-in, part of that is understanding — based on your current business and long-term growth — what are the things you’re going to likely need to comply with. If you’re selling business to consumer, the consumer probably doesn’t know or care what a SOC 2 is, but you’re not able to process credit cards without a PCI cert. If you’re doing business in Europe, you’ve got GDPR. If you’re collecting end-user information in California, you’ve got CCPA. There’s lots of things you’re going to have to comply with.

Compliance Triage: Creating a Checklist

As you do your triage, part of that is understanding: What are the things you’re likely going to need to comply with? And then creating a checklist, and making sure, as you do something new, especially, don’t do something that you know is going to violate one of those things you know you’re going to have to comply with down the road. So even if you aren’t compliant today, don’t make it worse!

So that really requires you to have a good checklist.

Requirements for Compliance Audit Triage Partners

The other thing is, if you do the analysis and you know you’re going to need third-party attestations (you know you’re going to need a SOC 2, or an ISO, or a HITRUST cert, or PCI), figuring out who your partner is going to be to do those attestations early, and making sure that they are used to dealing with companies of your size, in your industry, that they’ve got knowledge. Setting that relationship early becomes key, because they’ll come in and tell you all the things that you need to fix before you’re ready for the first audit, and they’ll help you triage it.

I brought in a new audit partner. I said, “OK, we just failed an audit, take a look, give me your worst.” They gave me a checklist. Now I know all the things I’ve got to go work on. As I’m working on them, I’ve got a sounding board: “Hey, if we address this problem in this way, is that going to work? Or are you going to come in and tell us that that’s not going to work for us?”

Having that third-party partner, to me, is critical when it comes to compliance.”

About Omada Health

Omada Health is a digital health care company. Its mission is to help people who struggle with chronic diseases live better lives.

About Application Infrastructure Protection

Threat Stack’s Application Infrastructure Protection is part of F5’s complete cybersecurity solution. For more information on how we can help your organization with audits and other compliance issues, contact [email protected], or visit our compliance webpage at Cloud Compliance.