HBS Helps Software Firm Answer Customers’ Cybersecurity Requirements

This medical software company called on HBS to lead the SOC 2 process their customers were demanding. NewCura wound up with a partner for creating an entire cybersecurity roadmap. 

Company: NewCura
Industry: Healthcare Software
Established: 1999
HBS Service: SOC 2®, vCISO, Risk Assessment

SOC 2® Just Became Mandatory

One client call can turn a cybersecurity “nice to have” into a “must-have.” For software development company NewCura—previously Summit Imaging—that call came from a large university medical center that was considering working with NewCura—but only if it had a SOC 2® report. Knowing they needed a push (and expert insight) to formalize processes they had already started, Summit called on HBS for its SOC 2® work—and found a partner for the long haul.

Experts in Medical Imaging

NewCura, a 25-year-old company based near Kansas City, Missouri, offers two software applications for endoscopy clinics and other visible light imaging applications in the medical field.

NewCura’s EndoManager suite covers image capture, physician documentation and reporting, and integration with electronic medical records (EMR) systems such as Cerner, Epic, or Meditech. Their ScopeCycle program helps organizations manage cleaning protocols for equipment (known as reprocessing).

Hundreds of NewCura customers in the United States, Canada, and Australia range from single-physician clinics to large, multisite healthcare systems. Many of the company’s employees serve as software developers and help desk technicians who frequently log into clients’ environments via VPNs to directly work on issues.

The Push for Third-Party Verification

While NewCura hasn’t faced specific HIPAA compliance requirements so far (since personal healthcare information is all stored on clients’ systems), the company trains its technicians to follow HIPAA guidelines while handling tech support issues inside customers’ systems. “We’re handling PHI, so we’re always very cognizant of security across the board,” says Chief Executive Officer Darren Meyer.

Driven by that mindset, NewCura had many solid cybersecurity policies in place but lacked an overarching policy strategy. “From a technical standpoint, they were meeting a lot of the requirements before we started working with them,” HBS virtual CISO Matthew McGill says. “But they had really limited governance and didn’t know how to go about standing up a formal security program.”

“We had started this process loosely ourselves,” Chief Operating Officer Evan Doss says. “But we quickly learned that professional guidance would be required to get us across the finish line.”

Pursuing SOC 2®

When that call came in from the university medical center requiring a SOC 2® report, NewCura decided it was time to call in a pro. The customer’s requirement wasn’t a surprise. “They weren’t the first to ask for a SOC 2® report,” Darren says. “But they were the first to require it.” As NewCura scaled up to serving larger healthcare organizations, they knew they increasingly faced professional risk managers who would require third-party verification of vendors’ security postures.

Like many other companies, NewCura recognized three advantages to hiring a company like HBS to help them prepare for a SOC 2® exam rather than going it alone:

  • The process would go faster.
  • NewCura wouldn’t have to devote a large share of its internal resources to the process.
  • They were almost assured of getting a positive SOC 2® report on the first try with experts guiding their preparation.

Picking a Partner

From the earliest calls, Darren liked HBS’s capabilities and philosophy for the SOC 2® Type 1 process. He appreciated that the consultants NewCura met during the selection process would actually be doing the work. “We’re a small business, and I wanted to work with another small business,” Darren says. “We could’ve gone with some larger companies, but I was looking for that personalized touch.”

HBS won Evan over with a clear vision for NewCura's future.

NewCura also puts a high value on HBS’s longstanding partnership with LWBJ, an accounting firm that performs the audit side of the SOC 2® process. “It certainly does make it easier that HBS knows what to expect and knows what to prep us for,” Darren says.

SOC 2® and Beyond

NewCura’s SOC 2® Type 1 report provided quick payback in multiple areas, including saving staff time. The security questionnaires that many health systems send their vendors cover 200-300 questions and take most of a week to fill out. “Now we can eliminate a lot of that by sending them our SOC 2® report,” Evan says.

The SOC 2® report has also helped Summit Imaging with its cyber insurance carrier by checking multiple boxes required to renew the cyber insurance policy.

NewCura’s other work with HBS has included a limited risk assessment and a tabletop exercise to test their incident response plan. In late 2020, they signed up for HBS’s vCISO service, driven again by customer requests.

“NewCura wasn’t always seeing how they could point to their compensating controls to show why they didn’t need to have a control exactly like the one the client described,” McGill says. “They were implementing a lot of different controls to satisfy a lot of clients.”

Matthew has helped NewCura successfully push back on some client requests that differ only in language from NewCura’s existing policies.

As NewCura grows, they’re counting on HBS to chart their cybersecurity path. In the near future, the team will move beyond basic compliance and perform a full risk assessment of the organization. They will also evaluate new network infrastructure that would increase security and decrease costs.

“HBS is our expert helping us with what we don’t know we don’t know,” Evan says. “It’s not what is required now, but what is going to be required in the future that we don’t know about. We feel like we have someone to call up and consult with on future projects.”
