Benevis, founded in 2002, provides non-clinical support services to dental offices all over the U.S. The company aims to improve access to dentistry by providing the highest-quality non-clinical practice services to some of the nation’s leading dental practices.
With more than 150 dental offices in its network, Benevis must comply with HIPAA and PCI.
Case study overview
- Create and maintain a holistic cybersecurity and compliance program
- Increase program visibility and identify (and address) all program gaps
- Expand the scope of their cybersecurity program without adding manpower
Case Study Highlights
- Managed cybersecurity and compliance as a series of ad hoc projects
- Dependent on disjointed spreadsheets and other static documents
- Compliance was tedious and time-consuming
- Could not reliably identify and address all gaps
- With Apptega, Benevis established a unified compliance program
- Now have constant visibility into compliance status and gaps
- The platform supports business expansion and remediation of new cyber risks
About Benevis
Founded in 2002, Benevis provides non-clinical support services to dental practices in 17 states, led by its proprietary and award-winning dental practice management system, DentaPro.
With more than 150 dental offices and more than 3,000 employees within the Benevis network, the company is focused on ensuring its clients always have the best clinical and customer experiences when visiting a Benevis-supported dental practice. That experience is enabled by technologies that facilitate, streamline, and expedite customer engagements.
But with technological advancements come increased risks — for not only Benevis but also organizations around the globe.
For a company like Benevis that processes, stores, and transmits both protected health information (PHI) and personally identifiable information (PII), privacy, compliance, and cybersecurity are increasingly critical to operational success.
And while compliance and cybersecurity are different, “there are many synergies,” Will Alexander, Benevis CIO, points out.
Benevis’ philosophy is centered around compliance — ensuring millions of patient records are safe and accessible. It’s a mission supported by the growing need to ensure effective and scalable cybersecurity that evolves as company and customer needs change.
That’s why Benevis is making increasing commitments to ensuring both privacy and security for all of its patients.
“We are focused on compliance from a quality-of-care perspective,” Alexander said, citing increasing requirements through mandates such as the Health Insurance Portability and Accountability Act (HIPAA). “We’ve got to do everything we can to uphold our commitment to privacy and security.”
Part of upholding that commitment includes not only meeting and exceeding compliance and regulatory standards but also building a risk-mitigating cybersecurity program that facilitates quality care and provides the foundation needed for organizational growth.
The team understands that while HIPAA is often at the forefront, a single non-HIPAA-related cybersecurity event could cause significant disruptions and negatively affect reputation and customer experiences, ultimately impacting financial performance and the ability to grow the business.
For these reasons, Benevis has relied on Apptega to help ensure both compliance and effectiveness of its cybersecurity practices.
From Ad Hoc Projects to a Cohesive Program
Before adopting Apptega’s cybersecurity management platform, Benevis approached compliance as a series of projects, as many organizations do. Individual projects were set up to address compliance standards, respond to assessments, and prepare for audits.
Upon completion of a compliance project, the team moved on to the next in succession. This manual approach was tedious and time-consuming — further exacerbated by dependence on spreadsheets and other static documents. And because the company built and maintains a proprietary dental management software solution, it couldn’t rely on an outside service provider to tackle HIPAA and other compliance measures. Instead, the company’s small team, with limited resources, manages compliance internally.
That’s quite a chore considering the software powers everything patient-related from scheduling and charting to billing and beyond. The pre-Apptega approach based on spreadsheets carried significant overhead and couldn’t reliably identify and address all the gaps. But once the Benevis team made the switch to Apptega, they felt as though they had finally established a true compliance program underpinned by a true cybersecurity management platform.
“Now we manage cybersecurity effectiveness and compliance as a program, where it’s continuous,” Alexander said. “And we’re able to make constant improvements and easily get the information and visibility we need. At all times, we know exactly where we stand and where we need to go.”
Here are some of the many ways Apptega has helped the Benevis team eliminate its project-based approach to compliance and security and evolve into a program-based practice:
- Eliminated manual data entry and repetitive tasks
- Eliminated the need for team members to manually schedule (and remember) compliance and security tasks and responsibilities
- Decreased team workload with automation
- Expanded the scope of the cybersecurity program without adding manpower or overspending on additional resources
- Helped the team facilitate internal audits at any time, so it always has insight into where the company meets standards, where it has gaps, and what to prioritize for remediation and improvement
- Enabled team members to quickly generate customizable reports for a breadth of insight, including framework-specific compliance measures
- Facilitated crosswalking of multiple compliance frameworks (like HIPAA and PCI DSS) with security frameworks (like NIST or ISO) to eliminate redundancies and minimize overhead
- Promoted accountability with automated scheduling and task reminders
- Improved visibility, including alerts when issues arise
- Provided the team with access to policies and other templates to quickly spin up new programs as needed
- Provided executive leadership and key stakeholders with digestible and actionable visibility into cybersecurity effectiveness and compliance
- Gave security and compliance team members granular insight into their policies, processes, and programs
- Established document repositories for audits and assessments, ensuring access to current, accurate documentation for all team members
- Provided the team with insight into which issues pose the greatest risks, so they understand what to prioritize for remediation
- Decreased chances for human errors and increased data accessibility and reliability
Confidence in Priorities, Plans, and Audits
With Apptega, the Benevis team is more prepared for audits than ever before. Team members can prepare for audits faster by ensuring they have what they need before an audit begins — and quickly provide additional data and documentation on the fly as needed.
Apptega brings a level of awareness to the forefront that the team didn’t have when they were using spreadsheets. By always having insight into program effectiveness and compliance gaps, they can efficiently conduct internal evaluations before a formal audit. And when they can’t immediately remediate a deficiency, they can make plans and begin processes. So, when the auditor points out an issue during a review, they are already prepared with an action plan.
Apptega helps Benevis create those action plans with built-in remediation suggestions that help determine what needs attention first. That’s important for a lean Benevis team that needs to prioritize resource expenditures, in terms of people, tasks, and finances.
“Cybersecurity and compliance are critical in support of our growth objectives, but we don’t have unlimited resources,” Alexander said. “We’ve got to be very selective and make informed decisions as we prioritize the use of those resources. Having Apptega to help us confidently make those informed decisions with full visibility is very helpful.”
Easy to Use and Scale
Benevis team members agree that, unlike the tedious spreadsheets the team previously used, Apptega was easy to implement and provides easy-to-understand dashboards, step-by-step guidance, and amazing customer support.
At the outset, Apptega highlighted everything Benevis needed to address in a digestible manner, enabling a shift from being compliance-project-driven to a culture that embraces continuous compliance and security programs. Benevis is now building on the foundation established with HIPAA and PCI DSS compliance and is ready to start working on broader, more far-reaching cybersecurity frameworks such as NIST CSF and ISO 27001 to further mature its program.
“HIPAA is important,” Alexander explained. “We must abide by those regulations. But it’s also important to take a step back and ask, ‘Outside of HIPAA, what could happen that could put us at risk?’ That’s a cyber event, and it doesn’t necessarily have to be HIPAA-related. Bringing in a more global, over-arching cybersecurity framework is key. Adopting a new framework that guides cybersecurity controls is important to us as we continue to grow our business.”
With Apptega-fueled insight and compliance framework templates available in the solution, the team can use Apptega Harmony to crosswalk their current and future compliance and security frameworks for insight into which controls they have already implemented and get a clear picture of where they need to go, even before they start the next framework process. And as Benevis implements new frameworks, the company can do so with maximum efficiency and minimal additional workload through Apptega.
Apptega has also helped the Benevis IT team eliminate bottlenecks that can happen with new projects when security sometimes becomes an afterthought. No longer tied up with manual compliance processes, Benevis can now address other technology and security needs as they come up, instead of getting backlogged behind audit and assessment preparation and response.
“Being nimble to quickly enable value creation for our business is paramount,” Alexander said. “But too many times, I’ve seen cyber events occur in organizations when they forget to maintain standards for processes, visibility, and control. These organizations lacked the foundation needed to assimilate business value creation into their cybersecurity and compliance programs. With Apptega, we’re confident that we have the platform needed to support the needs of the business as well as quickly identify and remediate any new cyber risks as they emerge. When the business needs us, we won’t be a bottleneck or holdup. We’re positioned to move at the pace that supports our strategic objectives.”