When Cathlynn Nigh worked in compliance and internal audit at TransUnion, she probably didn’t realize she was on a path that would lead directly to founding BEYOND LLC, a HITRUST CSF assessor organization that also provides readiness, validation, and remediation services. While on that path, she worked for Blue Cross Blue Shield, where she was on the internal control and evaluation team that handled HITRUST prep as well as testing work for the organization to obtain HITRUST certification. That was when she recognized an untapped business niche.
“I realized that my background provided the perfect skills for working with small- to medium-sized companies that didn’t have the resources of much larger organizations to build their information security programs, identify security risks, or obtain HITRUST certification,” Nigh says. “I could create a company to provide the kind of one-to-one counseling and compliance consulting that no one else was offering.”
Within a year and a half, BEYOND opened offices in Chicago, New York City, Cincinnati, and Orlando, Florida, and has grown to a staff of twelve highly seasoned IT, security, and other specialists. Ironically, its depth of expertise has also enabled the company to land one of the largest payer organizations and one of the top national hospitals as clients—both of which are outside the niche Nigh had envisioned.
“Even with as fast as we’ve grown, we’re still very much a boutique firm,” she says. “But that has much more to do with the unique capabilities we offer than it does with our size.”
The team includes chief information security officer Ray Biondo, a former HITRUST board member and former chief information security officer at a large healthcare payer organization; director of information security and HITRUST services Craig George; vice president of operations Suzanne Dennison, a former brand manager at Sprint; compliance analyst Sean Brennan; and Lynn Elliott, senior technical writer and a former Random House editor.
With that bench strength, BEYOND is different from many competitors in that every team member is accessible to clients to answer questions and address ongoing issues.
“You get the A-team right off the bat,” Nigh says. “That ensures that we directly deal with clients’ priorities and are accountable for focusing on what’s important to them.”
She stresses the importance of companies finding a consultancy with advisors who are the right fit for their organizations. That is because the HITRUST validation process is extremely rigorous and time consuming, with all the required processes and testing executed at the same time that IT departments are maintaining normal day-to-day operations. Preparing for a successful certification can easily take more than a year, so a match of personalities and cultures between the client and the consulting firm is critical.
BEYOND takes a multiphase approach to achieving HITRUST certification. The team first assists with a self-assessment process that compares a client’s existing information security program to the requirements for HITRUST CSF certification. Next, BEYOND makes recommendations on how to strengthen security and prepare for the HITRUST validation process itself. Once reviews, testing, and validation are complete and certification is obtained, the team is available to work with the client to maintain, mature, and align their program with HITRUST requirements.
“HITRUST is an ongoing framework, not just a point in time,” Nigh explains. “We can work with clients on a continual basis or step in to help them address any issues that may be identified during interim year reviews.”
Because of its boutique environment, BEYOND frequently identifies additional services that can greatly enhance clients’ information security programs. While working towards HITRUST certification, the team discovered that its first client also needed internal control documentation. They were able to immediately pull the writing team together to address the issue.
In many cases, the company also works with external partners to address specific client needs. BEYOND has become an Armor Channel Partner to offer managed services for monitoring threats and vulnerabilities, and also works with CPA firm IS Partners when accounting services and SOC 2 reporting are required.
“Clients come to us when they want to obtain HITRUST certification, but we have the foresight, agility, and existing relationships to recognize and successfully address other areas that impact the integrity of their security operations,” Nigh says.
In addition to enjoying the collaboration that occurs between the company and its clients and partners, Nigh feels a sense of satisfaction as she witnesses changes within the IT community.
“We’re all dealing with the unfortunate reality of data breaches and new forms of risk,” she says. “But those challenges have spurred an evolution as information security takes on a more prominent role within many organizations and overall security awareness increases.”
New technologies have also created opportunities for the company. In one instance, a client became one of the first cloud-based healthcare organizations to obtain HITRUST certification. BEYOND worked with HITRUST to appropriately adjust the processes involved and succeeded in making its client one of the first to be certified for cloud-hosted operations.
For all of BEYOND’s technical skills and accumulated knowledge, Nigh maintains that another reason for its success is the passion of the team. For them, protecting health information goes beyond technical infrastructure and certification requirements. It’s personal.
“There are established methods and protocols to successfully increase security and deal with data breaches,” she says. “But when health information is involved, it means critical devices can malfunction or a patient might be given the wrong medicine. Our work isn’t just about proprietary information—it’s about protecting lives.”