As an analytics start-up serving the healthcare industry, Zephyr Health needed a solid data security plan and program that they could demonstrate to their clients to better develop and maintain their customers’ trust.

The Challenge

Zephyr Health approached us to do a policy review and gap analysis against security certifications. Through our consultation process, we determined that the issue was customer-driven.

Zephyr Health approached us to do a policy review and gap analysis against security certifications. Through our consultation process, we determined that the issue was customer-driven.

Specifically, Zephyr Health’s customers were asking them what they were doing for security, both at a macro (ISO 27001 compliance) and a micro (user authentication) level. We realized they needed to become compliant with a new security standard in order to better develop and maintain their customers’ trust.

Our analysis showed that the appropriate security framework for Zephyr Health would be the Service Organization Controls (SOC2), with emphasis on Security and Confidentiality Trust Principles due to several factors, including:

• Small company size
• No prior certification efforts to set precedence
• SaaS-based data analytics services for customers
• The nature of the data they handle (sensitive to their customers, but not relevant for HIPAA or consumer privacy laws)

Zephyr Health’s concerns were unique, due to the industries they served. They wanted to not only implement a framework of security management and controls, but also provide peace of mind.

Bishop Fox worked in partnership with Zephyr Health, providing expertise in customizing the new policy, process, and technical controls to appropriately mitigate the risks to customers. We also implemented new procedures and a proof of control process to protect Zephyr Health and their clients. And, due to the strong relationship between our teams, the transition process moved very quickly.

The Results

"Zephyr Health passed their SOC2 certification within six months from starts to finish, and with no quality findings by external auditors."

--Rob Ragan, Partner, Bishop Fox

Both teams focused in customizing the new policy, process, and technical controls to appropriately mitigate the risks to customers. They also implemented new procedures and a proof of control process to protect Zephyr Health and their clients' data. And, due to the strong collaboration between our companies, the transition process moved very quickly.

"We continue to enjoy the benefits of the SOC2 implementation; thank you again for your help."

--William King, CEO at Zephyr Health

Customers have reported they feel confident Zephyr Health takes their role as a data custodian seriously, and can have more strategic conversations about solving their customers’ business challenges without security being a cause for concern.

About Zephyr Health

Zephyr Health helps Life Sciences companies organize and visualize health care data to better connect therapies to patients in need. As an analytics start-up serving the healthcare industry, Zephyr Health needed a solid data security plan and program that they could demonstrate to their clients.
Like many new businesses, they wanted to focus on company security in a more methodical way. And, as a small, but growing company, Zephyr Health needed the ability to accurately answer customer inquiries about their security practices.