Case Study

National marrow donor program implements cybersecurity controls to protect sensitive patient data

A national marrow donor program assesses controls within the NIST framework to continue to operate within the HRSA transplant program and address the security and IT needs of clients.

Our client's need

A national marrow donor program coordinates the collection of hematopoietic cells used to perform hematopoietic cell transplants. The organization's registry and cord blood units are searched worldwide on behalf of patients who need a hematopoietic cell transplant but lack a suitably matched donor in their family. The hematopoietic cells are used in transplants for patients with life-threatening disorders such as leukemia, lymphoma and aplastic anemia, as well as certain immune system and metabolic disorders.

The donor program and its international blood and marrow transplant research partner both required National Institute of Standards and Technology (NIST) 800-53 assessment and testing services. Working together, the two organizations fulfill the requirements of a contract within yet another transplantation program administered by the Health Resources and Services Administration (HRSA).

In providing services to the federal government, the blood and marrow transplant research organization must fulfill the requirements established by Office of Management and Budget (OMB) Circular A-130, Appendix III, and Title III of the E-Government Act, the Federal Information Security Modernization Act (FISMA), in order to receive renewed authority to operate.

Baker Tilly solution

Baker Tilly's risk, internal audit and cybersecurity consulting practice is contracted for a period of three years to provide NIST 800-53 assessment services to the national marrow donor program and its research partner. Each year, we work with the information security officer to understand the NIST controls that HRSA has designated for testing, and we select additional controls so that the set tested comprises one third of the controls within the overall framework. After testing is completed, we discuss unmet controls with the information security officer and information technology leaders to assist them in formulating remediation plans and documenting their management response prior to report submission to HRSA.

Results achieved

Each year, one third of the controls within the NIST 800-53 moderate impact framework are assessed and tested. The national marrow donor program and its research partner maintain their authority to operate within the larger HRSA transplant program. Further, the organization is able to address the security and information technology needs of all its clients with a report of findings, a statement of fact and the documented NIST testing matrix, as it deems necessary for business purposes.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
