CASE STUDY

How PierianDx Streamlined Security Operations using JupiterOne...

...and saved 90% of the time needed to collect compliance evidence

Bryce Daines, VP of Product Development, PierianDx

PierianDx is catalyzing global adoption of genomic sequencing in healthcare by empowering physicians in the laboratory and clinic to more effectively diagnose and treat patients with cancer and other complex diseases. Their genomic SaaS solutions, CAP and CLIA accredited laboratory, and shared knowledgebase are used by health systems, cancer centers and commercial laboratories worldwide, driving an integrated approach across the clinical care spectrum.

PierianDx's Story

“We were in the cloud, but we weren’t leveraging the dynamic scalability of the cloud for operations.”

It wasn’t that long ago when Bryce Daines, then VP of Engineering at PierianDx, took a look at the organization’s infrastructure and determined significant changes were needed if they wanted to achieve the operational efficiency and scalability necessary to impact more patients’ lives with their clinical genomics platform. On top of that, the petabytes of precious personal and health-related data needed to be properly secured.

Many organizations move their data from traditional servers to the cloud but continue to operate as if they were still ‘on prem’. The vast majority of the value they could get out of the cloud, from containers and microservices to a dynamic architecture for handling workflow, goes untapped, and most of their infrastructure still has to be manually configured every time a change is made.

Scalably Securing the Cloud for Compliance-Bound Organizations

As the operations and infrastructure migrated to fully embrace the cloud, another challenge arose. How does a lean software company in a niche market like genomics effectively and efficiently manage security operations without a dedicated security team, while also facing the market-driven demands of HITRUST CSF compliance? Enter DevSecOps.


Bryce and his team were already practicing a DevOps approach to software development and understood the value of continuous delivery and continuous integration. So the ins-and-outs of DevSecOps that were discussed with JupiterOne General Manager and LifeOmic CISO Erkang Zheng made logical sense. “Organizations often focus on the technology and tools, rather than the security operations. What ends up happening is companies already strapped for time introduce significant yet unnecessary complexity, making the path to achieving and maintaining compliance treacherous. Detecting and isolating security vulnerabilities quickly becomes almost impossible.” DevSecOps combats this challenge by democratizing security responsibilities, prioritizing automation and simplicity wherever possible and bringing security to the table first, not last.

Bryce and his team use this mindset, together with JupiterOne, to pull the information from their cloud infrastructure, SSO and code repository accounts into a centralized location. JupiterOne’s relationship-based data model then connects the dots across these sources, allowing PierianDx to see what changes and vulnerabilities occur in their environment and speeding up remediation.

“We had to learn what it meant to scale and secure a cloud application in the healthcare industry. Our customers’ sophistication and expectations for information security became increasingly complex as we moved up market.”

Bryce Daines, VP of Product Development

Success for Now and the Future

Meeting (then Exceeding) Greater Security Expectations

With smaller organizations, there was more flexibility around documentation. However, as PierianDx began conversations with premier institutions and health systems, market expectations rose. Information security was a priority and HITRUST CSF Certification was becoming a prerequisite. Security questionnaires requiring 200-300 responses took hours or days to complete and were then intensely reviewed by well-staffed IT teams. The burden of responding within the expected turnaround time was too great to keep up with manually.

Bryce and his team used JupiterOne’s Security Policy Builder to graduate PierianDx’s 3-page security document into a complete and detailed Information Security and IT Service Management Policy. This allowed them to review their security stance and to prepare documentation, evidence and responses to prospective clients’ questions in a systematic, repeatable way that left them better prepared for IT reviews.

The outcome of the overhauled operations and security policies was a move upstream that stretched beyond simply greasing the sales wheels with larger prospects. PierianDx is now able to partner with large institutions to help thousands of patients with their clinical genomics platform, while also experiencing the security assurance that comes from attaining their first HITRUST CSF Certification with no corrective actions.

Security Assurance and the Future

Bryce and the PierianDx team are looking positively into the future with assurance in their secured infrastructure. They plan to regularly use JupiterOne’s Compliance Dashboard, which provides a thousand-foot view of compliance as well as the granular details needed to attest to individual compliance controls. The dashboard supports separation of duties (reviewers can assess compliance without operating the underlying systems) while giving its users visibility into the defense-in-depth strategies in place.

One challenge PierianDx will be facing is their impending HITRUST CSF recertification, but they are not concerned. JupiterOne’s relationship-based data model, coupled with JupiterOne’s Smart Search and its natural-language-like querying, allows Bryce to simply search for compliance evidence, as well as for vulnerabilities. Combined with the Compliance Dashboard, it will be straightforward for his team to spot issues in their environment that would require corrective action.

Bryce added PierianDx’s first dedicated security hire this year, but doesn’t anticipate any need to expand beyond that for the foreseeable future. He is confident that with their fully leveraged cloud-based infrastructure, DevSecOps approach and JupiterOne’s Precision Security in hand, PierianDx will be able to comfortably scale their business and quickly navigate the demands of working with larger enterprises while keeping security operations lean.

“Last time around the [compliance] evidence collection was a manual process. With JupiterOne’s querying capabilities and compliance dashboard, I expect the time savings to be 10:1.”

Bryce Daines, VP of Product Development

An empowered security team

“I love JupiterOne’s query and search capability, and the ability to visually see a graph and drill down to explore more. It is so much better than going through a bunch of Visio diagrams that are outdated as soon as something changed.”

Streamlined Onboarding

After only 2 days, Steve Divine, PierianDx’s Senior Security Engineer, had a very clear understanding of PierianDx’s digital infrastructure and environment because of JupiterOne’s graph model. It was easy for Steve to understand who has access to what, and to use JupiterOne’s search functionality to drill deeper into individual changes, resources, devices, etc. Visio diagrams can be useful, but they become out of date as soon as anything changes in your digital environment. JupiterOne addresses this by fetching the data on an automatic schedule, or on a manual request when an up-to-date view is needed immediately.

A Clear Separation of Duties

Another benefit realized by the PierianDx team is a true separation of duties for even greater security. For example, because the data from AWS is pulled into JupiterOne, Steve is able to review changes in the environment, user and device access, etc. without holding any direct access to the AWS accounts themselves. It gives him a complete picture of the different resources the engineering team uses, without requiring his own credentials for, or day-to-day familiarity with, each of them.

Because of this, he is able to spend his time analyzing their security posture from a single location, rather than bouncing from UI to UI and assembling reports by hand.

“Having the visibility of our infrastructure in JupiterOne also means that I don’t really need direct access to our AWS accounts during my day-to-day – this separation of duties is great for security.”

Steve Divine, Senior Security Engineer
