Behind the Scenes
Q&A with BioIQ’s Compliance Officer
BioIQ’s confidential data could not be in safer hands, thanks to Ruth Mwangi. She earned her bachelor’s in science education from Moi University in Kenya before graduating from Kennesaw State in Georgia with a master’s in conflict management. Today, she directs BioIQ’s regulatory procedures and security requirements. Meet Ruth Mwangi, BioIQ’s top-notch compliance expert.
How long have you been with BioIQ and what brought you to the company?
I joined BioIQ in 2015. BioIQ stood out to me because it was younger than most of the companies I had worked with. I was excited for the opportunity to be part of a growing company where everyone’s contribution is really important to the organization. Your contribution is felt, and necessary. I am still excited to see the progress we’ve made. We have not only grown in our organizational maturity but also in the number of lives we’ve touched.
What do you do as a compliance officer and how did you become interested in this field?
As a compliance officer, I work with all teams across the organization to ensure that we maintain regulatory compliance in our daily operations. Here are some quick examples:
- I respond to audits from existing clients to show evidence of our security and compliance posture. When new clients such as health plans want to do business with BioIQ, they require BioIQ to demonstrate its compliance with multiple regulatory requirements. I respond to those requests on a regular basis.
- Internally, I am tasked with the development, implementation and maintenance of appropriate privacy and security-related policies and procedures as defined by HIPAA and HITECH. I conduct various risk analyses throughout the year and ensure that gaps are identified and mitigated. When there’s an incident involving PHI (protected health information), I am required to respond to those incidents. The actions taken depend on the severity of each incident.
- I also have to identify all mandated training for employees and preview it to ensure it covers all statutory requirements.
- I work with the tech team to ensure that technical controls are in place for data privacy and any vulnerabilities are resolved in a timely manner.
- On vendor management, I review all contracts under which access to confidential data is given to outside entities such as our vendors. I bring those contracts into compliance with the Privacy Rule, ensuring that confidential data is adequately protected when such access is granted.
- I work with the product team to ensure that initiatives are structured in such a way as to protect participant privacy, and I respond to participant concerns about privacy.
My journey into compliance was a natural progression. I started out in conflict management, which involves a lot of study in public policy, ethics and related areas. Along the way, I acquired certifications in information security such as CISA, CISM and Certified HITRUST Practitioner. I went on to audit information systems based on regulatory requirements such as Sarbanes-Oxley, HIPAA and HITECH. It was an easy move for me from doing the audit to creating the compliance framework for similar requirements.
How did you end up in Atlanta?
I think it was a chance connection for me. I came to visit a cousin who lived in Atlanta and just loved the weather and the people.
What did you do before coming to BioIQ?
Prior to joining BioIQ in 2015, I had worked for more than eight years in the healthcare industry as an IT security auditor and compliance analyst. I also worked in the retail industry for a short while, helping to implement PCI compliance for a large franchise corporation.
What does it mean to be a certified HITRUST practitioner?
A HITRUST practitioner is an information security practitioner who has deep knowledge of the regulatory requirements and standards that drive the physical, technical and administrative controls that organizations must implement. They provide organizations with guidance on implementing risk management and compliance frameworks based on the HIPAA Privacy and Security Rules, the HITECH Act, PCI DSS, the FTC Red Flags Rule, GDPR and SOX, among others.
Why is earning HITRUST certification important to BioIQ and its clients?
BioIQ and its clients are required to comply with multiple regulatory and third-party requirements. State requirements may vary from one state to the next and may be more stringent than federal regulations.
The HITRUST CSF is a comprehensive and flexible framework that normalizes the security requirements of healthcare organizations from multiple sources (federal, state, third parties, etc.). It allows organizations to assess the high-risk areas of an IT environment. By certifying against a third-party validated framework, BioIQ demonstrates to clients and prospects its commitment to operate in compliance with federal and state regulations as well as industry-leading practices. This validated assessment allows BioIQ to test once and show compliance with multiple requirements.
What IT compliance trends and topics are most relevant for healthcare companies this year?
Protecting ePHI (electronic protected health information) continues to be a big priority in the healthcare space. Electronic PHI provides a large surface for attacks, including cyber extortion and identity theft, which can lead to significant financial and legal consequences for organizations. These attacks are often facilitated through the exploitation of open vulnerabilities, phishing attacks, weaknesses in third-party controls, breakdowns in change management controls and even insider threats, among others. With the spike in cyber extortion against businesses and city governments, patch and vulnerability management continue to be a top priority, including for third parties who have access to sensitive networks.
What’s up next for BioIQ in the area of compliance?
BioIQ is currently performing an interim HITRUST assessment to certify that the controls continue to be in place, allowing us to keep our certification. We continue to work closely with the tech team to ensure that required technical controls are in place or vulnerabilities have been mitigated.
What do you do when you’re not working?
I love to take long walks while listening to my favorite podcast, "Snap Judgment," or an audiobook. I also enjoy spending time with my husband and two grown kids.
What do you miss most about Kenya?
The weather is beautiful! It feels like fall most of the year. I miss hanging out with old friends, family and just seeing nature.
Subscribe to the BioIQ blog to receive weekly updates and new behind-the-scenes interviews with BioIQ’s dynamic leaders.