We are a health IT software company that offers a cloud-based software solution. Our system does collect personally identifiable health information. Our customers are health systems, hospitals and primary care medical groups. In terms of cybersecurity, what do companies like us typically do? We are small and do not have in-house resources to manage security. We have successfully undergone a few security assessments by our customers so we believe our platform is secure. But how do we know if we've been breached? How often do we need to consult vulnerability assessments and code scans? Do we need to hire a 3rd party internet security company to monitor our environment? How much should we expect to pay per month and what should we expect in terms of services?
It feels worth mentioning that there's lots of existing material on handling PII and implementing measures to comply with HIPAA and GDPR. Companies of every size should take handling of PII seriously and there's plenty that even a very early stage startup can do:
External third-party scans and vulnerability assessments can be useful, though, in my experience, unless you're paying for a full penetration test, they're likely just to prod your infra for open ports/services and make note of which HTTP security headers you're not using.
Definitely you need to secure the network database by building robust architecture, you can use third party services to plug loop holes . Let me know , if you want to try our service
In terms of cybersecurity, what do companies like us typically do?
A lot of assessments, code reviews, has their own SOC team or contract some.
But how do we know if we've been breached?
You need to implement some measures and then you need logs, logs everywhere. You need that your system/application warn you when some strange thing happens.
How often do we need to consult vulnerability assessments and code scans?
If you are a small company, try to implement a SDLC in your team that will be some thing huge for your security.
Do we need to hire a 3rd party internet security company to monitor our environment?
If you don't have some specialist then you need.
How much should we expect to pay per month and what should we expect in terms of services?
What country are your company from?