Lockstock Enhanced Cybersecurity Compliance for a State Agency's Healthcare Applications
Client Overview
A state government health and human services agency needed to enhance its application security, third-party risk management, and compliance posture. The agency relied on multiple external vendors for software development, management, and data processing, which introduced significant risk in handling sensitive health and personal data. The organization was required to maintain compliance with NIST 800-53 Moderate, CMS security requirements, and other state and federal regulations.
Problem Statement
The agency faced several key challenges:
Managing application-layer risk – With multiple third-party vendors developing, managing, and storing sensitive data, there were gaps in secure software development, access control, and compliance oversight.
Compliance and governance – Ensuring continuous compliance with NIST 800-53 Moderate, CMS security standards, and additional regulatory frameworks was a resource-intensive challenge.
Limited internal resources – The agency had to achieve a high level of security and compliance with a constrained budget and limited security staff.
Failure to address these risks could have led to compliance violations, audit failures, and exposure of sensitive citizen data.
Scope of Engagement
Our firm provided ongoing security architecture consulting, focusing on:
Standardizing security processes across all verticals to improve consistency and compliance.
Developing and automating security controls to maximize efficiency with limited resources.
Improving third-party risk management to ensure vendors met security and compliance requirements.
Conducting business impact analyses (BIA) and risk assessments, and producing security documentation including System Security Plans (SSP) and Plans of Action and Milestones (POAMs).
Approach & Solution
To address these challenges, we implemented a structured security architecture approach centered on automation, standardization, and governance.
Security standardization across all agency verticals – We developed a unified security framework ensuring consistent security measures across all applications and services.
Automation of compliance and risk management – We integrated security tools and workflows to automate third-party risk management, continuous monitoring, and vulnerability assessments.
Third-party vendor security assessments – We evaluated vendors against NIST 800-53 Moderate and CMS compliance requirements, ensuring all third-party software met security and privacy standards.
Risk-based security architecture improvements – We guided the agency in prioritizing high-impact security investments and refining policies to improve resilience against cyber threats.
Results & Impact
Achieved and maintained CMS compliance, ensuring the agency met federal and state regulations.
Significantly improved third-party risk management by holding vendors accountable for security and compliance.
Standardized security processes across all verticals, reducing inefficiencies and improving security oversight.
Enhanced security posture through automation, reducing manual workload and allowing internal teams to focus on strategic initiatives.
Client Testimonial
This engagement transformed the way we approach security across all verticals. The expertise and structured approach provided clear guidance, standardization, and automation that allowed us to meet compliance and strengthen our security posture efficiently. Beyond compliance, this partnership helped us shift from reactive to proactive risk management, ensuring that our security strategy is sustainable and scalable. This is why we continue to rely on this team as a trusted advisor.
Lessons Learned & Best Practices
Standardization and automation maximize efficiency – Establishing repeatable security processes across all agency verticals reduced compliance risks and improved resource management.
Proactive security architecture strengthens compliance – Aligning security strategies with regulatory frameworks like NIST 800-53 and CMS standards ensures that compliance is built into security operations rather than treated as an afterthought.
Third-party risk management is essential – Vendor oversight and security assessments play a critical role in protecting sensitive data and application security.
This engagement reinforced the importance of structured, scalable security strategies and continues to guide our approach in helping organizations navigate complex security and compliance landscapes.