CSMA Case Study: How a Healthcare Provider Is Transforming Its Security Posture

AKATI Sekurity CSMA Case Study

About the Customer

The client is a specialized healthcare organization operating multiple rehabilitation centers. Their critical operations and patient data rely on a central Health Information System (HIS) and an ICT infrastructure managed by a third-party service provider.

Client Overview

Industry:       Healthcare
Challenge:      Establishing a formalized, measurable cybersecurity program and embedding risk management into operations and supplier governance.
Solution Used:  Cybersecurity Maturity Assessment (CMA)

The Challenge

The client's leadership needed to move beyond ad-hoc operational security and establish a formal, measurable cybersecurity program. With critical ICT operations outsourced, they lacked centralized visibility into their true risk posture. The key drivers for a comprehensive maturity assessment were:

  • The absence of a formalized risk register and treatment process, with risk decisions being made reactively.

  • A lack of a documented procedure for vulnerability remediation, accountability, and timelines, despite the use of scanning tools.

  • Inconsistent asset management that relied on manually maintained spreadsheets, and ad-hoc patch management for endpoints.

  • An absence of a cybersecurity-specific supplier risk assessment process, leaving a gap in third-party governance.

  • Security awareness efforts that were not guided by a comprehensive or structured annual plan.


The AKATI Sekurity Solution

AKATI Sekurity was engaged to conduct a comprehensive Cybersecurity Maturity Assessment (CMA). This engagement was a high-level strategic review to evaluate existing cybersecurity procedures, documentation, and their implementation status. The assessment provided a clear, quantitative baseline score and a prioritized, actionable roadmap for improvement.

Strategic Gap Analysis & Baseline

The assessment immediately gave leadership a clear, data-driven view of their security posture, measured against industry best practices. Because critical ICT operations are outsourced, the maturity of the organization's ICT service provider was evaluated across five key cybersecurity domains.

Key Results:

  • Delivered a clear, quantitative baseline of the organization's cyber maturity: an overall score in the 20% - 40% range, corresponding to Level 2 (Repeatable).

  • Pinpointed Risk Management (10% - 20% Maturity) and Supply Chain Management (10% - 20% Maturity) as the highest-priority areas for improvement.

  • Identified critical gaps in procedural controls for Threat & Vulnerability Management (20% - 40% Maturity).

  • Provided a detailed, multi-domain roadmap to guide strategic planning and resource allocation.


Process & Governance Transformation

The CMA moved beyond a simple score to provide a clear, actionable plan for governance and process transformation.

Process & Governance Transformation

Scoping:        Assessed 5 key cybersecurity domains: Risk Management; Asset, Change & Configuration Management; Threat & Vulnerability Management; Supply Chain & External Dependencies; and People & Cyber Risk Culture.
Discovery:      Identified critical gaps in governance, including the absence of a formal risk register, a documented patch management policy, and a formal supplier risk process.
Prioritization: Mapped all findings into a Strategic Cybersecurity Roadmap with clear 'High' and 'Medium' priorities to guide remediation efforts.
Mobilization:   Drove strategic alignment through actionable, high-priority recommendations, including "Document a Risk Management Policy", "Establish a Formal Change Management Procedure", and "Conduct Annual Vulnerability Assessments and Penetration Testing".

Key Domain Maturity Scores

The following metrics represent the baseline cybersecurity maturity score ranges identified during the assessment. These scores provided the factual basis for the client's new strategic security initiatives.

Key Domain Maturity Scores

Domain                                     Maturity Score Range
Overall Maturity                           20% - 40% (Level 2, Repeatable)
D1: Risk Management                        10% - 20%
D2: Asset, Change & Configuration Mgmt     40% - 60%
D3: Threat & Vulnerability Mgmt            20% - 40%
D4: Supply Chain & External Dependencies   10% - 20%
D5: People & Cyber Risk Culture            10% - 20%

Conclusion

Gaining visibility into process and governance is the foundation of cyber resilience. AKATI Sekurity's engagement transformed the client's approach from reactive to proactive, empowering them to address systemic gaps with a prioritized, strategic roadmap. By providing this clear path to maturity, the client can now build a resilient and formalized security program to protect critical patient data and secure its operations.

