CASE STUDY

How Coviu streamlines ISO 27001 to fuel growth on a global scale

COMPANY
Coviu
EMPLOYEES
50-100
LOCATION
New South Wales, Australia
INDUSTRY
HealthTech
VANTA CUSTOMER SINCE
2022
Demonstrating trust in the global healthcare industry

Coviu leverages Vanta to demonstrate strong security over patient data and electronic protected health information (ePHI), building the trust necessary to establish sustainable, long-term relationships in healthcare.

Finding guidance through automation and dedicated support

Through automation and visibility into its existing HIPAA controls, Coviu streamlined its path to ISO 27001, achieving certification in under half the time its other audits took.

Fueling growth into the United States and beyond

With ISO 27001 certification, Coviu’s expansion into the United States and beyond is no longer blocked by demands for proof of security and compliance from government agencies and in enterprise healthcare deals.

“Vanta has made our lives much easier and significantly improved our company’s compliance. It has made compliance much sexier internally — because instead of it being a chaotic, complex process, it’s a simple platform that we manage.”

Peter Simpson-Young
Key Accounts and Compliance Coordinator
The Company

Elevated telehealth software for healthcare providers

Coviu was founded in 2018 as an Australian government-funded research project to develop telehealth software. They produce solutions for healthcare practitioners that simplify the workflow of clinicians and administrative staff through end-to-end encrypted video and phone consultations, billing and scheduling features that integrate with practice management systems, and an apps marketplace for third-party healthcare applications, such as standardized assessments, integrated customizable forms, and more.

In their early years, Coviu’s customer base consisted primarily of solo practitioners and smaller clinics across many professions, including psychologists, speech therapists, and general physicians. Coviu then steadily expanded in the Australian market and gained traction in New Zealand and the United States. When the COVID-19 pandemic hit in early 2020, Coviu became the sole telehealth provider in Australia that was scalable enough to meet the crisis — enabling 60,000 health practitioners to continue to work through the pandemic, delivering essential healthcare services through 3.75 million telehealth consultations to an estimated 938,000 Australians under strict privacy and security requirements.

As more international customers came knocking, so did demands for HIPAA compliance. Thus, in early 2021, Coviu became HIPAA compliant in order to cater to the new markets they were in. They soon realized that HIPAA alone wasn’t enough to satisfy the stringent security requirements of their international prospects, so in 2022, they decided to pursue ISO 27001 certification.

Coviu realized early on that moving upmarket and closing more enterprise customers would be slowed by regulatory approval and risk management processes. This would become increasingly important as Coviu’s growth goals in 2023 included acquiring more enterprise and State, Local, and Education (SLED) accounts in the United States.

 

The Challenge

Building and demonstrating trust in the healthcare industry, globally

Long-term client relationships in healthcare are built on a foundation of trust, due to the extreme value that bad actors place on healthcare data. A single patient record will fetch three times as much money on the dark web as a financial record because it contains private information about an individual’s medical history. To this end, Coviu knew they had to be very careful about how they handle patient data, and in 2021, they hired external consultants to help them achieve HIPAA compliance, the standard for protecting ePHI.

They soon realized that their consultants were not a sustainable way to pursue the future standards that Coviu had in mind. After some due diligence, Coviu’s investors, who had heard about other portfolio companies using Vanta, suggested that they too switch to Vanta. This was all during the height of the COVID-19 pandemic, so time was of the essence. They knew that in order to continue to grow globally, they needed a better solution and decided to sign with Vanta.

The Solution

Finding help through Vanta’s automation and support

Through automation and dedicated support staff, Vanta provided Coviu with the help they needed. Vanta offered a platform that clearly outlined what controls Coviu needed to adhere to, and how their existing HIPAA controls overlapped with what was required for ISO 27001. Furthermore, Vanta’s policy templates and document management allowed Coviu to create, manage, and distribute the documentation that their healthcare customers in the United States required and understood. As they put it, “Vanta’s ISO 27001 solution makes it easy to understand how controls are implemented. They clearly articulate how your security controls should be implemented and even implement them for you.”

Coviu found much-needed help and direction through Vanta’s robust support staff. They leaned on Vanta’s Product Support team, in-house security and audit experts, and dedicated Customer Success Manager to help guide them up until and even after their ISO 27001. “Our Customer Success Manager is like an additional person on the Coviu team. His help and responsiveness have been invaluable.” As a result, in early 2023, Coviu successfully became ISO 27001 compliant in less than half the time their other audits took.

The Impact

Using Vanta to fuel growth in the United States — and beyond

Coviu estimates that working with Vanta has saved them six months of work. “Preparing for ISO 27001 took half the time and money as our other audits,” they remarked. “Things like managing documents, setting up integrations, and gathering evidence were all very easy.”

Vanta has made compliance simple and significantly improved Coviu’s compliance status — tasks that used to require daily updates have transformed into weekly check-ins. With the newfound time, the Coviu team has refocused efforts on expanding globally and into SLED and enterprise accounts. It has led them to discover the importance of SOC 2 attestation — which they’re currently exploring and which will help fuel their growth in the United States. Together with ISO 27001 and HIPAA, the combined standards have helped Coviu prove security and demonstrate trust — ensuring that they can fulfill their mission of acquiring new customers in the United States and beyond.


“Vanta clearly articulates how your security controls should be implemented and even implements them for you.”

Peter Simpson-Young
Key Accounts and Compliance Coordinator