Codoxo tackles compliance on a tight budget

Faced with compliance requirements and a brand new cybersecurity program, Codoxo Head of Security Witt Cunningham needed to become compliant at a price point suitable to their business size and available resources. Codoxo, formerly Fraudscope, recognized the breadth of JupiterOne and became healthcare compliant, and built their future security program components using the JupiterOne platform.

Codoxo achieved improved security program maturity, cyber asset visibility, and security governance at a fraction of the cost of traditional security tooling. Before using JupiterOne, Codoxo took six months to become SOC 2 compliant. By contrast, they achieved a rigorous healthcare certification in two months using JupiterOne.

Over half of the analysis and evidence required by the healthcare certification were gathered automatically and continuously with the JupiterOne platform. Codoxo has since expanded its overall cyber security program by leveraging the JupiterOne platform. What started as primarily a compliance use case has now expanded into architecture, cloud management, and even developer-centric use cases.

Stopping Healthcare Fraud Cold

Codoxo is an Atlanta, Georgia-based insurance and healthcare startup launched from a Ph.D. project at Georgia Tech. In 2017, Founder and CEO Musheer Ahmed built the AI-based SaaS platform to detect fraud, waste, and abuse within medical claims. Codoxo gives organizations the tools to quickly identify suspicious claims, collect actionable information, and collaborate across the organization to open, investigate, and resolve cases quickly. Since Codoxo sells to insurance and healthcare providers, the head of security, Witt Cunningham, must ensure their customers’ data compliance and privacy. As you might expect, this was not a straightforward task.

Compliance Isn’t Cheap

Witt joined Codoxo in July 2018, just one year after the business was established. Like any freshly hired security leader, Witt needed to build out the Codoxo security program starting from a base of essentially zero. It took Witt and the Codoxo team approximately six months to tackle their first major project, a SOC 2 compliance audit.

The project was expensive, resource-intensive, and difficult to manage, delaying other security requirements because of the lack of resources. Half of security is knowing what’s in your environment and knowing what you have to secure. Witt determined that it’s difficult and expensive to manually audit the security and technology infrastructure continuously for security governance needs. Cyber asset visibility is critical to the success of any security initiative. Understanding the correlations between the cyber assets is what makes it possible to identify real risk. Unfortunately, Witt and the Codoxo team were unable to cover the breadth of knowledge or dedicate the time required to achieve the goals of compliance, security visibility, and governance.

Traditional asset management tools and Governance, Risk, and Compliance (GRC) solutions are expensive and unwieldy. A huge GRC platform would have been overwhelming to the Codoxo organization, both price, and operational overhead. And to top it all off, they needed to tackle an ever-larger certification–healthcare compliance.

Enter JupiterOne

While facing another long and arduous certification process, Witt’s luck turned when he met JupiterOne CEO Erkang Zheng at a conference. The Founder’s pitch and demo impressed Wit enough to give it a shot.

“I couldn’t believe all of the integrations and data pieces that were incorporated into JupiterOne that I previously had to find in a makeshift way. There are tons of separate products to review to get just one healthcare compliance control locked in. Based on JupiterOne’s technical capabilities, I formulated my results based on an easy-to-use query language. I was impressed with how it flowed, how it met our needs, and the fact that it was affordable.”

Today, Witt uses JupiterOne as a modern GRC solution. JupiterOne meets the needs of Codoxo at a price point that is acceptable to the leadership of the early-stage startup. In addition, Witt finds significant value in the policies and procedures components of the JupiterOne solution.

“I’ve done policies and procedures nine times in the last two years, and they always read like a mandated legal form with no real use case. It’s a company policy that has to be in place. What J1 has done is create something that is SaaS-oriented and easy to consume and use.”

The core pieces of the Codoxo security policies and procedures are based upon the JupiterOne suggested policies.

JupiterOne Grows for the Future

With JupiterOne in his corner, Witt fast-tracked healthcare compliance within two months. The key for speed was that over 50 percent of all controls assessments were based on evidence pulled from JupiterOne. Codoxo had over 500 controls in their first pass. The ease of integration for just one infrastructure system (AWS) gave Witt insight into most of the controls needed for healthcare compliance. Witt could quickly query cyber assets, pull graph views, and provide correlations that he could give to his auditing team. Within two months, based mainly on the JupiterOne platform, Codoxo achieved healthcare certification. Without JupiterOne, this process would have taken at least 8-10 months using an enterprise-grade GRC and asset management system that Codoxo could not afford, only to get something usable to submit for complete healthcare compliance.

Security is a never-ending journey. Witt and Codoxo continue to walk that journey as they move the maturity of their cybersecurity program forward. “Simply trying to explain to others in the company how awesome JupiterOne is, is difficult,” says Witt. Most recently, Witt added the ability to have every user in Codoxo log into JupiterOne.

Developers, security engineers, and others can now make queries against the JupiterOne cyber asset governance system. What started as a compliance use case has expanded into architecture, cloud management, and developer-centric use cases.

“This is the first product that I can actually show DevSecOps results. I can go through a DevSecOps launch, see all of the parts to the stack, are they encrypted, have they been vulnerability scanned, do they have patches, who has access to what --all from a centralized point of view. This (JupiterOne) is the best solution to meeting a DevSecOps requirement that I have seen to date.”