PathAI earns ISO 27001 certification to help more patients receive custom, advanced treatment options.

PathAI used Aptible to design a security management program and get ISO 27001 certified months ahead of schedule.

PathAI is a digital pathology company changing the way patients are diagnosed and treated, using machine learning to help pathologists quickly and accurately recommend care. They used Aptible to design a security management program and get ISO 27001 certified months ahead of schedule.

PathAI was founded in 2016 to improve patients’ outcomes through better healthcare technology. The company partners with pathologists, providers, and researchers who use its machine learning models to find easy-to-miss patterns in images of tissue samples that can impact the diagnosis or treatment of diseases like cancer. Joe Adu, Director of IT and Information Security Officer at PathAI, is responsible for the growing startup’s internal systems, security certifications, and instilling trust in a customer base that expects the highest level of privacy and compliance.

“When I first learned about Aptible, I had never been so excited about security work.”

PathAI first partnered with Aptible in 2017. M. Jackson Wilkinson, Senior Vice President of Product, had used Aptible at his previous company, Kinsights, and quickly built out a HIPAA-based security management program on Aptible.

By 2018, Adu joined the team to begin working toward PathAI’s ISO 27001 certification. When he heard about Aptible, he was excited by the prospect of improving the process. Though he had worked to instill a strong culture of security at PathAI, obtaining an ISO 27001 felt daunting. As with any early-stage company, Adu’s resources were limited—he had no dedicated security engineers and a long list of broader technology initiatives to tackle. Working with Aptible would let Adu meet his security goals without slowing down other key projects.

PathAI used two Aptible products to meet their goals. Comply gave them a quicker path to certification, while Deploy provided an audit-ready platform for secure app and database deployment. By using Aptible, the company was able to take a top-down approach to security management, provide valuable leverage to their small security team, and streamline the annual audit process.

From Manual Research to Best-Practice Framework

In past roles, Adu had to do the work that Comply does manually. “I used to have to compare the security policies of the best companies, do months of research and writing, then consult with a lawyer,” he explains. When it comes to ISO 27001, even the most fundamental security policies take months to get right, often using up so much time and research that security teams opt for simpler certifications.

“Comply takes all of the guesswork away and standardizes so much of the process of writing a security policy. My team stays on the same page and saves a lot of work.”

Comply’s out of the box policies and procedures are written with cloud infrastructure in mind, which worked perfectly with PathAI’s modern approach to software development and deployment. Using this platform, Adu and his team moved through each stage in the ISO 27001 certification process without spending months learning about the particulars of the compliance framework or relying on a consultant to draft policies and procedures.

Adu estimates that Comply's unique combination of self-guided software, built-in policy and procedure content, and real-time support from compliance experts cut the time required to achieve certification in half.  As they neared the finish line, they were able to share their progress with prospects and customers.

Building Trust with Future Customers

PathAI needed to fulfill the requirements of several different regions and customers in an industry where privacy is non-negotiable. Once they began using Aptible, the sales team could confidently discuss future ISO 27001 certification with customers in the pipeline. They knew that Comply would give them a fully-baked framework to assess risk, build a compliant environment, and put the workflows in place to get certified by the time certain deals were expected to close.

Throughout the process, PathAI was able to give customers more transparency and show forward momentum with prospects. They were also able to simplify the enterprise sales cycle—most deals required PathAI to complete in-depth Vendor Security Assessments (VSAs), which include hundreds of security-related questions. Comply’s framework made this process easier, eventually promising to nearly eliminate it once PathAI had obtained its ISO 27001 certification.

A Rapid Rollout and Path to Compliance

While Comply helped Adu move forward with a new information security policy, PathAI also used Aptible Deploy to deploy in a compliant environment. Together the two products eliminated months of work from the process and ensured that PathAI’s security policies and procedures met ISO 27001 standards. The company was able to automatically implement security features and controls that fit in with their existing DevOps workflows.

“The speed of implementation was one of the best parts. I was confident that we were doing things right.”

With their new security management program in place, the team at PathAI was able to get their ISO 27001 certification and maintain an easily-auditable stack going forward. Adu is now taking a closer look at GDPR, and planning ahead to meet new standards as they have a growing impact on the industry. “Aptible has really simplified this project for us,” he says. “Now, I can spend more time on the other facets of my job and be ready for the next wave of compliance efforts. It’s just the beginning, but I think PathAI will continue to reap the benefits of its investment in Aptible for a very long time.”