What You Should Know:
– Cybersecurity attacks are on the rise, and healthcare organizations are especially at risk. Security vulnerabilities can lead to financial penalties imposed by OCR, damaged organization reputations, and the increased risk of patient safety and data being compromised.
– A new report by KLAS examines several such firms (and one cross-industry firm) to determine who effectively assists in reducing risk, engages closely with clients, and exceeds expectations.
Using Data-Driven Models to Improve Cybersecurity in 2022
KLAS data and reports are a compilation of research gathered from websites, healthcare industry reports, interviews with healthcare, payer, and employer organization executives and managers, and interviews with vendor and consultant organizations.
In its latest report, KLAS examines cybersecurity trends in 2022. The main findings and the relevant firms are mentioned as follows:
Clearwater: Validated across a wide range of organization sizes, with a background in risk management. It offers a software tool in addition to several services, of which risk assessments are the most commonly used by interviewed clients. Majority of interviewed clients are very satisfied, and many are large organizations. “Clearwater does a great job. We think of them as a partner. Clearwater has done a great job with executive involvement; the firm’s executives have been heavily engaged with us. Even with the transition of people, Clearwater has continued to work with us. They have been wonderful to work with. I don’t know how Clearwater keeps up with all of us. They have always executed everything we have asked for, even when we wanted more and they had to step away to evaluate things. But Clearwater has always come back with a great time frame and a great effort to make our requests happen.” —Manager
CynergisTek: In May 2022, the firm entered into agreement to be acquired by Clearwater. It offers a range of strategic and technical engagements, and almost all interviewed clients report using firm for risk assessments. Clients are mostly midsize organizations. “The executives made themselves available for us. I really was impressed with the people I interacted with. The firm was very knowledgeable, helpful, friendly, and good to work with. They executed very well. The report they gave us was clear enough to show us that we had a risk in a certain area. We needed to make certain changes. There was no ambiguity, so we knew what we needed to do. The firm spoke plain English. They weren’t talking over our heads, and I would recommend the firm for that alone.” —Director
First Health Advisory: The firm offers managed services that are not yet measured by KLAS, of which the most common service used by respondents is IoMT device assessments, followed by security program assessments/development. Clients are mostly midsize organizations. “First Health Advisory Solutions did a tremendous job in helping us determine not only the vulnerabilities but the process to remediate those vulnerabilities, and they were always available for follow-up. Everything that was required for the engagement was met. We did have some instances where we had to reach out outside of the normally scheduled hours, but First Health Advisory Solutions was always quick to respond. They were able to lead and get us to focus on the medical side. They offered a different perspective and experience that we couldn’t just Google. First Health Advisory Solutions has a great understanding of the vulnerabilities and the threats from the IoMT. Being ahead of the game and having that level of expertise with some of the products has definitely helped us a lot.” —Manager
Fortified Health Security: Having been validated for a range of strategic and technical engagements, clients report highest number of penetration tests and social engineering/phishing projects of any other firm in data sample. In 2022, Fortified Health Security was the Best in KLAS winner for security and privacy managed services. “Fortified Health Security has been absolutely awesome to work with. We have round-table discussions with the firm and their other customer partners frequently. We aren’t stepping into a sales meeting; we are all peers in the same industry. We get to sit and talk about things that are wrong in IT, and Fortified Health Security coordinates things for us. Fortified Health Security executives are also involved in the discussions. Our experience with Fortified Health Security is unlike any other experience I have had with a firm.” —Analyst
Guidehouse: Guidehouse is a cross-industry firm with services that go beyond security consulting. The limited number of respondents all report high levels of execution. Some clients say staff is knowledgeable and capable of managing complex projects; a couple say firm can be inflexible. All interviewed clients are payers. “Guidehouse definitely knows their business. All parties involved in the engagement understand what needs to be done, and Guidehouse definitely works with us to try to get everyone what they need. They know what they need to do, and they are very good at it. I have worked with several different firms before, and Guidehouse’s expertise and knowledge make them one of the best firms I have worked with. Occasionally, I would reach out to them out of the blue and just ask for their guidance on something, and they were always very helpful.” —Director
Impact Advisors: Having been awarded the 2022 Best in KLAS winner for security and privacy consulting services, Impact Advisors is a firm most often known for wide range of healthcare consulting services. Clients report consistent satisfaction with security offerings. Firm is most often used by respondents for risk assessments, followed by virtual/interim CISO services and HIPAA privacy assessments. “The key about Impact Advisors is that they are one of the few organizations we have worked with that aren’t constantly trying to upsell services. Impact Advisors comes in and tends to focus on staying within the lane of understanding the culture of the organization and our financial risks. We trust that their executive-level engagements won’t always result in an ongoing laundry list of requests for additional hours like we have experienced with other firms. The level of expertise and confidence that Impact Advisors has makes it so that they don’t have to upsell themselves. Impact Advisors comes across as a partner. I don’t have to be on guard; they are a trusted partner.” —VP
Intraprise Health: Almost all client respondents are midsize organizations. Most commonly used by respondents for risk assessments, and clients report using the firm for fewer types of engagements than most other client bases.“Intraprise Health has in-depth healthcare knowledge that is typically in the hospital provider space. The vendor knows exactly what to check. They have several clients that do the same thing in the same space. The vendor’s visibility and exposure to third-party vendors are very helpful.” —Director
Meditology Services: This one is a long-standing firm in the industry that has been validated for all types of projects measured in this report, with all respondents using firm for risk assessments. Some misses in execution have caused inconsistent client experience. Clients vary widely in size, though most are large organizations.“The group was a professional unit, but they made us feel like family. That was awesome. One of the things I loved the most about Meditology Services was that one of their leaders commanded presence because of their expertise. That is not always easy to do. Across the board, they had a diverse group. Our account manager was just insanely awesome and smart and was a perfect professional. Meditology Services hires experts. In a world where it is hard to find experts in this space, Meditology Services hires them. We are always going to get someone that is good. They partner well. It is important for us to form a relationship, and all of Meditology Services’ consultants figured out a way to fit in well. That is important to me.” —CIO
Tw-Security: The report found that clients are highly likely to recommend this firm to others. Clients are mostly small organizations, and majority of respondents use firm for risk assessments. More than half also use firm for HIPAA privacy assessments and security program assessment/development. “tw-Security is outstanding in what they do. The service is very clear and detailed. tw-Security has become a part of our organization. Tom Walsh and his team do a very thorough job of assessing and also understanding our needs. Tom Walsh knows what to focus on, and that gives us knowledge and security in the practices that we are affiliating with. The tw-Security team explains things at a level that can be understood by office managers that typically don’t have their fingers in IS and IT. tw-Security makes sure that the transfer of information is secure. tw-Security is really good at sending out alerts to us that we can pass on to our practices. We pretty much got things down to a smooth transition of an action plan at the very end.” —Manager