On June 19, the Orem, Utah-based KLAS Research released its report on cybersecurity services firms. The report, authored by Garrett Hall and Dan Czech, was the first of its kind, surveying the levels of satisfaction experienced by patient care organization leaders with external cybersecurity services companies. As KLAS noted in the release of the report on its website, “Since the beginning of 2018, healthcare security breaches have become an almost daily occurrence. While many healthcare organizations have implemented technologies to help combat both internal and external security threats, some are taking additional measures by leveraging the cybersecurity services and expertise of third-party firms. To highlight which firms can best help their clients be successful, KLAS interviewed 129 healthcare organizations about their engagements with cybersecurity firms to find out which services these firms offer and the types of outcomes they were able to achieve. Additionally, respondents were asked about their firm’s healthcare knowledge, ability to cater to customer needs, and strategic expertise.”
Hall and Czech looked at three core types of cybersecurity services: advisory services, technical services, and managed services. According to their categorization, advisory services “[i]ncludes security-program development/assessment, risk assessment, HIPAA compliance, and less frequently used services such as interim CISO services, payment card industry (PCI) testing, and security operations center (SOC) reporting.” Technical services, they said, “Includes penetration testing, design and implementation of security technologies, social engineering/phishing testing, and web application security testing.” On choosing among firms, they note that “Organizations looking for a cybersecurity services firm will need to determine which firms offer the services their organization needs. To that end, KLAS has categorized the cybersecurity firms in this report based on the breadth of their offerings.”
When it comes to managed services, they included “outsourced management of some or all security tools to a third-party firm. Outsourced security tools include those for data loss prevention (DLP), identity and access management (IAM), medical device management (MDM), security information and event management (SIEM), etc.”
The report’s authors also divided the types of firms surveyed into three categories in terms of their size and scope. “Comprehensive firms offer the widest breadth of cybersecurity services. Clients validate that these firms perform work in all three cybersecurity service areas: advisory, technical, and managed services.” Meanwhile, “Broad firms have been validated for work in two of the main cybersecurity service areas.” And “Advisory-focused firms have the narrowest focus, having been validated by clients for performing work only in cybersecurity advisory services.”
Among the results: “CynergisTek has the greatest breadth of security services and most validated engagements for advisory and technical services”; “Advisory-focused firms Clearwater Compliance and tw-Security have some of the most consistently satisfied clients, many of whom praise their firm’s cybersecurity and healthcare industry knowledge”; and “BluePrint Healthcare IT and Meditology Services clients laud their firm’s strategic guidance and tailored services.”
Recently, report co-author Dan Czech, a KLAS analyst who has been with the organization for over 13 years, spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding the report’s findings and some of the implications of those findings for the forward evolution of cybersecurity services in the healthcare industry in the next few years. Below are excerpts from that interview.
KLAS analysts will participate in the Health IT Summit in Seattle, to be held October 22-23 at the Grand Hyatt Seattle, to engage in discussions around cybersecurity issues in U.S. healthcare. More details will be made available on the event website in the coming weeks.
What was your overall objective in looking at cybersecurity services?
As with most KLAS reports, we wanted to provide some transparency over which vendors, or in this case, which firms, were providing the highest-level quality to healthcare organizations. In the 2017 broad look at cybersecurity, we asked our audience which technologies and services were most important for them. And interestingly, they said cybersecurity services and managed services. So we asked, who’s leading the industry? And who are some of the up-and-comers who aren’t yet on everybody’s radar screens?
In addition to validating what they were doing and who was performing well, a couple of the things we looked at specifically were the questions: which firms demonstrated that they had healthcare knowledge? And so we asked the extent to which healthcare industry-specific knowledge was helpful, versus understanding cybersecurity in financial services or education. And what about servicing different needs, such as a small critical-access hospital versus a large IDN? So we asked, who tailors their services to best meet your needs? And then we asked what their biggest successes or outcomes were.
Were you surprised by anything that you uncovered?