On June 19, the Orem, Utah-based KLAS Research released its report on cybersecurity services firms. The report, authored by Garrett Hall and Dan Czech, was the first of its kind, surveying the levels of satisfaction experienced by patient care organization leaders with external cybersecurity services companies. As KLAS noted in the release of the report on its website, “Since the beginning of 2018, healthcare security breaches have become an almost daily occurrence. While many healthcare organizations have implemented technologies to help combat both internal and external security threats, some are taking additional measures by leveraging the cybersecurity services and expertise of third-party firms. To highlight which firms can best help their clients be successful, KLAS interviewed 129 healthcare organizations about their engagements with cybersecurity firms to find out which services these firms offer and the types of outcomes they were able to achieve. Additionally, respondents were asked about their firm’s healthcare knowledge, ability to cater to customer needs, and strategic expertise.”
Hall and Czech looked at three core types of cybersecurity services: advisory services, technical services, and managed services. According to their categorization, advisory services “[i]ncludes security-program development/assessment, risk assessment, HIPAA compliance, and less frequently used services such as interim CISO services, payment card industry (PCI) testing, and security operations center (SOC) reporting.” With regard to technical services, they note that “Organizations looking for a cybersecurity services firm will need to determine which firms offer the services their organization needs. To that end, KLAS has categorized the cybersecurity firms in this report based on the breadth of their offerings.” That, they said, “Includes penetration testing, design and implementation of security technologies, social engineering/phishing testing, and web application security testing.”
When it comes to managed services, they included “outsourced management of some or all security tools to a third-party firm. Outsourced security tools include those for data loss prevention (DLP), identity and access management (IAM), medical device management (MDM), security information and event management (SIEM), etc.”
The report’s authors also divided the types of firms surveyed into three categories in terms of their size and scope. “Comprehensive firms offer the widest breadth of cybersecurity services. Clients validate that these firms perform work in all three cybersecurity service areas: advisory, technical, and managed services.” Meanwhile, “Broad firms have been validated for work in two of the main cybersecurity service areas.” And “Advisory-focused firms have the narrowest focus, having been validated by clients for performing work only in cybersecurity advisory services.”
Among the results: “CynergisTek has the greatest breadth of security services and most validated engagements for advisory and technical services”; “Advisory-focused firms Clearwater Compliance and tw-Security have some of the most consistently satisfied clients, many of whom praise their firm’s cybersecurity and healthcare industry knowledge”; and “BluePrint Healthcare IT and Meditology Services clients laud their firm’s strategic guidance and tailored services.”
Recently, report co-author Dan Czech, a KLAS analyst who has been with the organization for over 13 years, spoke with Healthcare Informatics Editor-in-Chief Mark Hagland regarding the report’s findings and some of the implications of those findings for the forward evolution of cybersecurity services in the healthcare industry in the next few years. Below are excerpts from that interview.
KLAS analysts will participate in the Health IT Summit in Seattle, to be held October 22-23 at the Grand Hyatt Seattle, to engage in discussions around cybersecurity issues in U.S. healthcare. More details will be made available on the event website in the coming weeks.
What was your overall objective in looking at cybersecurity services?
As with most KLAS reports, we wanted to provide some transparency over which vendors, or in this case, which firms, were providing the highest-level quality to healthcare organizations. In the 2017 broad look at cybersecurity, we asked our audience what some of the technologies and services were most important for them? And interestingly, they said cybersecurity services and managed services. So we asked, who’s leading the industry? And who are some of the up-and-comers who aren’t yet on everybody’s radar screens?
In addition to validating what they were doing and who was performing well, a couple of the things we looked at specifically was the question, which firms demonstrated that they had healthcare knowledge? And so we asked the extent to which healthcare industry-specific knowledge was helpful, versus understanding cybersecurity in financial services or education. And what about servicing different needs, such as a small critical-access hospital versus a large IDN. So we asked, who tailors their services to best meet your needs? And then we asked what their biggest successes or outcomes were.
Were you surprised by anything that you uncovered?
That’s an interesting question. Yes, I was surprised by a couple of things. We didn’t find the direct correlation we had somewhat expected to find, between being healthcare industry-specific, and having greater healthcare knowledge. There were some healthcare-specific firms, including Leidos and Impact, that didn’t demonstrate what people considered a high level of healthcare knowledge; in contrast, a few firms, including PWC, cross-industry firms, did demonstrate deep healthcare industry knowledge. Also, the size and breadth of a firm wasn’t always a key deciding factor for patient care organizations. Some organizations may not need a Deloitte or CynergisTek or Optiv—sometimes they just want training for their folks and risk assessment, and that might be some of the extent of what they want. And there is a high level of satisfaction when that happens. Most of the firms focused around advisory work—all were above 93 on a scale of 100.
Can you comment a bit on your categorization of firms into “comprehensive,” “broad,” and “advisory services-focused”?
We tried to provide a little clarity and transparency for the provider community, to give them an idea—if they’re looking for a one-stop-shop firm that can do advisory work for them and also have a penetration team that can do work onsite, and also will managed services for some of your software, that was how we defined a comprehensive firm. It doesn’t necessarily mean in all cases that provider organizations use them across all three dimensions.
Meanwhile, broad firms will do two of those three areas, or at least we haven’t validated all three. Often, they’ll do risk assessment and advisory type work, and advisory services. So for example, an organization might contract with a firm to do a pen (penetration test), so they’re doing a test with NIST or HITRUST, and they’re presenting to the organization the results of the risk assessment and the result of the pen test, and here’s an advisory report, with tiers of actions you can take.
And then some firms just focus on advisory work, such as security program assessment and development, risk assessments and HIPAA compliance work, and other advisory type work, in some cases, that’s interim or virtual CISO services that firms might offer.
How much does healthcare industry-specific knowledge matter, in your view?
That’s a great question. I think it matters quite a bit, and here’s why: patient care organizations have accepted the fact that the healthcare industry is behind other industries on the security side. In some cases, they will want to leverage cross-industry vendors. But we have challenges some other industries don’t have, such as HIPAA compliance; and also somewhat-opposing needs, to tighten down security, but you’ve also got end-user physicians and clinicians who want to be able to share data readily. And we’re super-sensitive to physician burnout, and we don’t want security burden to increase physician burnout. So firms that are able to leverage what they know about the healthcare industry and some of its unique characteristics, and marry that up with good cybersecurity practices, and can take the right message to the c-suite and board, that is sometimes a real differentiator for firms.
What challenges and pitfalls, face patient care organization leaders, as they scope out potential services providers?
The size of the firms, the amount of work they do across multiple industries, those don’t necessary correlate to a high level of customer experience. Some of the smaller and most targeted firms achieve very high satisfaction. That’s why we asked the question about tailoring services to meet your needs—as a healthcare organization, you want to be very specific about your expected outcomes, what you expect a firm to do and not do, and then hold them accountable around your expectations. That’s where a few firms have had hiccups, where they’re not sure of their expectations upfront and don’t end up holding their services firms fully accountable.
A couple of other things: you need to have a clear strategy around what you’re going to do with the results around advisory work and risk assessments in particular. We’ve seen a couple of different strategies organizations have: they’ll contract year after year with the same services firm. Others will contract yearly but with different firms every year, to get fresh or unique eyes on the situation. Others will contract every few years and will alternate contracted years with doing their own risk assessments and penetration tests. Others feel they can do it all internally.
So you need to know what kind of strategy you’re going to build around. Do you want to build a years-long relationship? Or just have a good single experience? The other piece of guidance I’d give is around expectations of the end product of an advisory engagement, especially a risk assessment. Oftentimes, security firms produce a relatively canned report that they’ll produce that lists out the findings of their risk assessment; in many cases, it will prioritize action items that can be taken. And if you’re in a position where you don’t have the type of board engagement you’d like, there are some firms that are very good at taking the results they’ve come up with, and partnering with the internal healthcare IT security leader, and pairing up with them and presenting to the board to advocate for actions. Boards are often very conservative in terms of spending, but the last thing they want is an OCR investigation or a public outing of a breach in the newspapers, etc.
How do you see this broad area of cybersecurity services evolving over the next few years?
Good question. I think one area that we’re going to see evolving is, I think the industry is starting to coalesce around a few frameworks as far as their annual risk assessment, the predominant one being the NIST framework. A few firms position themselves as HITRUST-qualified assessors. I think the industry will start to coalesce around those two, and some of the other security frameworks, your ISO, etc., might disappear over time. I think the industry will coalesce around the NIST and HITRUST frameworks. My feeling is that we’re going to see more and more managed services engagements going forward. They’re going to engage a managed services firm for a variety of reasons—to outsource their SOC; to manage a certain piece of software, their SIM system, for example. So smaller organizations that may not have the security staff at their organization and can’t afford the resources they need, I think more and more will outsource their needs.
Do you see consolidation among these services providers?
We haven’t seen a lot over the past 12-18 months; there have been a few acquisitions. We’ve seen some on the security software side. For example, CynergisTek was acquired by another, firm but maintained its name. Where I see the potential acquisitions happening is, you may see some of the big firms like a PWC, Deloitte, EY, etc., acquiring some healthcare industry-specific firms.