Security Advisory Services 2016
Which Firms Are Helping Providers Sleep at Night?

In a high-performing market, CynergisTek clients report the highest overall satisfaction. CynergisTek has the most clients who say the firm's work had a significant impact on security preparedness, and many have signed multiyear partnership agreements due to the level of trust and strategic expertise they experience. Strong relationships and executive leadership set CynergisTek apart, as do their healthcare-specific focus, experience setting up security frameworks, and strong action plans. There have been some misses when it comes to effectively communicating their message to customers. CynergisTek has the most validated engagements for security/risk assessment, security-program assessment/development, and HIPAA assessment/program development in this report; many clients report using the firm in all three areas.

In 2014, KLAS validated only a few engagements that involved developing and enhancing security programs; this year, over half of validated engagements included some aspect of this type of work. PwC and CynergisTek have by far the most validated engagements. Clients say PwC understands security frameworks, develops and implements strong strategies, has deep security knowledge and expertise, and provides good communication.

CynergisTek clients say the firm is comparatively inexpensive, consultants have deep knowledge, methodology is flexible to meet clients' needs, and executives are deeply involved. Deloitte is also used often for security-program work and excels at creating urgency and visibility around security issues.

Over three-quarters of the PwC and Deloitte engagements in this research were with health systems over 1,000 beds, which often have more mature, complex security operations. Both firms leverage worldwide, cross-industry security operations for best practices and communicate effectively with hospital executives and boards to ensure buy-in for security initiatives and programs. Thanks to this deep communication, over two-thirds of PwC clients indicate that the firm's work has had a significant impact on their organization's overall sense of security.

Multiple clients feel that the firm is not involved enough in project execution and that consultants should be more engaged in day-to-day work. Deloitte's engagements tend to be larger and can be very progressive. Both firms have capable security experts; however, Deloitte clients have experienced some challenges due to turnover and gaps in specific healthcare knowledge.

Clearwater Compliance and Dell Services have the highest percentage of work with community and midsized hospitals, respectively; such hospitals tend to focus on security assessment and compliance work. Clients say Clearwater’s niche focus on HIPAA assessment, strategy, and software allows consultants to gain deep knowledge and provide consistent methodology. Clearwater clients do report a lower impact, saying the firm is more focused on providing tools and templates than strategic guidance. Dell Services provides one of the largest managed security services in the industry.

Clients praise their tools’ ability to detect and analyze threats. Due to a lack of strategic guidance, only half say Dell had a significant impact on security preparedness; they view Dell as a tactical partner that doesn’t lead out on strategy. CynergisTek also has a large presence in this space, and providers report high satisfaction with engagements. Though feedback is limited, another vendor who serves this type of client, ClearDATA, has the lowest overall performance of all measured firms, mainly due to tool-customization challenges and a lack of client understanding.