Security & Privacy Consulting Services 2022
Who Exceeds Expectations in This High-Performing Market?
Cybersecurity attacks are on the rise, and healthcare organizations are especially at risk. Security vulnerabilities can lead to financial penalties imposed by the HHS Office for Civil Rights (OCR), damaged organization reputations, and increased risk to patient safety and patient data. To reduce vulnerabilities, organizations often bring in outside consulting firms that specialize in enhancing security and data privacy measures in healthcare. This report examines several such firms (and one cross-industry firm) to determine who effectively assists in reducing risk, engages closely with clients, and exceeds expectations.
Clients of First Health Advisory & Impact Advisors Report Positive Experience Driven by Partnership, Expertise & Risk Reduction
Client respondents of First Health Advisory and Impact Advisors are highly satisfied and likely to recommend their firm to others. First Health Advisory, whose midsize client base is growing, is seen as a responsive and engaged partner with solid healthcare expertise; they not only identify risk but also help clients plan next steps for remediation. Of the firms in this report, First Health Advisory has the highest percentage of client respondents using their services for Internet of Medical Things (IoMT) device security. Impact Advisors is the 2022 Best in KLAS winner for security and privacy consulting services, and all respondents from the firm’s smaller client base say the firm exceeds expectations. Clients consistently report a collaborative relationship with the firm and say the consultants are high quality and well incorporated into the organization.
Clearwater & CynergisTek Improve Executive Involvement; tw-Security Clients Highlight Consistent Executive Involvement
After Clearwater’s founder, Bob Chaput, left the firm in 2018, clients reported a decline in executive involvement. However, since 2020, clients have seen the executive involvement rebound, and they now report an active, engaging partnership with the firm. The staff is seen as highly knowledgeable about healthcare security and OCR requirements. Additionally, some respondents highlight that Clearwater fosters security buy-in among organization executives by providing reports and presentations. Clients of CynergisTek—which has entered into an agreement to be acquired by Clearwater—also reported decreased executive involvement when the founder and CEO, Mac McMillan, retired in 2019. Client satisfaction improved, however, once McMillan returned to the firm in 2021. Multiple client respondents highlight the firm’s healthcare security knowledge. One organization reports dissatisfaction, saying that CynergisTek has become predictable and repetitive, thus diminishing value, and that the risk assessments are inconsistently executed. This dissatisfied organization and an additional organization say the firm doesn’t exceed expectations; they cite various reasons, including delays caused by staff turnover.
Over the past several years, tw-Security clients have reported consistent executive involvement, with some clients specifically praising high involvement from founder Tom Walsh. Most clients in this sample say the firm exceeds expectations and is readily available to offer insights. tw-Security’s client base consists mostly of small organizations. The most dissatisfied respondent—a large organization—feels the firm is better suited for small organizations, though other large organizations express satisfaction.
Intraprise Health & Meditology Don’t Consistently Surpass Client Expectations; Fortified Health Security Improves in Exceeding Expectations
Among firms in this high-performing market, Intraprise Health and Meditology Services receive the lowest overall scores. Half of the Intraprise Health respondents feel the firm does not exceed expectations, often because the assessment staff seemed inexperienced or didn’t offer guidance. A few respondents also cite staff turnover and limited staff availability. While some clients appreciate Intraprise Health’s healthcare security knowledge, a few are dissatisfied with their overall experience. Respondents report seeing specific, tangible outcomes less frequently than other firms’ clients do. The client experience for Meditology Services is inconsistent. Though the sample includes several highly satisfied clients, it also includes two that are highly dissatisfied: one longtime client feels the firm is complacent, while the other points to poor engagement with their organization’s executives. Additionally, there is mixed feedback around the firm’s staff, with some clients highlighting quality partnerships and others saying turnover has forced them to work with inexperienced people. These complaints, in addition to one report of poor executive involvement that resulted in a lower-quality deliverable, are why respondents score Meditology’s ability to exceed expectations below average.
In the last year, the percent of Fortified Health Security clients who report the firm exceeds expectations has increased by about 20 percentage points. The majority of respondents are satisfied, highlighting responsive partnerships and strong healthcare security expertise. Several respondents mention helpful round-table discussions hosted by the firm and additional client outreach. While Fortified Health Security has improved overall in exceeding client expectations, some respondents still say the firm merely meets expectations. A few dissatisfied clients report various challenges, like missed deadlines.
Managed Services
A Look at Managed Services: Clients of Fortified Health Security Report Positive Experience; CynergisTek Client Experience Varies
In addition to consulting services, Fortified Health Security and CynergisTek both offer managed services, where the firm is more directly involved in managing part or all of a client organization’s security program. Most interviewed clients are highly satisfied with Fortified Health Security, the 2022 Best in KLAS winner for security and privacy managed services, and would buy the services again; all agree that the firm avoids nickel-and-diming them. The resources are seen as responsive, skilled, and able to drive outcomes and reduce risk. Most CynergisTek clients report satisfaction, saying the firm is responsive and invests in learning about their organization’s security environment. Two clients are very dissatisfied with their engagements; one says there were additional charges for things they needed, while the other cites delays and says they feel ignored by the firm.
Bottom Lines
Firms ordered alphabetically
Clearwater: Validated across a wide range of organization sizes. Background is in risk management. Offers a software tool in addition to several services, of which risk assessments are the most commonly used by interviewed clients. Majority of interviewed clients are very satisfied, and many are large organizations. Acquired managed services firm TECH LOCK in July 2022.
“Clearwater does a great job. We think of them as a partner. Clearwater has done a great job with executive involvement; the firm’s executives have been heavily engaged with us. Even with the transition of people, Clearwater has continued to work with us. They have been wonderful to work with. I don’t know how Clearwater keeps up with all of us. They have always executed everything we have asked for, even when we wanted more and they had to step away to evaluate things. But Clearwater has always come back with a great time frame and a great effort to make our requests happen.” —Manager
“I think a bit of our disappointment with Clearwater is pretty common for feelings about vendors and firms in general. The services are the most amazing thing when they are being sold, but then after the fact, there is the challenge of whether we can get ahold of somebody. Clearwater isn’t any different than any of their peers; I would say Clearwater is actually better. But, as is common, there are a few challenges, so nothing is out of the norm.” —Manager
CynergisTek: In May 2022, firm entered into agreement to be acquired by Clearwater. Offers a range of strategic and technical engagements, and almost all interviewed clients report using firm for risk assessments. Clients are mostly midsize organizations.
“The executives made themselves available for us. I really was impressed with the people I interacted with. The firm was very knowledgeable, helpful, friendly, and good to work with. They executed very well. The report they gave us was clear enough to show us that we had a risk in a certain area. We needed to make certain changes. There was no ambiguity, so we knew what we needed to do. The firm spoke plain English. They weren’t talking over our heads, and I would recommend the firm for that alone.” —Director
“The firm’s risk assessment is a little rocky. They could execute a little better on that. The line of questioning is inconsistent in the level of detail for the risk assessment. . . . I would like the consultants to take more risks with their answers on their advisory services. Sometimes, the answers are very noncommittal. If the consultants were able to give more specific guidance and not be so risk averse in their recommendations, that would be helpful.” —CIO
First Health Advisory: Offers managed services that are not yet measured by KLAS. Most common service used by respondents is IoMT device assessments, followed by security program assessments/development. Clients are mostly midsize organizations.
“First Health Advisory Solutions did a tremendous job in helping us determine not only the vulnerabilities but the process to remediate those vulnerabilities, and they were always available for follow-up. Everything that was required for the engagement was met. We did have some instances where we had to reach out outside of the normally scheduled hours, but First Health Advisory Solutions was always quick to respond. They were able to lead and get us to focus on the medical side. They offered a different perspective and experience that we couldn’t just Google. First Health Advisory Solutions has a great understanding of the vulnerabilities and the threats from the IoMT. Being ahead of the game and having that level of expertise with some of the products has definitely helped us a lot.” —Manager
“The project took a lot of coordination. It is hard for an organization like First Health Advisory Solutions to come in and provide program management when they don’t know all the players and the politics. The project certainly wasn’t hands off for me and my employed staff. We had to do a fair amount of work to get everybody to the table and actually have a rational conversation about agreeing to medical device standards. Once we did, the firm’s subject matter expert really helped us.” —CIO
Fortified Health Security: Validated for a range of strategic and technical engagements. Clients report the highest number of penetration tests and social engineering/phishing projects of any firm in the data sample. 2022 Best in KLAS winner for security and privacy managed services.
“Fortified Health Security has been absolutely awesome to work with. We have round-table discussions with the firm and their other customer partners frequently. We aren’t stepping into a sales meeting; we are all peers in the same industry. We get to sit and talk about things that are wrong in IT, and Fortified Health Security coordinates things for us. Fortified Health Security executives are also involved in the discussions. Our experience with Fortified Health Security is unlike any other experience I have had with a firm.” —Analyst
“There have been a few times when Fortified Health Security has been very slow with their deliverables. A lot of the audits the firm does with us are required by the end of the year. There was an audit that took longer than planned, and that could have gotten us into trouble. The firm is good when we can get them involved and engaged, but there are key dates that they miss.” —Director
Guidehouse (limited data): Cross-industry firm with services that go beyond security consulting. The limited number of respondents all report high levels of execution. Some clients say the staff is knowledgeable and capable of managing complex projects; a couple say the firm can be inflexible. All interviewed clients are payers.
“Guidehouse definitely knows their business. All parties involved in the engagement understand what needs to be done, and Guidehouse definitely works with us to try to get everyone what they need. They know what they need to do, and they are very good at it. I have worked with several different firms before, and Guidehouse’s expertise and knowledge make them one of the best firms I have worked with. Occasionally, I would reach out to them out of the blue and just ask for their guidance on something, and they were always very helpful.” —Director
“I would like it if Guidehouse were a little more open. They are very black and white, and interpretation is always difficult for the security area. The vendor could also be more collaborative. Guidehouse doesn’t really strategize with us. They just advise us.” —Security officer
Impact Advisors: 2022 Best in KLAS winner for security and privacy consulting services. Outside of security consulting, firm is most often known for wide range of healthcare consulting services. Clients report consistent satisfaction with security offerings. Firm is most often used by respondents for risk assessments, followed by virtual/interim CISO services and HIPAA privacy assessments.
“The key about Impact Advisors is that they are one of the few organizations we have worked with that aren’t constantly trying to upsell services. Impact Advisors comes in and tends to focus on staying within the lane of understanding the culture of the organization and our financial risks. We trust that their executive-level engagements won’t always result in an ongoing laundry list of requests for additional hours like we have experienced with other firms. The level of expertise and confidence that Impact Advisors has makes it so that they don’t have to upsell themselves. Impact Advisors comes across as a partner. I don’t have to be on guard; they are a trusted partner.” —VP
“Impact Advisors provided valuable information, but we asked very specific questions about how we should protect our network and servers. We wanted to understand where we should prioritize our efforts. Impact Advisors didn’t address our questions exactly the way we expected or wanted Impact Advisors to. They were not as spot on as they usually are. In Impact Advisors’ defense, we had a good conversation about the issue, and they offered to adapt and follow up. They did some of that, but we pursued what we wanted elsewhere rather than elongate the engagement with Impact Advisors. I have used them multiple times over the years and have been very satisfied. I think this engagement was a bit of an anomaly rather than a trend. I would use Impact Advisors again. For this engagement, we didn’t communicate as well as we could have on either side.” —VP
Intraprise Health: Almost all client respondents are midsize organizations. Most commonly used by respondents for risk assessments, and clients report using the firm for fewer types of engagements than most other client bases.
“Intraprise Health has in-depth healthcare knowledge that is typically in the hospital provider space. The vendor knows exactly what to check. They have several clients that do the same thing in the same space. The vendor’s visibility and exposure to third-party vendors are very helpful.” —Director
“Some of Intraprise Health’s new people don’t understand some of our operations. I think they are less experienced. For us to keep coming back, Intraprise Health would have to prove to us that they have experienced assessors. When we first chose the firm years ago, we were very impressed with the people that were working on our accounts. We now have an understanding of more aspects of the work we do, but we need people who are working with us and giving us consulting and guidance rather than somebody who is just reading something and checking off the box because they gave an answer.” —VP
Meditology Services: Long-standing firm in the industry. Validated for all types of projects measured in this report, with all respondents using firm for risk assessments. Some misses in execution have caused inconsistent client experience. Clients vary widely in size, though most are large organizations.
“The group was a professional unit, but they made us feel like family. That was awesome. One of the things I loved the most about Meditology Services was that one of their leaders commanded presence because of their expertise. That is not always easy to do. Across the board, they had a diverse group. Our account manager was just insanely awesome and smart and was a perfect professional. Meditology Services hires experts. In a world where it is hard to find experts in this space, Meditology Services hires them. We are always going to get someone that is good. They partner well. It is important for us to form a relationship, and all of Meditology Services’ consultants figured out a way to fit in well. That is important to me.” —CIO
“The main disadvantage of being a long-term client with Meditology Services is that they are complacent. They conduct the assessment and make assumptions that may not be completely accurate, and we must make extra effort to ensure that we get the right information to them, especially if things have changed. At times, the assessment process doesn’t equate to an optimal work product. Meditology Services should come to each year’s assessment fresh and ready to ask the hard questions that need to be asked. The firm also needs to ask follow-up questions to validate answers and evidence requests. The firm doesn’t take the scope and coverage into account for some aspects of the assessment. For example, Meditology Services interviews our IT people and asks whether we have an antivirus installed. If the person says yes, the firm doesn’t follow up and ask about the coverage or whether the antivirus is on every device. The results of the assessment can be misleading.” —Manager
tw-Security: Clients highly likely to recommend firm to others. Clients are mostly small organizations, and majority of respondents use firm for risk assessments. More than half also use firm for HIPAA privacy assessments and security program assessment/development.
“tw-Security is outstanding in what they do. The service is very clear and detailed. tw-Security has become a part of our organization. Tom Walsh and his team do a very thorough job of assessing and also understanding our needs. Tom Walsh knows what to focus on, and that gives us knowledge and security in the practices that we are affiliating with. The tw-Security team explains things at a level that can be understood by office managers that typically don’t have their fingers in IS and IT. tw-Security makes sure that the transfer of information is secure. tw-Security is really good at sending out alerts to us that we can pass on to our practices. We pretty much got things down to a smooth transition of an action plan at the very end.” —Manager
“I would recommend tw-Security if the client were a smaller healthcare organization. The vendor struggles with complex health systems. It is hard for the vendor to fit what they do within a larger organization. tw-Security fits perfectly within small and midsize organizations because what the vendor does is very independent. They have all the tools and answers for smaller institutions that don’t have any answers. tw-Security does very well at writing the whole security program with governance policies. The problem is that when we dug into what was actually happening, the information didn’t match anything. tw-Security did an executive readout, but it didn’t drive outcomes as much as expected. We had to take the assessment and package it in our own way in order to drive results.” —CISO
About This Report
Each year, KLAS interviews thousands of healthcare professionals about the IT solutions and services their organizations use. For this report, interviews were conducted over the last 18 months using KLAS’ standard quantitative evaluation for healthcare services, which is composed of 9 numeric ratings questions and 3 yes/no questions, all weighted equally. Combined, the ratings for these questions make up the overall performance score, which is measured on a 100-point scale. The questions are organized into five customer experience pillars—loyalty, operations, relationship, services, and value.
To expand upon the data gathered with the standard evaluation, KLAS also asked a supplemental question specific to the consulting services market. Respondents were asked how well their firm helps reduce security risks at their organization.
Sample Sizes
Unless otherwise noted, sample sizes displayed throughout this report (e.g., n=16) represent the total number of unique client organizations interviewed for a given firm or service. However, it should be noted that to allow for the representation of differing perspectives within any one client organization, samples may include surveys from different individuals at the same organization. The table below shows the total number of unique organizations interviewed for each firm or service as well as the total number of individual respondents.
Some respondents choose not to answer particular questions, meaning the sample size for any given firm or service can change from question to question. When the number of unique organization responses for a particular question is less than 6, the score for that question is marked with an asterisk (*) or otherwise designated as “limited data.” If the sample size is less than 3, no score is shown. Note that when a firm has a low number of reporting sites, the possibility exists for KLAS scores to change significantly as new surveys are collected.
Writer
Sarah Hanson
Designer
Breanne Hunter
This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.