
KLAS: Security consulting firms step up as threats rise

Clients of several top security consulting firms reported high satisfaction rates amid an uptick in cyberthreats across the healthcare sector.

KLAS Research highlighted healthcare security consulting firms that are providing key security and privacy services to healthcare organizations in a November 2024 report. The report showed that security and privacy consulting firms are generally receiving high client satisfaction rates as data breaches and cyberattacks continue to trouble healthcare organizations.

KLAS conducted its research by interviewing healthcare professionals about IT solutions and services over the past 18 months. Researchers used KLAS' standard quantitative evaluation to measure overall performance on a 100-point scale.

The report focused largely on six firms -- Tw-Security, Meditology Services, First Health Advisory, Intraprise Health, Fortified Health Security and Clearwater -- that offer a variety of services such as security risk and HIPAA privacy assessments.

Most of the firms analyzed in the report received overall performance scores above 92, showing that respondents were largely satisfied with the services they received from their security and privacy consulting firm of choice.

For example, Tw-Security, which achieved a 97.5 and was a 2024 Best in KLAS winner, received praise from respondents for its ability to explain technical topics to nontechnical staff. Respondents also highlighted Tw-Security's ability to work with clinics and small hospitals. Two-thirds of respondents from small hospitals and clinics said that they saw the firm as a long-term strategic partner rather than a one-time service provider.

Mid-sized and large hospitals reported high satisfaction rates with Meditology Services. Clients said that the firm provides objective insights and offers its services at a reasonable cost. What's more, Meditology Services had the most validated HITRUST assessments among the firms studied in this KLAS report.

Most clients reported using the firms identified in the report for security risk assessments and HIPAA privacy assessments, but some respondents also took advantage of other offerings, such as security program development, virtual chief information security officer offerings and medical device security assessments.

For example, First Health Advisory stood out for offering the highest percentage of validated assessments for medical device security. Clients reported high levels of satisfaction with the firm's biomedical device expertise.

Clients of Intraprise Health reported mostly using the firm for security risk and HIPAA privacy assessments and pointed out the firm's expertise in HITRUST assessments.

KLAS identified Fortified Health Security and Clearwater as the two firms that do the broadest work per client and are validated across all security and privacy consulting offerings identified in the report. Fortified Health Security clients were pleased with the ease and convenience of the firm's Central Command platform.

Meanwhile, Clearwater clients appreciated the firm's regulatory compliance guidance and professionalism, as well as its IRM|Analysis tool that identifies internal risks.

Considering the high levels of satisfaction reported across all the firms, two-thirds of organizations currently engaging with these services said that they are likely to expand use of managed services. Specifically, respondents reported looking to outsource third-party risk management and security operations center monitoring.

"The firms that organizations are considering for security managed services vary," KLAS noted. "While current clients of security managed services emphasize the importance of working with a healthcare-focused firm, some prospective clients are considering non-healthcare companies (e.g., CrowdStrike, Mandiant) and the Big 4 firms as their organizations' security needs continue to evolve."

KLAS did not include the "Big 4" firms -- Deloitte, EY, KPMG and PwC -- in its 2024 report due to insufficient client feedback. However, the performance of these firms was validated in a 2021 KLAS report on the same topic.

When it comes to managed services, respondents stressed the importance of obtaining healthcare-specific security expertise.

Overall, respondents reported high satisfaction rates throughout their engagements with top security and privacy consulting firms as organizations work to bolster their security programs during a period of increased cyberthreat activity.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
