Their Claim to Fame – So-Called HIPAA-Compliance Experts and Tools

Andrew Hicks, Managing Principal, Coalfire

Have you noticed how many vendors and software solutions claim they can make you HIPAA-compliant? At the end of the day that is simply not possible, because only you can make your organization HIPAA-compliant: a vendor can assess, advise and supply tooling, but the covered entity or business associate owns the controls and the risk. Here is a list of "red flags" I typically see from vendors, contractors and the like.

1. They don't spell HIPAA right…I see HIPPA and HIPPO, and even worse.

2. They don't perform testing to ensure that controls are operating effectively.

3. They use the Security Rule as a checklist instead of interpreting each implementation specification to determine what controls should be in place. For instance, many "checklist" HIPAA assessors won't look at firewall rules because HIPAA doesn't mention firewalls by name, even though firewall configuration is one of the main ways an organization actually meets the access control and transmission security specifications.

4. They say they will "certify" your environment or use "bona fide" methodologies, when in fact, there is no such thing.

5. Pricing does matter. Assessors that low-ball on price are probably just doing a gap assessment (no detailed testing) or don't know what they’re doing and those that high-ball on price (e.g., CPA firms) are taking you for a ride.

6. They staff the engagement with PCI QSAs or IT security generalists who have no healthcare or HIPAA experience. Look for credentials such as HCISPP, certified HITRUST CSF assessor, CIPP, etc.

7. They say that a SOC assessment is equivalent to a HIPAA assessment. This is completely untrue; a SOC report covers the controls the service organization chose to put in scope, not the HIPAA standards and implementation specifications.

8. They think a risk assessment and a compliance assessment are the same thing. They aren't: a risk assessment identifies threats and vulnerabilities to ePHI and rates their likelihood and impact, while a compliance assessment tests whether the required controls are in place and operating.

9. They can't explain their methodology for performing a HIPAA assessment. Back to #3, they should be able to walk you through their methodology and identify exactly how they will test against every standard and implementation specification.

10. They are not well versed on the differences between HIPAA, HITECH, and the Omnibus Rule. If they aren't, they won't be offering you an assessment approach customized for your organization, hence the term "checklist" auditor.

Lesson learned? Take the time to conduct your due diligence before you engage a vendor or contractor, because you get what you pay for.

Andrew Hicks

