
Cyber Security Risk Assessments in the Healthcare Field

Jack B. Quick Member Posts: 14
Hey guys. I had a quick question for other CyberSecurity consultants.

I'm trying to do some research related to the costs of CyberSecurity Risk Assessments for small medical practices, roughly the size of one to two doctors. Has anyone performed such risk assessments, or offered cyber security consulting in general, to small healthcare offices or clinics? Naturally there are a lot of variables that will change pricing, but I've been observing that common prices for security audits for small businesses range between $3,000 and $10,000. The healthcare field tends to vary from other industries, and I can't really find any solid research pertaining to common consultant fees there.

So again, does anyone have experience with this? What would you say a small medical office would be expected to pay a consulting firm for a general security audit of their environment?

Comments

  • Cyberscum Member Posts: 795
    tbh small business is a difficult sell. I stick to medium-size businesses after wasting a lot of my time with small business.

    What I have found is that most small businesses are so out of touch with the cost of IT security that you will be working for pennies.

    Last small business consult I did was for an engineering company. I had the initial contact and of course they were far from compliant with standards that should have been implemented years ago. They needed to be up to par in less than two months to keep contracts with the gov. Without divulging too much, they were storing important things in Dropbox for their storage solution. Let's just say they needed immediate help. Long story short, I sent them the pricing and they respond back.....we pay our current IT employee 14.50 an hour and are willing to pay you that for your help........my response.......have him do it then.

    I lost precious time dealing with small business.

    My advice is sit down with them and gauge what they are willing to pay. If they understand that IT security does not equate to desktop support pay then you might have a winner.

    Good luck
  • Jack B. Quick Member Posts: 14
    Cyberscum wrote: »
    tbh small business is a difficult sell. I stick to medium-size businesses after wasting a lot of my time with small business.

    What I have found is that most small businesses are so out of touch with the cost of IT security that you will be working for pennies.

    Last small business consult I did was for an engineering company. I had the initial contact and of course they were far from compliant with standards that should have been implemented years ago. They needed to be up to par in less than two months to keep contracts with the gov. Without divulging too much, they were storing important things in Dropbox for their storage solution. Let's just say they needed immediate help. Long story short, I sent them the pricing and they respond back.....we pay our current IT employee 14.50 an hour and are willing to pay you that for your help........my response.......have him do it then.

    I lost precious time dealing with small business.

    My advice is sit down with them and gauge what they are willing to pay. If they understand that IT security does not equate to desktop support pay then you might have a winner.

    Good luck

    Interesting. Would you say, in your experience, you've had success selling package deals, such as assessments and policy drafts, as opposed to simply working by the hour? Because I think to really make serious gains for a small health clinic, I'd have to assess their environment first, in order to understand what I'm working with. I'd like to avoid simply consulting for a few hours for a smaller company or clinic that doesn't really even know what it is they don't know.
  • Jack B. Quick Member Posts: 14
    Interesting. Do you happen to have experience selling packaged consulting deals, as in selling risk assessments or InfoSec policy drafts, as opposed to simply working by the hour? Because it seems to me that if I'm marketing to small medical practices, I'm not going to want to waste my time talking to them for only three or four hours, when they don't even know what they don't know.
  • paul78 Member Posts: 3,016
    Generally a waste of time to try to sell to practices that small. The value isn't really there to them. And the way that a lot of practices work - most cyber liability isn't carried with them, so they have little incentive for cyber security services. I pitched a practice that does about 2500 patients a month with about 10 doctors because a friend had referred us. But it was a waste of time. I did do a gratis 1 day network assessment because I liked the owner of the practice and I was curious about how they were set up, but we didn't charge anything for it.
  • Jack B. Quick Member Posts: 14
    So my theory is that many of them are starting to understand the seriousness of cyber security risks, but either don't have the resources to deal with it, or otherwise don't care enough. But still, most in the healthcare field are being constantly barraged with news about data breaches and HIPAA threats; doctors that I've talked to tell me that they know it's a big deal, but since they don't know anything about it, they simply try not to think about it. Selling them small assessments and InfoSec policies drafted specifically for them would allow them to check that mental box of security and compliance. If it can be done for a fee considered nominal when compared to big consulting firms, I think there's some opportunity.

    When you say it was a waste of time, was the value not there for them, or for you?
  • paul78 Member Posts: 3,016
    When you say it was a waste of time, was the value not there for them, or for you?
    Both... They would not have been good customers over the long haul. And I don't think I could have extracted more than a couple thousand in services. True that there are HIPAA and HITECH concerns. But the liability concern and the risk isn't really with the practices. First - these are mostly closed systems - so the cyber threat isn't really there. Most would have EHRs which handle the data protection. Insurance companies have oversight. And payment and billing systems are outsourced to more technically competent entities.

    And if the practice or business manager is competent, they would ideally manage the third-parties adequately and have processes to reduce any social engineered threats.

    Also - from a criminal point of view - the records at a single practice may not be worth the effort - the number of records that could be breached are likely too low.
  • Jack B. Quick Member Posts: 14
    Huh, ok...thanks for the input. If I could ping you on one last thing, would you still consider it worth it for me if all I was looking to pull out of each client was roughly 1-2k? My overhead is essentially nothing, and I've got another full time position to keep me afloat. My estimates are 1-2k per assessment; again, this would allow them to check their mental box for compliance, and all at a fee which would be nominal when compared to a bigger firm.
  • Cyberscum Member Posts: 795
    Couple of things.

    1. The only reason to do small business is to get some assessments under your belt/reputation or if you need the money badly. My exp is it's not worth the ass pain.

    2. Yes, I sell both packaged compliance tools and policy work.

    3. You are right that small business is getting worried, but from what I have found, most are downright ignoring the problem. You would be better off starting in small law firms because they know the repercussions. Small anything else know they are not compliant and don't care. I know of a few companies working directly with the gov that know they are not doing things right but are just waiting it out.....we will see....
  • Cyberscum Member Posts: 795
    How good are you with policy work?

    I'm actually looking for a good policy guy with templates for different sectors for a business prop
  • Jack B. Quick Member Posts: 14
    1. Right; this is honestly a part time gig for me, with experience gain and slowly regulated company growth my main concerns. But again, because of the lack of real overhead, I don't really need to land big clients. My main goal is to have a steady stream of small clients, and to obtain them with something tangible I can sell to them.

    3. And ya, law firms are another key market I plan to grow into. My experience right now though is in the healthcare industry, and so I was going to start there. Still, an attorney I know has recently told me that law firms would be a great sell; the 10+ lawyer sized firms are realizing that model doesn't work quite as well, and so they're starting to break off into 2-3 lawyer offices. He said it's these offices that would have a lot of need for what I'm offering.
  • Jack B. Quick Member Posts: 14
    At the moment I've worked a lot with internal policies for employers, but I don't have a lot I've built on my own. However, the goal here is to be creating pretty sizable amounts of documentation over the next month or two, so I can start putting packages together. Do you have specific industries you're looking to get into?
  • paul78 Member Posts: 3,016
    If it's just part-time and you can actually close the sale, sure - by all means - go for it. You never really know until you try. And the market in your area could be entirely different. If your overhead is really just your time and effort - only you can tell if it's worth it :)
  • Cyberscum Member Posts: 795
    Are you doing only policy work or offering compliance solutions?

    You might want to offer both and use someone like N-able to cover their asses without putting yours on the line.

    All in all, make sure you have strong MOAs and SOWs to protect you in case they get in trouble. Last thing you want is to be on the hook for a small biz that you only made 1k on.
  • Jack B. Quick Member Posts: 14
    My work is essentially going to be a packaged deal of a Security Assessment, followed by an InfoSec policy tailored for their organization. Deliverables will be the assessment and the policy, along with free consultations for any questions they had with specifics of the findings and policies. My goal is definitely to be a risk identifier for them, not a risk accepter.

    Ha, and ya, liability is something I've thought a lot about. Do you tend to rely on insurance to cover you in case of crisis, or do MOAs and SOWs do the trick for you?
  • mnashe Member Posts: 136
    sorry to interrupt but very interesting thread :)
  • Jack B. Quick Member Posts: 14
    mnashe wrote: »
    sorry to interrupt but very interesting thread :)

    We aim to please here.
  • mnashe Member Posts: 136
    We aim to please here.

    Seems like a really good side business idea. I guess all of you are doing this type of work full-time at your companies.
  • paul78 Member Posts: 3,016
    My goal is definitely to be a risk identifier for them, not a risk accepter.
    LOL - your client can't transfer their risks and you are not an insurance company. As long as your SOWs are clear, you should be fine.
    Do you tend to rely on insurance to cover you in case of crisis, or do MOAs and SOWs do the trick for you?
    Not sure about @Cyberscum but I have a corporate umbrella and it's normal for my clients to expect that we have the normal business liability insurance. We carry both E&O and general liability insurance. And the usual worker's comp stuff.
  • UnixGuy Mod Posts: 4,565
    What sort of policy tools do you guys sell?

    I'm getting slowly into policy / compliance / privacy work. I can see the ridiculous amount of money spent on this sort of work so the potential for cash is high! The guys who do this work don't seem to be that experienced to be honest...easy to fool so far. Most of them came from the big 4 (PwC, Deloitte, EY, KPMG) and some smaller consultancies.

    The biggest tool that I've seen so far is Nessus... run the scan and send the PDF :)
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • yoba222 Member Posts: 1,237
    Cyberscum wrote: »
    . . . Long story short, I sent them the pricing and they respond back.....we pay our current IT employee 14.50 an hour and are willing to pay you that for your help........my response.......have him do it then. . .

    Wow! What cheap bastards.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • Jack B. Quick Member Posts: 14
    UnixGuy wrote: »
    What sort of policy tools do you guys sell?

    I'm getting slowly into policy / compliance / privacy work. I can see the ridiculous amount of money spent on this sort of work so the potential for cash is high! The guys who do this work don't seem to be that experienced to be honest...easy to fool so far. Most of them came from the big 4 (PwC, Deloitte, EY, KPMG) and some smaller consultancies.

    The biggest tool that I've seen so far is Nessus... run the scan and send the PDF :)

    Ha, well if you're using Nessus for policy creation, you're definitely taking someone for a ride...building an organizational InfoSec Policy based off of some Nessus scans is like someone paying you to secure their building physically, and then having you test the strength of their front door lock and calling it a day.

    But what I'm talking about is more building an Information Security Policy for small organizations who don't have them, and then charging a pittance that is comparably far smaller than what you'd be charged from more sizable InfoSec firms.
  • UnixGuy Mod Posts: 4,565
    @Jack:

    No, I didn't mean using Nessus to build the Security Policy. I was just asking what *tools* Cyberscum meant when he said that he sells tools? So I mentioned Nessus because it's the only one I've seen used as PART of an ISMS.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • jibtech Member Posts: 424
    UnixGuy wrote: »
    What sort of policy tools do you guys sell?

    I'm getting slowly into policy / compliance / privacy work. I can see the ridiculous amount of money spent on this sort of work so the potential for cash is high! The guys who do this work don't seem to be that experienced to be honest...easy to fool so far. Most of them came from the big 4 (PwC, Deloitte, EY, KPMG) and some smaller consultancies.

    The biggest tool that I've seen so far is Nessus... run the scan and send the PDF :)

    Are those guys doing policy work, or are they the external auditors? The description and the Big 4 reference makes me think the latter.

    As for Nessus, it's nice. But, I much prefer Qualys.
  • Jack B. Quick Member Posts: 14
    UnixGuy wrote: »
    @Jack:

    No, I didn't mean using Nessus to build the Security Policy. I was just asking what *tools* Cyberscum meant when he said that he sells tools? So I mentioned Nessus because it's the only one I've seen used as PART of an ISMS.

    Oh ok, ha
  • Cyberscum Member Posts: 795
    Sorry, been busy. We use SolarWinds/N-able and Amazon AWS for a lot of our stuff, but it really depends on the client. I stay away from policy as much as possible and leave it up to their IT, as most of them already have in-house paperwork.
  • Jack B. Quick Member Posts: 14
    Cyberscum wrote: »
    Sorry, been busy. We use SolarWinds/N-able and Amazon AWS for a lot of our stuff, but it really depends on the client. I stay away from policy as much as possible and leave it up to their IT, as most of them already have in-house paperwork.

    How do you structure that? Do you rely on the monthly managed services for revenue, or do you package it up in some way to sell it all as one unified purchase?

    Also, out of curiosity, why are you guys staying away from policy? If you have a client on the line, wouldn't it make sense to at least offer them policy review & creation?
  • paul78 Member Posts: 3,016
    Also, out of curiosity, why are you guys staying away from policy? If you have a client on the line, wouldn't it make sense to at least offer them policy review & creation?
    I personally don't avoid policy work - I actually actively pitch it. I meant in my responses that I don't pitch small healthcare providers. But generally, an entity that doesn't already have some kind of policy is usually either really immature or doesn't care about IT risk management. There is a subset of immature companies that are actively growing that will respond to policy support services, but catching them at the right time is challenging from a business development perspective.
  • Jack B. Quick Member Posts: 14
    paul78 wrote: »
    I personally don't avoid policy work - I actually actively pitch it. I meant in my responses that I don't pitch small healthcare providers. But generally, an entity that doesn't already have some kind of policy is usually either really immature or doesn't care about IT risk management. There is a subset of immature companies that are actively growing that will respond to policy support services, but catching them at the right time is challenging from a business development perspective.

    That makes sense. I think the trick though is to simply work double to convince them they need a policy, and then ensure you can illustrate the business value added once the policy is created and implemented.
  • Cyberscum Member Posts: 795
    To clarify, I stay away from only C&A work.

    We try and bundle as much as possible, as we get the most return from it. All our clients are gov contracts, so they are literally forced into compliance if they want to stay in business, so it makes the sell a bit easier.
  • Cyberscum Member Posts: 795
    Actually, at the moment I make substantially more money selling digital art on Etsy lol.

    I'm actually thinking about doing it full time soon.

    Who would have thought.