Healthcare Security

NCC Group reduces the burden of HIPAA compliance and privacy protection by providing flexible compliance services that work the way clients want, enhancing existing initiatives, infrastructure and personnel rather than replacing them. Our approach allows organizations to make cost-effective decisions that improve their information security posture while moving towards demonstrable compliance. We are a trusted consulting leader in the healthcare industry with a deep understanding of the entire healthcare value chain.



Our RMG team performs HIPAA assessments against the Privacy Rule (45 CFR Part 160 and Part 164 Subparts A and E) and the Security Rule (45 CFR Part 160 and Part 164 Subparts A and C). This provides independent validation of the security controls protecting electronic protected health information (ePHI). We also provide compliance advisory and audit services that verify a client's ePHI environment meets the security-related requirements of HIPAA, the HITECH Act and the HIPAA Omnibus Rule of 2013. As part of this work, the RMG team reviews and validates the control environment around the applications and supporting systems that contain ePHI or affect the security of ePHI.

Our healthcare data security professionals have helped healthcare facilities, clinics and pharmacies identify how they receive, store, process and transmit regulated PHI and ePHI, and where the gaps lie in their system architectures, designs, policies, procedures and processes.

HIPAA Compliance Roadmap

Our RMG practice developed the HIPAA/HITECH Data Security and Privacy Road Map to drive reliable, repeatable and accurate business process mapping, gap analysis, remediation planning and ongoing security control assessments.

[Figure: NCC Group HIPAA/HITECH Data Security and Privacy Road Map]


HIPAA Risk Assessment

The NCC Group methodology for detailed HIPAA risk assessments is based on established, repeatable assessment frameworks drawn from the National Institute of Standards and Technology (NIST), the Health Information Trust Alliance (HITRUST) and the OCR Audit Protocol. In particular, NIST SP 800-66, “An Introductory Resource Guide for Implementing the HIPAA Security Rule,” serves as the de facto standard for which activities an organization should consider when pursuing HIPAA compliance as part of an overarching information security program. OCR references SP 800-66, along with a number of other NIST special publications, as acceptable guidance for achieving Security Rule compliance, although the regulation itself does not mandate any particular framework.



RMG performs HITRUST CSF assurance services according to the requirements and guidance issued by the HITRUST Alliance. The HITRUST Alliance is a not-for-profit organization founded in 2007 to help the healthcare industry protect its information. It develops, maintains and provides access to the HITRUST CSF and related frameworks for assessment and assurance in the healthcare industry. The HITRUST CSF is a framework based on the ISO 27000 series that consolidates many of the regulatory, compliance and best-practice requirements imposed on organizations in the healthcare industry, and it supports tailoring of controls to an organization's size and regulatory requirements.

Readiness Assessment

Organizations are often unfamiliar with the requirements of the HITRUST CSF and therefore seek a gap assessment to gauge their information security posture against it. On completion, the client receives a report listing each identified gap, mapped to the relevant HITRUST CSF control specification, together with recommendations for remediation.

Facilitated Self-Assessment

We strongly recommend that every client perform a self-assessment before seeking validation. A client can perform this self-assessment alone, but many prefer to engage an assessor firm to assist; the client can treat this as a ‘mock’ validation assessment in which RMG assesses the client as if it were being validated. The self-assessment is managed through MyCSF, the HITRUST governance, risk and compliance tool. The client purchases a self-assessment report containing the ratings and scores for each HITRUST CSF requirement, and RMG provides additional recommendations to strengthen the organization's security posture.

Validation Assessment

Through the HITRUST CSF Assurance Program, a client can undergo a validated assessment performed by an independent HITRUST Approved Assessor Firm. A Validation Assessment results in either a Validation Report or a Validation Report with Certification, depending on whether the required scores are achieved. A Validation Assessment is a ‘point-in-time’ assessment of the client's maturity and security posture against the HITRUST CSF: it attests to the control environment as it existed on the assessment date, not to ongoing compliance.