
Page 1: HIPAA Hybrid Entity Assessment

Dallas County

BRIEFING / COURT ORDER Commissioners Court - Jun 02 2020

☐ Resolution ☒ Solicitation/Contract ☐ Executive Session ☐ Addendum

HIPAA Hybrid Entity Assessment

Briefing Date: Jun 2 2020
Funding Source: 195.1090.05590.1003
Originating Department: Information Technology
Prepared by: Alice Sweet
Recommended by: Stanley Victrum, Chief Information Officer (CIO)

BACKGROUND INFORMATION: Court Order 2020-0084 dated December 17, 2019 was approved by the Commissioners Court for a partnership with Cynergistek to assist the County IT Office and the County HHS Office with corrective actions to satisfy findings noted in the HIPAA Assessment. The funding approved for this initiative in the amount of $119,739.00 is a fixed price to assist Dallas County with revising required documentation, creating privacy procedures, validating the completion of technical HIPAA controls and assisting with the rollout of the program County-wide. In order to complete the aforementioned tasks, Dallas County must first declare itself either a Covered Entity or a Hybrid Entity as prescribed in the HIPAA Privacy Rule.

On April 28, 2020, in the monthly County Compliance Committee Meeting, County IT briefed the Committee on the "pros and cons" of a Covered Entity versus a Hybrid Entity designation, supported by a detailed legal interpretation and research by the Civil District Attorney's (DA's) Office. Effectively, a designation of Covered Entity would mean that the Dallas County Departments would potentially be subject to the rules outlined in the HIPAA mandate. Alternatively, a designation of Hybrid Entity would reduce adherence to the Privacy Rule to about eleven (11) Departments. Based on the opinion and research from the Civil DA's Office and per consultation with Cynergistek, we concur that a designation as a Hybrid Entity for Dallas County is the more prudent one; however, before the brief is written for the Court's consideration, we are seeking approval to perform a Hybrid Entity Assessment.

OPERATIONAL IMPACT: The Hybrid Entity Assessment is a two- to four-week initiative. Privacy professionals from Cynergistek will interview key members of the Dallas County Leadership to understand how they use, store or interact with HIPAA information. Interpretation of the Privacy Rule, in conjunction with feedback gathered from other entities which have selected the Hybrid Entity designation, will guide the development of a recommendation for Dallas County. Reducing the number of Departments or Teams which are in scope decreases the risk to Dallas County in the event of an audit by the Office of Civil Rights (OCR) or in the case of financial penalties if a HIPAA data breach occurs.

FINANCIAL IMPACT: The total cost of the assessment is $7,562.00 and funding is available in the Major Technology Fund – Other Professional Services Account (195.1090.05590.1003). This is a fixed price for the assessment in its entirety, including an executive summary with the recommendation.


LEGAL IMPACT: The Statement of Work (SOW) has been reviewed and approved as to form by the Civil DA's Office, and the County Judge is authorized to sign the SOW if and once approved by the Commissioners Court.

ADMINISTRATIVE PLAN COMPLIANCE: This request is consistent with the County Administrative Plan Vision #1 – "Dallas County is operationally a model governmental entity" and is also consistent with the County IT FY2020 - 2024 Strategic Plan Emphasis Area Section #3-B.

RECOMMENDATION: That the Commissioners Court approve and authorize the County Judge to sign the Statement of Work with Cynergistek to assist the County IT Office and the County Health & Human Services (HHS) Office with conducting a Hybrid Entity Assessment at a total cost of $7,562.00 and with funding from the Major Technology Fund - Other Professional Services Account (195.1090.05590.1003).

MOTION: On a motion made by TBD, and seconded by TBD, the following order will be voted on by the Commissioners Court of Dallas County, State of Texas: Be it resolved and ordered that the Dallas County Commissioners Court does hereby approve and authorize the County Judge to sign the Statement of Work with Cynergistek to assist the County IT Office and the County Health & Human Services (HHS) Office with conducting a Hybrid Entity Assessment at a total cost of $7,562.00 and with funding from the Major Technology Fund - Other Professional Services Account (195.1090.05590.1003).

CONTRACT DETAILS:
Contract Title:
Description:
Transaction Type:
Contract Number:
Total Cost:
Start Date:
Expiration Date:
Vendor:

ATTACHMENTS: SOW-Dallas County 2020 Hybrid Entity Assessment(clean)-05132020


Hybrid Entity Assessment - Lite
Prepared For Dallas County

Point of Contact: Michael Anderson
Email: [email protected]
Phone Number: (214) 653-6547

Texas Office:
11940 Jollyville Road, Suite 300-N, Austin, TX 78759
512.402.8550
[email protected]
www.cynergistek.com

Statement of Work to Provide Services

RESTRICTION NOTICE

The material and information contained herein is COMPANY CONFIDENTIAL and SENSITIVE. As such, no information contained herein shall be distributed outside either entity for any reason without prior written permission, except as may be required by law.

All Contents © 2020 CTEK Security, Inc.


Dallas County – Page 2/16 5/8/20

Table of Contents

1. Executive Summary .... 3
1.1. Company Overview .... 3
2. Scope and Approach .... 4
2.1. Hybrid Entity Assessment .... 4
2.1.1. Hybrid Entity Assessment .... 4
Scope .... 4
Approach .... 4
3. Project Management and Logistics .... 5
3.1. Project Management Portal .... 5
3.2. Project Launch Meeting .... 5
4. Deliverables .... 6
4.1. Project Management and Logistics .... 6
4.2. Hybrid Entity Assessment .... 6
5. Client Responsibilities .... 7
6. Compensation and Authorization .... 8
6.1. Hybrid Entity Assessment .... 8
6.2. Reimbursable Expenses .... 8
6.3. Security .... 8
6.4. Expiration and Signature .... 8
Appendix A – Engagement Customizations .... 10
Appendix B – CynergisTek Leadership .... 12
Appendix C – Assessment Tools and Utilities .... 16


This STATEMENT OF WORK (“SOW”) is entered into between CTEK Security, Inc. (“CynergisTek”) and Dallas County (“Client”) and is incorporated into the MASTER SERVICES AGREEMENT (“MSA”) between CynergisTek and Client. The terms and conditions of the MSA shall govern this SOW. In the event of a conflict between this SOW and the MSA, the terms of this SOW shall control. CynergisTek and Client are individually a “Party” and collectively the “Parties.”

1. Executive Summary

Together, CynergisTek and Client have determined that the Hybrid Entity Assessment is needed to achieve the goal of assessing and evaluating the compliance structure of the health care component of Client's hybrid entity, and to provide subject matter expertise to review and make recommendations on an appropriate designation of the hybrid entity structure that supports Client's HIPAA compliance program and helps ensure Client meets its regulatory obligations.

CynergisTek will deliver this service as outlined in the Scope and Approach section and for the amount as described in the Compensation and Authorization section.

1.1. Company Overview

Founded in 2004 and based in Austin, Texas, CynergisTek is a top-ranked cybersecurity firm dedicated to serving the information assurance needs of the healthcare industry. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance.

Approximately 90% of our consulting is in service to the healthcare industry – providers, payers, disease management companies and software vendors. As such, we understand healthcare operations, we understand the technology movement in healthcare, we understand the data protection mandates, and we understand the paradox of the healthcare mission – the business of care.

A consultancy is measured by the caliber of its people and its service record. The guiding principles of our company are to offer unparalleled subject matter expertise and service ethic to every customer. Our company represents the best the industry has to offer in technical information security services and information security program and regulatory compliance services, led by a management team that brings decades of private and public sector experience, including service to the healthcare industry. We participate in and contribute to HIMSS, AHIMA, HFMA, HCCA, and AHIA, and all of our consultants maintain multiple industry certifications including CHC, CHC-F, CCEP-F, CHRC, CHPC, CIPP, CISSP, CISM, CGEIT, CRISC, CISA, CBCP, CCIE, CCNP, CCNA, MCSE, SCSA, SCNA, CIA, ISSMP, and ISSAP.

More information about CynergisTek is available at https://cynergistek.com.


2. Scope and Approach

The following sub-sections document each of the elements included in this engagement, including the scope for each element as well as a brief description of what each component is and our approach for completing each of them.

2.1. Hybrid Entity Assessment

The following is a breakdown of the program elements of the Hybrid Entity Assessment service offering:

2.1.1. Hybrid Entity Assessment

Scope

CynergisTek will assess the Client's designation as a hybrid entity as outlined in the Approach section below.

The Hybrid Entity Assessment will be performed only once during the term of this engagement.

Approach

The assessment includes a review of documentation, interviews with key stakeholders related to the Client's hybrid entity designation, and an assessment of the activities of departments and personnel covered by that designation. The documentation review will focus on those policies outlining the structure and criteria for defining the hybrid entity. Interviews will then further clarify details concerning department and personnel activities. The result of the assessment will be a determination concerning the appropriateness of including departments and personnel as part of the health care component of the hybrid entity. The results will be based upon established criteria for hybrid entity designation.


3. Project Management and Logistics

3.1. Project Management Portal

CynergisTek uses a secure, proprietary project management portal. All project stakeholders and participants from both sides of the project will be granted access to the project, providing participants with 24/7 visibility into all project communications. All project communications are documented in the portal, providing a holistic and real-time view into the project's progress.

3.2. Project Launch Meeting

The Project Launch Meeting (PLM) is designed to facilitate mutual understanding for project scope, approach, roles, responsibilities, objectives, project planning, scheduling, and communication. The meeting provides an opportunity for the joint project team to establish a relationship and coordinate the logistics of the project.

While attendance at this meeting is open to all those involved in the project, it is highly recommended that the following attend:

Project Executive/Sponsor (A client-side sponsor of the project on whose direction/authority this project is being executed)

Project Liaison/Manager (A client-side person tasked with day-to-day management of the project and management of the project scheduling/planning)

Technical Liaison (A client-side person tasked with coordinating technical activities within IT/IS)

Information Security Officer/Manager (if applicable)

Privacy Officer/Manager (if applicable)

Compliance Officer/Manager (if applicable)

CynergisTek’s Project Coordinator will reach out ahead of the PLM to coordinate and provide further details regarding content and appropriate attendees.


4. Deliverables

Consulting activities and the associated deliverable output outlined in this SOW are neither intended nor offered as legal advice. CynergisTek's staff, directors, and executives are not practicing attorneys, and the relationship between CynergisTek and Client cannot and must not be construed as an attorney-client relationship unless CynergisTek has been engaged specifically through counsel to secure attorney-client privilege for the engagement. As such, our consulting and deliverable output are intended for educational and information purposes only. They are neither legal advice nor legal opinions on a specific matter. Client should neither act nor fail to act on any legal matter based upon either the consulting activities or the deliverable output without first engaging a competent attorney licensed to practice law in the specific jurisdiction in question.

4.1. Project Management and Logistics

As part of our project management activities we include the following in all engagements:

Project Launch Meeting and Slide Deck (once at the start of the engagement)

4.2. Hybrid Entity Assessment

The following deliverables are intended to be completed under this scope of work:

Hybrid Entity Summary of Findings and Recommendations

o Observations

o Recommendations


5. Client Responsibilities

We would like to specifically call out the following items as being key client responsibilities and critical to the success of the engagement. It should be noted that certain of these responsibilities are specific to certain services or groups of services. If in doubt, contact CynergisTek's Project Coordinator or Client Services Director with any questions:

Timely and effective communication with particular emphasis on the timely exchange of information and scheduling.

A commitment to leverage the project management portal, CynergisTek Community, to its fullest extent.

Assignment of a client-side executive sponsor to endorse and communicate the nature of the project internally.

Assignment of a client-side project liaison to act as a project manager and single point of contact for the project.

Coordination with CynergisTek's program management office to schedule any/all client-side interviews with stakeholders as early as feasible after confirmation that on-site data collection dates are firm.

A commitment to ensuring the availability of key personnel throughout the duration of the engagement to remain aligned with agreed upon delivery expectations as defined by the statement of work.


6. Compensation and Authorization

The following sub-section(s) outline the payment/invoicing and other service-specific terms as appropriate. Payment/invoicing terms are presented by service or service bundle.

6.1. Hybrid Entity Assessment

CynergisTek will complete all tasks in this SOW and provide all listed deliverables (incorporating any/all selected customizations to scope, approach, and pricing listed in Appendix A) for a fixed fee of $7,562.00 plus reimbursable expenses (which must be pre-approved in writing by Client). An initial payment of $3,781.00 is due within thirty (30) days of the date this SOW is signed by both Parties (the “Effective Date”). A final payment of $3,781.00 is due within thirty (30) days of receipt of draft project deliverables and a final invoice.

6.2. Reimbursable Expenses

CynergisTek will invoice reimbursable expenses as incurred and invoices for reimbursable expenses are always due upon receipt. Reimbursable expenses are any reasonable expenses incurred in providing services under this SOW, including, but not limited to, travel expenses, airfare or mileage, lodging, ground transportation, meals and incidental expenses (per diem based on published GSA guidelines), long distance telephone charges, and other customary reimbursable expenses.

6.3. Security

Further, it is agreed between CynergisTek and Client that services performed under this SOW will be performed using reasonable care and skill reflecting the level of knowledge and expertise possessed by those individuals performing the services at time such services are performed. Client understands and agrees that new technology, configuration changes, software upgrades and routine maintenance, among other items, can create new and unknown security exposures. Moreover, computer “hackers” and other third parties continue to employ increasingly sophisticated techniques and tools, resulting in ever-growing challenges to individual computer system security. It is Client’s sole responsibility to maintain the security of its computer systems.

6.4. Expiration and Signature

This SOW and the prices expressed herein are valid through 06-04-2020.

6.5 No Boycott of Israel

Pursuant to Section 2270.002 of the Texas Government Code, CynergisTek verifies that it:

a) Does not boycott Israel; and
b) Will not boycott Israel during the term of this contract.

(SIGNATURES APPEAR ON THE FOLLOWING PAGE)


IN WITNESS WHEREOF, the Parties have executed this SOW as of the Effective Date.

Dallas County CTEK Security, Inc.

Signature Signature

Printed Name Printed Name

Title Title

Date Date

Recommended:

By: ___________________________ Stanley Victrum, CIO

APPROVED AS TO FORM*:

JOHN CREUZOT, DISTRICT ATTORNEY

By: __________________________ Chong Choe

Assistant District Attorney

* BY LAW, THE DALLAS COUNTY DISTRICT ATTORNEY’S OFFICE MAY ONLY ADVISE OR APPROVE CONTRACTS OR LEGAL DOCUMENTS ON BEHALF OF ITS CLIENTS. IT MAY NOT ADVISE OR APPROVE A CONTRACT OR LEGAL DOCUMENT ON BEHALF OF OTHER PARTIES. OUR REVIEW OF THIS DOCUMENT WAS CONDUCTED SOLELY FROM THE LEGAL PERSPECTIVE OF OUR CLIENT. OUR APPROVAL OF THIS DOCUMENT WAS OFFERED SOLELY FOR THE BENEFIT OF OUR CLIENT. OTHER PARTIES SHOULD NOT RELY ON THIS APPROVAL, AND SHOULD SEEK REVIEW AND APPROVAL BY THEIR OWN RESPECTIVE ATTORNEY(S).


Appendix A – Engagement Customizations

Cybersecurity Assessment & Testing Services

‣ Program Assessment

‣ Network Penetration Testing

‣ Vulnerability Assessment

‣ Risk Assessment

‣ Social Engineering & Phishing

‣ Web Application Security Testing

‣ Cyber Resilience Review

‣ Printer Device Security Assessment

Medical Device Security

‣ Program Assessment

‣ Technical Assessment

‣ Risk Assessment

Compliance & Privacy Services

Compliance

‣ Program Effectiveness Assessment

‣ OCR Mock Audit & Breach Support

‣ Promoting Interoperability Security Controls Assessment

‣ Hybrid Entity Assessment

‣ PCI Readiness Assessment

Privacy

‣ Research Assessment

‣ Program Assessment

‣ Impact Assessment

Managed Signature Services

‣ Compliance Assist Partner Program

‣ Patient Privacy Monitoring Services

‣ Vendor Security Management

Remediation & Staffing Services

‣ Virtual/Interim CISO

‣ Virtual/Interim Privacy Officer

‣ Cybersecurity Remediation Services

‣ Privacy Remediation Services

‣ Staff Augmentation

Incident Response Services

‣ Program Development

‣ Readiness Exercise

‣ Program Assessment

‣ Event Service

‣ Recovery Service


Additional information regarding Engagement Customizations is available upon request. Please contact your Client Services Director for scope, approach, deliverables, and pricing for the services listed above.

‣ No signatures are required below at this time.

Dallas County CTEK Security, Inc.

Signature Signature

Printed Name Printed Name

Title Title

Date Date


Appendix B – CynergisTek Leadership

Caleb Barlow — President & Chief Executive Officer

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a top-ranked information security and privacy consulting firm focused on the healthcare IT industry.

Prior to joining CynergisTek, Caleb led the IBM X-Force Threat Intelligence organization. In 2016, he built X-Force Command, which is part of a $200M investment in global incident response services, updated watch floors, the industry's first immersive cyber range, and an incident command system for responding to major cyber incidents. In 2018, Caleb invented the Cyber Tactical Operations Center, a first-of-its-kind training, simulation, and security operations center on wheels.

Caleb has a broad background, having led technical teams in product development, product management, strategy, marketing, and cloud service delivery. He has also led the integration efforts on multiple IBM acquisitions.

Caleb is a sought-after speaker on the subject of security. He has appeared on the TED stage and on TODAY, and regularly appears on national news broadcasts. Caleb's views have appeared in the Wall Street Journal, Washington Post, USA Today, New York Times, and dozens of other publications. He testified before the U.S. Congress and the United Nations by invitation of the President of the U.N. General Assembly.

External to IBM, Caleb has been in leadership roles at two successful startups, including Syncra Systems, which is now part of Oracle, and Ascendant Technology, which was acquired by Avent. Caleb also holds multiple patents in the field of Unified Communication.

David Finn, CISA, CISM, CRISC — EVP, Corporate Strategy

David Finn's 30+ years in risk management and control objectives of technology (including audit, security, and privacy) equip him with a deep knowledge of healthcare from both the provider and vendor perspectives. He has demonstrated leadership skills in planning, management, and control of enterprise-wide, mission-critical information technology and business processes as a member of executive leadership teams at various organizations. He has a special knack for creatively engaging all types of audiences and conveying messages that even change-resistant users listen to and remember. He is focused on creating and maintaining trust in and value from information and information systems.

His dedicated service to HIMSS includes serving on the HIMSS Board of Directors, chairing the HIMSS Finance Committee, and serving as a member of the HIMSS Privacy and Security Committee. He has broad experience presenting at HIMSS Annual Conferences and at both regional and local events for chapters of HIMSS. In addition, he authored Chapter 10, "The Future of Information Security in Healthcare: The Journey Never Ends," in Technology's Role in Perfecting Health Care Outcomes.

David holds a Bachelor of Arts degree from the University of North Dakota and a Master of Arts from Angelo State University. He currently serves on the CHIME Board of Trustees. In 2014, he worked closely with CHIME management to create and initiate the Association for Executives in Healthcare Information Security (AEHIS). In March 2016, David was named to the Health Care Industry Cybersecurity Task Force. This HHS task force was a requirement of the Cybersecurity Information Sharing Act of 2015 (CISA). In 2017, David joined the 405(d) Working Group under the auspices of the Office of the CIO at HHS.


He currently serves as Executive Vice President of Corporate Strategy at CynergisTek and as an HHS 405(d) Working Group Member. Previously he served as HIT Officer, Symantec; President and CIO/Privacy and Information Security Officer, Texas Children's Hospital and Integrated Delivery System; and Executive Vice President, Healthlink (formerly IMG). His board experience also includes: ISACA Professional Influence and Advocacy Committee member; Healthcare for the Homeless - Houston; and the Patient Care Intervention Center. Most recently he has been invited by Health Management Technology to be the newest member of the publication's Editorial Advisory Board.

Ben Denkers - SVP, Cybersecurity & Privacy Services

Ben Denkers is Senior Vice President of Cybersecurity and Privacy Services at CynergisTek, where he is responsible for supporting growth and achieving the highest levels of client and employee satisfaction for CynergisTek's security, privacy and compliance services. Denkers has nearly 20 years of experience in information security and consulting across a variety of industries and has been recognized as a frontline leader. Denkers has built an extensive track record of success delivering the vision, key leadership, and strategies to take business performance and IT security to new levels. Prior to CynergisTek, he was the VP of North America Consulting at Cylance.

Tony Douglas — SVP, Sales

Tony Douglas is the Senior Vice President of Sales at CynergisTek and is responsible for building and leading business development and sales strategy. In his role, Douglas leads all efforts around client retention, new client acquisition, and positioning CynergisTek as a market leader serving the needs of healthcare and other security-aware industries. With nearly twenty years of experience in healthcare IT, Douglas has a solid track record of achievement in IT privacy/security and clinical transformation.

Douglas entered the healthcare technology field in 2001 inspired by a passion for the evolving role IT plays in improving the quality of patient care and overall operations of a health system. Prior to CynergisTek, Douglas held several roles with Symantec and most recently served as Vice President of Healthcare Sales, where he played an integral role in year-over-year growth. Prior to Symantec Corporation, Douglas held technical, project management, and commercial roles at organizations including McKesson Provider Technologies and Carestream Health. Douglas currently resides in Richmond, Virginia and holds a bachelor’s degree in Computer Science from Alfred University.

Jeremy Molnar, CISSP, HCISPP — SVP, Solution Development

Jeremy Molnar is the Senior Vice President of Solution Development for CynergisTek. He is considered a subject matter expert in information security, including architecture and enterprise security assessments, network security, host-based security, intrusion detection/prevention, log monitoring and management, risk and vulnerability assessments, penetration testing, data loss prevention, and disaster recovery/business continuity planning, with extensive practical knowledge of compliance standards including HIPAA/HITECH, NIST, ISO, and PCI. Jeremy has over 19 years of experience dedicated to information security, having worked in finance, energy, and retail, with 14 of those years focused on healthcare IT. Jeremy leads several company-wide initiatives to develop methodologies for CynergisTek's security and privacy services, and he leads the team that supports continuous improvement initiatives. He has participated in hundreds of assessments and remediation plans with CynergisTek's clients to help them build comprehensive information security programs and works with numerous clients to develop and implement security strategies. Jeremy graduated cum laude from Excelsior College with a Bachelor of Science in Management Information Systems, and his certifications include CISSP, HCISPP, and MCSE.

Marti Arvin, JD, CHPC, CHC-F — Executive Advisor
Marti Arvin brings more than three decades of operational and executive leadership experience in the fields of compliance and regulatory oversight in academic medical and traditional hospital care settings to her position at CynergisTek. She has worked most of her career in academic medical centers and understands the unique challenges of that environment given the varied structures and affiliations that can exist in an AMC.

Marti leads strategic business development around compliance services and utilizes her industry-recognized expertise in health care compliance, privacy, information security, and research to inform the development of services to meet the underserved needs of the healthcare community. She has supported organizations in the development of complex data governance programs to help ensure that data can be shared among stakeholders in a compliant, efficient and effective manner. She is a nationally recognized speaker and contributor to the thought leadership around healthcare compliance, privacy, information security, and research, and she contributes to CynergisTek’s industry outreach and educational programs. Marti has extensive experience in building and managing compliance, privacy, information security, and research programs. Marti also has a legal background, having obtained her J.D., and holds the CHC-F, CCEP-F, CHRC, and CHPC certifications. She is recognized as an expert on compliance, privacy, and research issues through her published articles, lectures, and presentations at national conferences. She was a board member of the Health Care Compliance Association between 2008 and 2011 and was on the Compliance Certification Advisory Board for over eight years. She also served on the certification committee for the CHC, CHC-F, CCEP, CCEP-F, CHRC, and CHPC.

David S. Holtzman, J.D., CIPP — Executive Advisor
David Holtzman is an Executive Advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security, and Breach Notification Rules and was named by Health Data Management as one of the top 50 Healthcare IT experts of 2015. David has nearly 15 years of experience in developing, implementing, and evaluating health information privacy and security compliance programs from both government and private sector positions. He is Co-Chair of the Privacy and Security Workgroup for the North Carolina Healthcare Information & Communications Alliance.

Prior to CynergisTek, David served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he served as the senior advisor for health information technology and the HIPAA Security Rule. He led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule by establishing workflows for processing, identifying, and investigating alleged violations of the rule. Prior to joining HHS, David was the privacy & security officer for Kaiser Permanente’s Mid-Atlantic Region, where he was responsible for implementing and directing the continuing compliance with the HIPAA Privacy and Security rules.

David is a graduate of the Western New England College of Law and the Brockport College of the State University of New York. He is admitted to the practice of law in New York and Illinois.

Nathaniel Xavier, HCISPP — VP, Program Management Office
Nathaniel (Nate) Xavier, HCISPP, fills the role of Vice President, Program Management Office. In this capacity, he is responsible for all day-to-day project management processes, quality, and tools across client projects as well as supporting various internal programs and processes. He works closely with the delivery organization and clients to ensure that engagement processes meet clients’ needs and allow for efficient and effective operations. Nate has been with CynergisTek for over seven years in various project management and operations focused roles. Prior to CynergisTek, Nate served four and a half years in the United States Marine Corps as a Logistics Manager. He graduated cum laude from Texas State University with a Bachelor of Arts in History and holds the HCISPP certification.

David Bailey, CISSP — Director, Security Services
David, as Director of Security Services, leads the execution of enterprise risk assessments and offensive security engagements and is considered a subject matter expert in risk management, security incident response, the NIST Cybersecurity Framework, and HIPAA. Prior to his role at CynergisTek, David served as the Director of Technology and Security at Mary Washington Healthcare, where he was responsible for technology and security leadership and served as the organization’s HIPAA Security Officer. David received his Bachelor of Science degree in Computer Science from Wilkes University and is a Certified Information Systems Security Professional (CISSP). David has 10 years of healthcare cybersecurity experience plus 12 years of cybersecurity experience as a federal contractor, business owner, and Communications and Information Officer in the United States Air Force. He started his career in 1993 with assignments at the Pentagon, Langley Air Force Base, Eskan Village in Saudi Arabia, and Peterson Air Force Base.

Carrie Whysall – Director, Managed Security Services
Carrie Whysall is the Director of Managed Security Services, reporting to the Vice President of Security Services. She is responsible for Vendor Security Management (VSM), Managed Security Services (MSS) and Medical Device Security. A healthcare veteran with over 20 years of experience in IT leadership, 12 of which have been specifically in security, she will also work closely with the company’s executives to meet client expectations and ensure timely and efficient service delivery to support company goals and enhance employee and customer satisfaction.

Prior to joining CynergisTek, Carrie served as Senior Director of Security for Ascension Information Services. During her time there, she was part of the leadership team that implemented Ascension’s Security Operations Center (SOC) as well as the company’s eForensics, Security Training & Awareness, Medical Device Management, and Incident Response programs. Carrie was also responsible for the Access & Identity Management program, which provided identity and access services for over 200,000 users across the Ascension system.


Appendix C – Assessment Tools and Utilities
Not applicable to services being proposed/provided.