Due to the quality of our monitorship work and the significant progress made by our client, one of the largest non-profit health systems in the country, the US Department of Health and Human Services (HHS) agreed to terminate a three-year Corrective Action Plan (CAP) one year earlier than had been originally negotiated.
CRA’s Forensic Services Practice served as the independent third-party compliance monitor as required by the CAP, which had been entered into in response to a series of data breaches.
Our scope included testing compliance with a broad range of information security and privacy policies and procedures, including rigorous remote analysis of computers and servers using endpoint detection and response (EDR) tools. We were also required to assess, as they occurred, our client’s response to specific cyber incidents that arose during the engagement, and to report annually to both the client and HHS.
In addition to providing objective findings, we made periodic recommendations to advance our client’s information security posture, drawing on the insights and experience we have gained through our work on thousands of cyber incident response and trade secret theft engagements each year.
The quality of our work, our unwavering commitment to remaining independent, and the collaborative working relationship we forged with the client, its outside counsel, and its regulator were all key factors to the success of this engagement.
The engagement was led by Kristofer Swanson, CPA/CFF, CAMS, CFE, with assistance from Aniket Bhardwaj, GREM, GCIA, GNFA, GCFA; Cuyler Robinson, CISSP, CIPT, GCFA; Patricia Peláez, CPA/CFF, CAMS, CPC-A, CFE; Frank Visser, GCFE, GCFA, TCO; and Carlo Lakay, ISO27001 Lead Auditor.