Local Government Medical Agency Case History

WCG tested and implemented security controls as documented in the HIPAA compliance standards to determine the extent to which the controls were being implemented correctly, operating as intended, and producing the desired outcome.


SCENARIO: A local government agency responsible for administering Medicaid and other healthcare initiatives needed to ensure compliance with required federal security regulations.

This agency develops eligibility, service coverage, and payment policies for a major city’s healthcare financing programs and ensures that area healthcare programs take full advantage of federal funding for services for the indigent and uninsured. The agency also manages other healthcare services and analyzes existing healthcare financing policies to ensure that they are promoting efficient, effective, and economical care.

Wilson Consulting Group’s (WCG) task was to review, verify, and test the security controls (management, operational, and technical) of the Electronic Protected Health Information (EPHI) system and other related systems in this city. WCG also had to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Remediation/Compliance Program.

WCG's Strategy: To help the agency achieve the required HIPAA security compliance posture, WCG conducted comprehensive system tests in accordance with federal and local health department security requirements. WCG tested and implemented security controls as documented in the HIPAA compliance standards to determine the extent to which the controls were being implemented correctly, operating as intended, and producing the desired outcome.

In short, we worked to ensure the system security requirements were achieved. To do this, WCG employed a variety of information gathering and assessment methods (e.g., interviewing, inspecting, studying, vulnerability assessment and penetration testing).

In conducting vulnerability assessment tests WCG was careful not to affect system availability or alter configuration or data on the tested devices. Penetration tests were conducted through the public Internet. WCG provided the agency with the IP addresses from which the tests were to be conducted and gave sufficient advance notice. All tests were performed in compliance with departmental, federal and international guidelines and coordinated with the agency.

The tests and services performed included:

  • Network analysis

  • Risk assessment and penetration testing

  • Development and review of HIPAA security policies and procedures

  • Development of continuity of operations/business continuity planning, risk management, contingency and disaster recovery plans and procedures

  • Development of security incident response planning and procedures

  • Training personnel on security policies and procedures

  • Development of security configuration management planning and procedures

  • Development of facility security planning and procedures

Based upon prescribed government guidance and industry best practices, WCG recommended alternative approaches to remedy identified deficiencies. Alternatives were presented with respect to projected suitability to the objective, effectiveness, efficiency, initial cost, long-term maintenance and support requirements.

The remediation process and final deliverables were guided by, but not limited to, the following:

  • NIST SP 800-30 “Risk Management Guide for Information Technology Systems”

  • NIST SP 800-34 “Contingency Planning Guide for Information Technology Systems”

  • NIST SP 800-42 “Guide to Network Security Testing”

  • NIST SP 800-16 “Information Technology Security Training Requirements: A Role and Performance Based Model”

  • NIST SP 800-50 “Building an IT Security Awareness & Training Program”

  • ISO 17799 “International Standard for Information Security Management”

  • ISO 27001 “International Standard for Information Security”

WCG used its own manuals and checklists, as well as commercial and open source tools, to verify that only the minimal set of necessary services was installed on the agency’s devices, that no default settings were in use (including default account names such as “administrator”), that password and username rules were followed, and that software patches, especially security-related ones, were current.
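The four checks in that paragraph (minimal services, no default account names, password rules, current patches) are the kind of baseline audit that is worth encoding so it can be re-run rather than ticked off by hand. The script below is an added example, not WCG's own checklist or tooling; the baseline values, hostnames and inventory are constructed for illustration, and the audit is run against a fixed reference date so the result is reproducible.

```python
"""Baseline configuration audit over a constructed host inventory.

Added example (not WCG's tooling). Each host record is checked against an
assumed baseline for: services outside the role allowlist, enabled default
account names, password policy weaker than the baseline, and patch age.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set

# Assumed baseline (constructed values): per-role service allowlist, banned
# default account names, password rules and a patch-currency window in days.
BASELINE = {
    "allowed_services": {
        "web": {"sshd", "httpd", "ntpd"},
        "db": {"sshd", "postgres", "ntpd"},
    },
    "default_accounts": {"administrator", "admin", "guest", "root"},
    "min_password_length": 12,
    "max_password_age_days": 90,
    "max_patch_age_days": 30,
}


@dataclass
class Host:
    name: str
    role: str
    services: Set[str]
    accounts: Dict[str, bool]      # account name -> True if the account is enabled
    min_password_length: int       # policy enforced on the host
    max_password_age_days: int     # policy enforced on the host
    last_patched: date


@dataclass
class Finding:
    host: str
    check: str
    detail: str


def audit_host(host: Host, baseline: dict, today: date) -> List[Finding]:
    """Return the baseline deviations for one host, in check order."""
    findings: List[Finding] = []

    # 1. Minimal services: anything outside the role's allowlist is a finding.
    allowed = baseline["allowed_services"].get(host.role, set())
    for svc in sorted(host.services - allowed):
        findings.append(Finding(host.name, "unnecessary-service", svc))

    # 2. Default account names must not exist as enabled accounts.
    for acct, enabled in sorted(host.accounts.items()):
        if enabled and acct.lower() in baseline["default_accounts"]:
            findings.append(Finding(host.name, "default-account", acct))

    # 3. Password rules: the host policy must be at least as strict as the baseline.
    if host.min_password_length < baseline["min_password_length"]:
        findings.append(Finding(host.name, "password-policy",
                                f"min length {host.min_password_length} "
                                f"< {baseline['min_password_length']}"))
    if host.max_password_age_days > baseline["max_password_age_days"]:
        findings.append(Finding(host.name, "password-policy",
                                f"max age {host.max_password_age_days} days "
                                f"> {baseline['max_password_age_days']}"))

    # 4. Patch currency: days since the last patch must be within the window.
    age = (today - host.last_patched).days
    if age > baseline["max_patch_age_days"]:
        findings.append(Finding(host.name, "stale-patches",
                                f"{age} days since last patch"))
    return findings


def audit_inventory(hosts: List[Host], baseline: dict,
                    today: date) -> Dict[str, List[Finding]]:
    """Audit every host and key the findings by hostname."""
    return {h.name: audit_host(h, baseline, today) for h in hosts}


# Constructed inventory: one compliant host and one that fails every check.
INVENTORY = [
    Host("web-01.example.test", "web", {"sshd", "httpd", "ntpd"},
         {"svc-web": True, "administrator": False}, 14, 60, date(2024, 3, 20)),
    Host("db-01.example.test", "db", {"sshd", "postgres", "ntpd", "telnetd"},
         {"dba": True, "administrator": True}, 8, 180, date(2023, 11, 5)),
]
REFERENCE_DATE = date(2024, 4, 1)   # fixed so the audit is reproducible

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, BASELINE, REFERENCE_DATE).items():
        status = "PASS" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  [{f.check}] {f.detail}")
```

Keeping the baseline as data rather than hard-coding it into the checks means the same audit can be re-run after remediation, and a diff of two runs shows exactly which deviations were closed.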

WCG confirmed the:

  • Suitability of technical security controls, such as firewalls, strong authentication and intrusion detection systems.

  • Audit processes to detect unauthorized actions by internal and external users, to capture evidence of successful and unsuccessful attempts of tampering, to perform forensics, and to implement incident response procedures.

  • Known vulnerabilities (such as sample code that comes with software packages, buffer overflow-type weaknesses, etc.).

  • Virus detection and protection mechanisms.

WCG RESULTS: WCG successfully examined, evaluated, documented, and prepared security remediation/compliance tests, procedures, and approvals for complex multi-tiered records management applications within the agency’s environment. WCG provided deliverables on time, on budget, and to the HIPAA specifications, thus enabling the agency to achieve the required HIPAA security compliance posture.
