Meditology Services provides security and privacy risk assessment services specifically tailored to the unique needs of healthcare organizations.

Depending on the needs of your organization, Meditology can conduct security risk assessments using either the HITRUST Common Security Framework (CSF) or the NIST Cybersecurity Framework (NIST CSF). Both frameworks provide a comprehensive approach to regulatory compliance and risk management.

Meditology conducts privacy risk assessments using the HIPAA Privacy Rule, OCR Audit Protocol, HITRUST privacy controls, NIST 800-53 privacy controls, and applicable state laws. Our pragmatic approach is based on what is considered “reasonable practice” required to satisfy privacy compliance requirements in a practical and cost-effective manner.

Meditology can also assist you in certifying your EHR systems if you participate in Meaningful Use and/or MACRA.

Meditology risk assessments can support the needs of multiple audiences:

  • Regulatory bodies such as HIPAA and OCR
  • Executives and their boards
  • Managers responsible for security and compliance
  • Staff responsible for implementing remediation measures

Meditology has extensive experience conducting hundreds of information security and privacy risk assessments for healthcare organizations of all sizes. We have a proven track record for completing security risk assessments that meet regulators’ expectations, including OCR and CMS.

Meditology serves as OCR’s HIPAA expert witness firm and is intimately familiar with the OCR’s audit, investigation, and enforcement processes.

Each member of Meditology’s leadership has at least 15 to 20 years of directly relevant healthcare IT security and privacy consulting and operational experience.

Meditology’s team has relevant security certifications including CISSP, CEH, CISA, HCISPP, CIPP, OSCP, PCIP, CPHIMS, CPISM, GSEC, CCNA and HITRUST.

Our seasoned team is strengthened by leaders who have health system operational experience as well as industry security leadership. Our team includes consultants who have previously served as Chief Information Security Officers, Chief Privacy Officers, and IT Directors of large healthcare entities.

Meditology specializes in risk assessment and compliance for the healthcare industry. We understand the specific needs and constraints of healthcare organizations, and we are therefore able to develop solutions that are appropriate for each client’s size, complexity, and needs.
  • Ranked #1 Best in KLAS for Cybersecurity Advisory Services in 2019 and 2020
  • HIPAA expert witness firm for OCR
  • Experienced CISOs and Privacy Officers
  • Dedicated to healthcare
  • Hundreds of clients coast to coast
  • Advisors to ONC / HHS
  • Benchmark comparisons to other healthcare organizations of similar size and complexity

We chose Meditology mainly for their demonstrated knowledge and understanding of HIPAA, ARRA/HITECH and established security standards.

They were unfailingly professional throughout the information gathering and data gathering processes, kept to their timeline and verified the results that they found. The reports produced were accurate and easy to understand, with appropriate benchmarking to other health care organizations and the security industry as a whole. Most importantly, they provided concrete and achievable suggestions to help mitigate the risks identified.

Barbara Anson
CISO, Baptist Memorial Health Care Corporation of Memphis, TN

We engaged Meditology to assist us with Security Risk Assessment services on two different occasions.

They were highly knowledgeable and extremely professional throughout the duration of each project, and the quality of the final deliverables they provided was exceptional. Meditology’s healthcare focus and core competency of Information Security and Privacy were indispensable to the engagement. Their deep knowledge of the HIPAA and HITECH regulations, as well as the Common Security Framework and supplemented by industry operational experience of their team members, added huge value to the assessment. Meditology was able to address significant risk areas in a straightforward manner and was able to provide practical examples and insight on how to go about correcting issues. We will definitely call upon Meditology again when the need arises.

Martin Littmann
Chief Technology Officer & CISO, Kelsey-Seybold Clinic

My original experience with Meditology was during a risk assessment at a different healthcare organization. I was impressed with Meditology's team, the professional manner in which they interacted with our stakeholders, and the comprehensiveness of the final deliverable. Upon joining Avanti, I saw the need for a similar, thorough review of our security controls and I immediately thought of Meditology for the job. Meditology's professionals completed the risk assessment with the same professionalism and quality as my first experience. Again, the team met my high expectations throughout the engagement and even went above and beyond the original contracted scope to assist with some last minute requests that provided additional value to me and the organization. I anticipate Meditology will continue to be a trusted adviser for my future security needs.

Jason Cervantes
Chief Information Officer, Avanti Hospitals, LLC

As a health information exchange (HIE), we are a highly customer-focused organization, and we recognize this same orientation in a consulting partner. Meditology came to us recommended by our members and is well-respected in its service community. They were readily able to evaluate our policy and security framework, and identify areas of key focus. We particularly appreciated their knowledge around HIPAA and our statewide HIE. With their help, we created an entire array of organizational policies. Meditology also conducted a security assessment that demonstrated we had appropriate safeguards in place for robust exchange. This has helped assure our member hospital/health systems, healthcare insurers, and ambulatory practices. Naturally, the effort has had an important influence on our service procedures. We look forward to continued work with Meditology for our consulting and ongoing risk-assessment needs.

Daniel Wilt
Senior Director of Information Technology and Chief Information Security Officer, HealthShare Exchange of Southeastern Pennsylvania

One of NASCO's key controls for security management is the annual revalidation of security access to the primary claims processing system, to ensure appropriateness of access based on role. NASCO engaged Meditology to perform the security revalidation based on our prior, positive experience working with the firm's leadership and we are pleased we did. Although the project had tight constraints, Meditology exceeded our expectations with high-quality deliverables completed on-time and on-budget. Meditology also provided valuable guidance and suggestions for making the annual security access revalidation process more cost-effective and efficient.

Lauret Howard, SMP
Vice President, Strategy, Brand and Risk Management, NASCO

Onsite Health Diagnostics has relied on Meditology Services for HIPAA security risk assessment and penetration testing since 2014.

Meditology’s information security services have provided OHD’s customers and business partners with confidence in the seriousness with which we take our responsibility to protect their highly sensitive data. We have been more than pleased with Meditology’s professionalism, diligence and responsiveness, and we look forward to working with them for years to come. Since our founding, OHD has been dedicated to exceptional client service, providing stress-free employee health screenings and workforce health data analytics. Our clients, who include Fortune 500 corporations, hospital systems, financial institutions, state & local governments and small businesses alike, rely on OHD’s commitment to privacy and security when it comes to their employee health data.

Kyle Alexander
CEO, Onsite Health Diagnostics
Meditology leads security-related events in the area. After hearing their expertise we decided to utilize their services for one of our annual risk assessments. Meditology worked hand in hand with our existing teams to perform a thorough analysis. I was impressed with their reviews of even our remote locations to not only conduct interviews but to verify what was truly in practice. Meditology conducted regular meetings with the security team to ensure timelines were on schedule and that we had a mutual understanding of the findings and status. I’ve worked with many companies over the years on these assessments and Meditology is not a group that just checks the boxes. Meditology has an intelligent staff that is up to date on the current regulations.

They have deep conversations on what is needed and why. They help you achieve your goals by aligning where you are today with where you want to be in the future and setting a course.

I am glad we decided to work with Meditology and create a partnership that aligns with our interests.

Nicholas Thomas
Director of Technology Services, Harbin Clinic Information Technology Services