Healthcare Cybersecurity and Privacy

With experience and focus in cybersecurity for digital health, life sciences and finance, Quandary Peak is trusted by companies in these industries to analyze software, develop threat models, implement leading standards, and meet changing regulations related to cybersecurity and privacy.

We specialize in implementing and assessing leading standards and practices including: NIST CSF, OWASP, ISO 27001, Zero Trust, supply chain security and others. We cover a range of Health IT specific interoperability scenarios – including privacy, security, authorization, and compliance services for FHIR APIs, HIPAA-compliant systems, medical device security, 21 CFR Part 11 data integrity, supply chain security and more. We stay current on the latest security and privacy regulations from agencies including FDA, ONC, CMS, GSA, state regulatory bodies, and others. We participate actively in standards development and harmonization, and work to stay current on always-evolving threats and technical best practices.

We assist clients in training, code analysis, tool selection, regulatory analysis, audits, pre-audits, reverse engineering, and more. We help companies understand and apply changing regulations and get out in front of fast-changing cybersecurity and privacy law while also protecting their software and digital assets and customers from the real and growing risk of cybersecurity attacks.

What We Do

Training and Education
Gap Assessments and Pre-Audits
Outsourced CISO and regulatory consultation
Compliance Risks and Government Inquiries
Threat Analysis and Assessments
Organizational Certification (HITRUST, ISO 27001) efforts
Prelitigation and litigation technical expertise

Health IT Vertical Expertise

Certified Health IT (ONC) Security and Audit Log requirements.
FHIR Security and Information Blocking Requirements.
HITRUST, Direct Trust, HISP and other Health IT Security and Interoperability certifications.
HIPAA Privacy Regulations
21 CFR Part 11 requirements (pharma and life sciences)

Cross-Vertical Expertise

ISO 27001, NIST 800 53 other security standards
SANS 20 CSC, COSO, SOX, SOC 2,
SOC 1, and COBIT 5
Privacy Regulations (GDPR, CCPA)

We Know Health IT Cybersecurity

Our staff is experienced in a wide range of industry standards and best practices for implementing cybersecurity best practices – with a particular sub-focus in Health IT.

Security Frameworks, Industry Knowledge Sources, Health Security and IOP Standards, Skills Certifications

General Security Subject Matter Expertise

Application Security

OWASP Top Ten, CWE and other code-level security vulnerabilities
Proper use of digital certificates, hashes, salts, obfuscation and other methods.
Cryptography, SSL/TSL security management
Firmware Security
Secure software development framework (SSDF) and code development policies

Policy and Risk Strategies

Data Loss and Ransomware Strategies
Zero-Trust
Threat Modeling

Cloud and SaaS Security

Cloud Security Monitoring tools
Role and Access Configuration Management tools
Zero Trust Policies, Best Practices and Implementation Guidance
API Security
Identity Protocols
Password Management
Oauth, Open ID and other web 2.0 protocols

Supply Chain Risks/Solutions

Vendor Risk Assessments
3rd Party Library Security Management
Medical Device Manufacturing Security

Physical Security

Firmware and Hardware security
Biometric and other Identification mechanisms
FIPS and physical deterrents

Social Engineering

Best Practices and Training

Speak with an Expert Today

Experts & Consultants

William Luk

Regional Director, Northern California Bay Area

William Luk is an entrepreneur, software executive, and developer with over 20 years of experience in network and computer security. William has developed and led product teams to deliver enterprise class firewall, intrusion detection / prevention systems, database security, and data security / privacy solutions at Symantec and several security startups.

LitigationLitigationTestifying & Consulting Expert

Health ITFocus AreaSoftware Engineering & Security

Due DiligenceArea of ExpertiseEmbedded Systems & Security

Gordon MacKay

Principal Software Consultant Austin

Gordon MacKay is a software and systems expert and technical executive with experience in telecom, network security, and SaaS/Cloud platforms. Gordon has led teams in architecting, developing, and deploying a multi‑tenant SaaS-based vulnerability management platform and scanning solution which is being used worldwide by fortune 500 organizations as part of their ongoing cyber defense programs.

LitigationLitigationConsulting Expert

Health ITFocus AreaCloud & App Security

Due DiligenceArea of ExpertiseCybersecurity Analysis

Brad Ulrich

VP of Health IT & Audits Nashville

Brad Ulrich has a diverse career as a computer scientist, software engineer, technology manager, and entrepreneur. His experience spans software design, programming, patent management, healthcare, mobile devices, startups, technology licensing, regulatory compliance, and risk management.

LitigationLitigationSenior Testifying Expert

Health ITFocus AreaSoftware & Standards

Due DiligenceArea of ExpertiseHealth IT & Standards

Andrew Holm-Hansen

Director of Health IT Engineering Nashville

Andrew Holm-Hansen has worked in Health IT for 15 years, and led several development teams during his career. As an Enterprise Architect, he distilled complex information that cut across legal, staffing, and technology boundaries, to provide decision-makers with actionable information.

LitigationLitigationConsulting Expert

Health ITFocus AreaSoftware Architecture & Engineering

Two Accomplished Software Experts Join Quandary Peak Research

February 29, 2024 Written by Quandary Peak Research

Two distinguished software experts have joined our growing team. Rick Watts and Vikas Sharma each bring extensive experience in software litigation to their new roles, further strengthening our capabilities and expertise in critical areas such as enterprise architectures, ERP systems, and software patents, among others.

Technical Due Diligence 4 Min Read

Software Valuation Using Cost of Replication Method

November 22, 2023 Written by Mahdi Eslamimehr

Unlock the complexities of software appraisal with a deep dive into the nuanced connection between economic principles and the true value of software, emphasizing the need for understanding of development and financial modeling. Explore the intricate landscape of valuation, considering factors like architecture, scalability, development efficiency, and technology obsolescence.