Our policies were written for a hospital, not a health information exchange. They assumed we store patient data on our own servers — we don't.
The independent assessment found 73 controls protecting against risks that don't exist at HTX — creating liability without providing protection.
20 overlapping documents with contradictions, references to roles that no longer exist (CISO, CTO), and procedures nobody could follow.
An independent HIPAA assessment in January 2026 identified this as the #1 finding.
Every policy statement is now testable and reflects what we actually do.
Completed in 5 phases · February – March 2026 · Counter Measures Security LLC
Policies match what we actually do. No auditor can point to a gap between stated policy and practice — eliminating the #1 source of regulatory findings.
The Shared Responsibility Matrix documents exactly who owns each security control. If a vendor has a breach, our documentation shows we did our part.
Every control is proportionate to an 18-person organization. No more pretending we have a CISO, a CTO, and an IT department we don't have.
If HTX ever faces an OCR investigation or breach lawsuit, these policies demonstrate that our security program was thoughtful, proportionate, and grounded in actual operations.
These architectural choices shape the entire suite and are consistent across all 33 documents.
| Decision | What It Means |
|---|---|
| BA scope, not provider scope | We're not a hospital. Our policies now reflect our actual role as a data exchange facilitator. |
| All PHI resides with InterSystems | No local PHI means no local PHI controls. We protect the access chain instead. |
| CISO duties delegated to IT Manager | Rather than pretend we have a CISO, we formally delegate those responsibilities with a documented reversion clause. |
| 6 old technical policies → 1 | Endpoint, Network, Wireless, Transmission, Configuration, and Media policies consolidated to eliminate contradictions. |
| Passwords aligned to NIST standards | 12-character minimum, no forced periodic rotation (passwords change on evidence of compromise), no character-class complexity rules, per NIST SP 800-63B. Current best practice. |
| Vendor accountability via SRM | 61 controls mapped to who owns them: HTX, InterSystems, or Microsoft. Verification methods documented. |
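The password row above names the rules but not how they are enforced. The following is an added example, not code from the HTX policy suite, InterSystems, or Microsoft, of what a NIST SP 800-63B style acceptance check looks like in practice: a length floor of 12, no composition rules, and the blocklist screening that 800-63B prescribes in place of complexity rules (known-breached values, repetitive or sequential strings, context-specific words such as the username or organization name). The breached-password set, the context words `htx` and `intersystems`, and the usernames are constructed sample data, not anything from the page.

```python
"""NIST SP 800-63B style password acceptance check (added example).

Enforces the policy summary's 12-character minimum and applies no
character-class rules. Instead of complexity rules it screens against a
blocklist, as 800-63B prescribes: breached values, repetitive or
sequential strings, and context-specific words (username, org name).
BREACHED and CONTEXT_WORDS below are constructed sample data.
"""
import unicodedata

MIN_LENGTH = 12   # from the HTX policy summary
MAX_LENGTH = 64   # 800-63B: accept at least 64 characters

# Constructed sample of a breached-password corpus. A real deployment
# queries a large corpus (e.g. a k-anonymity lookup), not an inline set.
BREACHED = {
    "password1234",
    "welcome12345",
    "letmein12345",
}

# Assumed context-specific words: the organization and its PHI host.
CONTEXT_WORDS = {"htx", "intersystems"}


def _normalize(pw: str) -> str:
    """800-63B: apply Unicode NFKC normalization before comparing or hashing."""
    return unicodedata.normalize("NFKC", pw)


def _is_sequential(s: str) -> bool:
    """True if every adjacent code point steps by exactly +1 or -1 ('abcdef', '987654')."""
    if len(s) < 2:
        return False
    step = ord(s[1]) - ord(s[0])
    return step in (1, -1) and all(
        ord(s[i + 1]) - ord(s[i]) == step for i in range(len(s) - 1)
    )


def _is_repetitive(s: str) -> bool:
    """True if s is one short unit repeated ('aaaaaaaaaaaa', 'abababababab')."""
    for unit in range(1, len(s) // 2 + 1):
        if len(s) % unit == 0 and s[:unit] * (len(s) // unit) == s:
            return True
    return False


def check_password(password: str, username: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). Deliberately applies no character-class rules."""
    pw = _normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"

    # Case-folded comparison is stricter than the corpus itself; that is intentional.
    lowered = pw.lower()
    if lowered in BREACHED:
        return False, "appears in breached-password list"
    if _is_sequential(lowered) or _is_repetitive(lowered):
        return False, "sequential or repetitive"

    context = set(CONTEXT_WORDS)
    if len(username) >= 3:
        context.add(username.lower())
    for word in sorted(context):
        if word in lowered:
            return False, f"contains context-specific word '{word}'"
    return True, "accepted"


if __name__ == "__main__":
    for pw, user in [
        ("correct horse battery staple", "jdoe"),
        ("Password1234", "jdoe"),
        ("abcdefghijkl", "jdoe"),
        ("jdoe-loves-winter-2026", "jdoe"),
        ("Summer at HTX is great", ""),
    ]:
        print(f"{pw!r:35} -> {check_password(pw, user)}")
```

Note what is absent: no "one upper, one digit, one symbol" rule and no expiry date. Under 800-63B those are replaced by the blocklist checks and by forced change only when compromise is suspected, which is what the policy row above commits HTX to.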
Each metric is tracked at the review frequency shown below. Targets are revisited annually.
| Metric | Target | Review Frequency |
|---|---|---|
| Training completion | ≥ 95% | Annual |
| Endpoint compliance | ≥ 90% | Quarterly |
| Critical patch latency | ≤ 14 days | Quarterly |
| Access reviews completed | 100% | Semi-annual |
| Log reviews completed | 100% | Per schedule |
| Vendor assurance current | 100% | Annual |
| Overdue corrective actions | 0 | Quarterly |
| Policy reviews current | 100% | Annual |