By Mike Semel
K-12 school district and healthcare assessment projects have
turned out to be the gift that keeps on giving for IT solution providers. Not
only have the assessment projects themselves been profitable, but they have
paid off well with managed services recurring revenue and projects. These are
really easy, because we use the same methodologies as with all our business
assessments, but make sure our reports to management focus on dollars and
regulatory compliance, management’s two big worries. Ninety-five percent of our
assessments are all the same, but our reports map our findings to the financial
needs of the client, and the alphabet soup of regulations—HIPAA (never spell it
with two Ps!) and JCAHO for healthcare, plus FERPA, CIPA, and E-rate for education.
Who is our Customer?
The first thing we had to do when developing an assessment strategy
was to decide who to approach. Should we propose our services to the IT
department or someone else within the school district or healthcare
organization? We decided to go all the way to the top—superintendents, school
boards, medical practice managing partners—because we wanted to position
ourselves as executive level consultants, not just another technical services
provider trying to sell services to an IT Director who feels threatened by
outsourcing and doesn’t want anyone touching “his network.” Our strategy
worked.
What is an Assessment
?
Our assessment includes three sections – Security,
Operations, and Financial. Security is the same as we would do for any
business. Operations looks at the IT department to estimate whether it is
staffed properly, how tickets are managed, and if internal customers are happy
with the IT environment. This is the same process we use to evaluate our own
company, which makes it easy to do for clients. Financial looks at budgets and
funding sources. We make sure our
reports are simple for non-technical executives to understand, and our
recommendations are clear and concise. We also provide a separate document with
the data we used to form our conclusions, with the facts, screen shots, and
logs to validate our findings. This has helped with people who have tried to
argue with us or cover up evidence of problems.
Assessment Framework
We developed a home-grown assessment framework for
healthcare after becoming certified in the HIPAA Security Rule in 2003. Our
Education Assessment is based on our HIPAA Assessment tools for healthcare for
two reasons. First, school districts,
unlike healthcare and financial organizations, have no auditing framework to
follow. Second, two of the districts we evaluated surprisingly did have to meet
the HIPAA guidelines. One district self-insured its employee healthcare, which
made it a Payer in the healthcare system. Another district took advantage of
insurance companies that were willing to pay school nurses to administer
medications to special needs students. Charging for the nurses’ services made
them a Healthcare Provider. Both were surprised when we informed that they were
Covered Entities according to the HIPAA regulations, and they asked their
school district legal counsel to verify our findings. We showed the attorneys
where to look on the federal HIPAA website, and they agreed. Ka-ching—instant
credibility with the top executives and their lawyers! We were no longer just
IT guys, but true business consultants.
Security
We perform the same types of security tests on school
computers as with other businesses. We perform basic penetration testing (after
getting an authorization letter) plus the usual tests—looking for unsecure
access points; verifying Active Directory permissions; and looking in public
folders for confidential information. (We
are still surprised at what we find considering the IT department knows that we
are coming to audit the network.) We have stopped assessments when we
discovered serious security breaches and gotten authorization for some extra
billable hours to fix the problems. Another credibility builder!
Operations
Management is always wondering if they are spending their IT
dollars properly. They rely on the advice of their IT staff, many of whom are
self-taught and have never had to manage a business. We review budgets, open
tickets, staff-to-user ratios, training and certifications, and end-user
satisfaction with the IT department. We
interview district administrators, staff, groups of teachers, and the IT staff.
We base our findings on the same criteria we use to run our own company. Often
the hard part is trying to write a report listing facts without offering criticisms
or opinions as part of our Recommended Actions.
Financial
This part of the assessment required training to understand education
compliance requirements, grant, and the FCC E-rate program, but once we knew what to
look for, we found many mistakes districts made and showed them how to correct
the mistakes and get much more in funding than we charged for our
assessments. One district had earned $27,000 in E-rate discounts and
thought it was doing well. A year after our assessment, based on our
recommendation that the district hire an E-rate consultant rather than allowing
their inexperienced staff to continue managing their funding requests, the
district qualified for over $2 million. We were paid well for the assessment,
and then won over $300,000 in
billable labor for E-rate projects. The gift that keeps on giving!
Free Information
A good tool to use for security assessments is the CompTIA
Security Trustmark Quick Reference guide. This is designed for small businesses
but includes a lot of information that can be used to develop your assessment
checklist.
In addition, here are some websites where you can learn more
about compliance requirements and funding programs. (You can also get a lot
from Wikipedia.)
Education
FERPA - http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
CIPA (a compliance requirement for
E-rate funding) - http://www.fcc.gov/guides/childrens-internet-protection-act
E-Rate - www.fcc.gov/learnnet/
Healthcare
HIPAA Security Rule
HITECH Act
CompTIA Healthcare Quick Start
Guide
HIPAA Certification
Mike Semel is a Resident Expert at The ASCII Group, which
provides consulting and other services to its VAR and IT solution provider
members. Semmel also served as the (outsourced) Director of IT for a hospital
for two years, improving the operation and making it HIPAA compliant.
Commentary 
