Organizations that need ongoing security leadership but cannot justify a full-time CISO hire.
Dedicated fractional CISO (Melissa Thornton, personally — not a junior associate)
Monthly executive security briefings for leadership/board
Ongoing risk management and security roadmap
HIPAA compliance oversight and audit readiness
Vendor and third-party security reviews
Incident response planning and on-call guidance
Security policy development and maintenance
A mature, documented, defensible security program — led by an experienced CISO — at a fraction of the full-time cost.
Starting at $5,000/month | Retainer-based engagement
Organizations preparing for an audit, renewing cybersecurity insurance, or starting from scratch with HIPAA compliance.
Comprehensive HIPAA Security Rule risk analysis (the risk analysis required under 45 CFR 164.308(a)(1)(ii)(A))
Gap analysis of current administrative, physical, and technical safeguards
Remediation roadmap with prioritized action items
Policy and procedure development
Staff security awareness training
Documentation package for audit defense
Full audit readiness, documented compliance evidence, and a clear roadmap to ongoing HIPAA compliance.
Project-based — scoped after discovery call
Health tech companies, digital health startups, and healthcare organizations preparing for HITRUST CSF certification — particularly those seeking enterprise contracts or health system partnerships that require it.
HITRUST CSF readiness assessment against your current security posture
Gap analysis mapped to the HITRUST CSF control categories relevant to your scope
Remediation roadmap with prioritized action items ahead of formal assessment
Policy and procedure development aligned to HITRUST requirements
Documentation preparation and evidence organization for assessor review
Coordination with and preparation for your certified HITRUST CSF Assessor
You enter your formal HITRUST assessment prepared, documented, and confident — with no costly surprises and a clear path to certification.
Project-based — scoped after discovery call
Healthcare organizations and health tech companies adopting AI tools, EHR integrations, or SaaS platforms that touch patient data, and that need to know the real risk before they sign.
Inventory and classification of all AI tools, SaaS platforms, and third-party vendors
Risk scoring of each vendor against HIPAA, NIST, and your internal security requirements
AI-specific risk evaluation — data retention policies, PHI exposure in model training, and shadow AI usage
Review of Business Associate Agreements (BAAs) and data processing agreements
Written findings report with risk ratings, recommended actions, and vendor remediation guidance
A clear, prioritized picture of your vendor and AI risk landscape — so you can adopt new technology confidently without unknowingly exposing patient data.
Project-based — scoped after discovery call
Organizations — especially health tech startups and growing practices — that have no formal security program and need one built properly.
Security program design aligned to the NIST CSF or the HIPAA Security Rule
Asset inventory and risk identification
Security architecture and control framework
Vendor security management process
Incident response plan
Executive security dashboard and reporting
Handoff documentation for ongoing operations
A fully documented, operational security program your organization actually owns and can execute.
Project-based — scoped after discovery call
Book a free 30-minute call. We'll figure it out together.
Book Your Free Consultation