Note: this text was written with the help of Claude.ai (Claude 3.5 Sonnet).

Opportunity and Growth

On a Saturday afternoon in September 2010, I received a notification from Healthcare IT News that would change the course of my career. The Office of National Coordinator (ONC) had just announced Drummond Group as a new authorized test lab (ATL) and authorized certification body (ACB) for the Meaningful Use certification program. Intrigued, I quickly found the email address of the company’s Chief Scientific Officer, Rik Drummond, through a Google search.

To my surprise, Rik responded within an hour, referring me to the program’s hiring managers. His prompt reply on a weekend afternoon impressed me; I thought, “Senior leadership responding so quickly on a Saturday? This could be a sign of a good company.” As it turned out, my instincts were correct.

Drummond Group engaged me as a contractor in November 2010 and brought me on full-time in February 2011. It was an exciting time in the healthcare industry. The Health Information Technology for Economic and Clinical Health (HITECH) Act had recently injected significant funding into the sector, and Stage 1 of the ONC Meaningful Use program was in full swing. The energy was palpable—I recall the Healthcare Information and Management Systems Society (HIMSS) conference that year was buzzing with activity.

At Drummond Group, our small but mighty four-person Electronic Health Record (EHR) Test Lab, led by Kyle Meadors, worked tirelessly. We conducted tests for clients three to four days a week, quickly winning over small to medium-sized businesses with our efficient and thorough approach. As we progressed through Stages 2 and 3 of the program, we began taking on larger clients, effectively outperforming our competitors to the point where we put many out of business.

I will always be grateful for this period of success at Drummond Group. Over the years, I had the opportunity to work with more than 100 Health IT clients and ran over 400 test events. Throughout it all, I strived to build client relationships based on honesty and integrity—values that I believe contributed significantly to our success.

Looking back, I realize how fortunate I was to be part of such a dynamic and transformative period in healthcare IT. The experience not only shaped my career but also gave me invaluable insights into the industry’s evolution. It’s a testament to how being in the right place at the right time, combined with hard work and a commitment to excellence, can lead to extraordinary opportunities.

Setback and Reflection

As Drummond Group continued to thrive, a significant change occurred in late 2015: Rik and the other two company founders sold the business to an investor. This transition marked a new chapter for the company, as the new owners infused capital with the ambitious goal of expanding our operations and reach.

In 2016, sensing an opportunity for growth, I approached our Director of Business Strategy with an idea that had been percolating in my mind: starting a HITRUST (Health Information Trust Alliance) business unit. To my pleasant surprise, he revealed that he had already been exploring the cybersecurity assessment market in the healthcare industry. We quickly found common ground, agreeing that HITRUST certification services would be an excellent fit to cross-sell to our existing client base from our established EHR (Electronic Health Record) testing business.

The synergy between our current offerings and HITRUST was clear. HITRUST provides a comprehensive framework for managing information security and privacy risks, which is crucial in the healthcare sector. Our EHR clients, already familiar with regulatory compliance through our Meaningful Use certifications, would likely see value in this additional layer of security assurance.

Emboldened by this strategic alignment and armed with the new capital, Drummond Group moved swiftly to actualize our vision. Over the next year, the company strategically acquired three specialized firms to launch a suite of cybersecurity services. These acquisitions brought in valuable expertise and technology in areas such as vulnerability assessment, penetration testing, and security compliance auditing.

Reflecting on this period, I felt a mix of excitement and apprehension. While the company’s growth and diversification were promising, I wondered how these changes would affect our company culture and my role within the organization. Nevertheless, I was proud to have contributed to shaping Drummond Group’s new direction and looked forward to the challenges and opportunities that lay ahead in this expanding field of healthcare cybersecurity.

Despite our initial optimism, the HITRUST business venture unfortunately did not yield the success we had anticipated. While our acquisition strategy proved effective in capturing a significant share of the market, we soon encountered unforeseen challenges that would ultimately lead to the initiative’s downfall.

The crux of the problem lay in the misalignment between our automation processes and HITRUST’s stringent quality expectations. We had underestimated the resource-intensive nature of the HITRUST assessment methodology, both for our assessors and our clients. Our attempts to streamline and automate the process, while well-intentioned, fell short of the meticulous, hands-on approach that HITRUST demanded.

As we struggled to reconcile our efficiency-driven model with HITRUST’s exacting standards, it became clear that the business was draining resources at an unsustainable rate. Reluctantly, Drummond made the difficult decision to shut down the HITRUST business unit within a few years of its launch.

While the closure of the HITRUST division was undoubtedly a setback, it wasn’t without its silver linings. Throughout my involvement in this venture, I gained invaluable experience supporting clients and managing their assessments. This hands-on exposure to the intricacies of cybersecurity in healthcare deepened my understanding of the field and honed my technical skills.

Moreover, this experience proved to be a profound learning opportunity in resilience and dealing with failure. I learned the importance of thorough market research and the dangers of underestimating the complexity of new ventures. It reinforced the value of adaptability and the need to be prepared to pivot when faced with unexpected challenges.

Perhaps most importantly, this experience taught me that failure, while painful, can be an incredible teacher. It pushed me to develop a more nuanced understanding of risk assessment in business strategies and helped me cultivate a more resilient mindset. These lessons have since informed my approach to new projects and challenges, making me a more thoughtful and prepared professional.

In retrospect, while the HITRUST venture didn’t succeed as we had hoped, the knowledge and personal growth I gained from this experience have proven invaluable in my career journey. It serves as a reminder that even in failure, there are opportunities for growth and learning that can shape our future successes.

Research, Innovation, and Development

In 2021, Drummond Group shifted my focus back to Healthcare Compliance Services (HCS), where I joined a newly formed team dedicated to research, innovation, and development. Our mission was to identify, analyze, and launch new business services. In this role, I had the opportunity to spearhead several exciting projects. I created test scripts, ran our pilot project, and tested the first clients for our new Pediatric Health IT certification. Additionally, I supported clients in our new FHIR (Fast Healthcare Interoperability Resources) certification program, which aims to standardize the exchange of healthcare data.

Gary Isaac
Certified Information Systems Auditor (CISA)
M.S. Cybersecurity and Information Assurance