Behind the Firewall ft. Steven Collins

by Morgan Prost / May 21st, 2026

What happens when important services, assumed to be covered, aren’t?

Many companies employ third parties to perform critical IT and security functions. These third parties often maintain high levels of access to an environment and are governed by contracts/MSAs. But what happens when the services assumed to be covered… aren’t?

Lead Practitioner Steven Collins worked with a healthcare organization that believed its third-party vendor was handling a significant share of its IT controls: data center hosting, IT hardware and application management, audits, user access assessments, and more.

However, when Steven compared the contract with the vendor’s actual service list, the gap was clear: many of those critical functions weren’t covered at all.

Organizations need to actively confirm that every service they expect a vendor to provide is listed in the contract, and then monitor that those services are actually being performed.

If this had gone unnoticed, the organization would have faced serious consequences. If asked to prove those controls were in place, they would have come up short. They would have been left exposed to:
- Data loss
- System compromise, or
- Worse

In a healthcare setting, the worst-case scenario could mean a full environment breach or even disruption to patient care. We helped the organization build a clear inventory of controls, identify gaps, and develop a plan to address them. They also renegotiated the contract to include additional monitoring activities and ensure future alignment.

Without this review, the organization would have continued operating under a false sense of security. A Shared Responsibility Matrix can be used to document and clarify the responsibilities of each party, within your organization and among its vendors.