Chapter 5 Β· Gap Analysis

Sofia and the Seven Hospitals

Sofia, a security consultant, must assess a hospital network's security posture across seven locations and build a roadmap from where they are to where they need to be.

Where Are We?

Sofia arrived at the NorthBridge Hospital Network headquarters with a mandate from the board: "Tell us exactly how secure we are." The network spanned seven hospital campuses, 4,000 employees, and decades of patchwork IT infrastructure. No one had ever done a systematic security assessment.

"A gap analysis," Sofia explained to the CIO, "compares where you are to where you need to be. It sounds simple, but it's one of the most complex things I do. We're talking months of work."

πŸ’‘ Gap Analysis DefinedA gap analysis is a study of the current state of security compared to a desired state (baseline). The goal is to identify gaps β€” areas where current security falls short β€” and build a plan to close them.

What Should We Be?

Before Sofia could measure anything, she needed a target. "You can't measure a gap if you don't know what you're measuring against," she told the CIO. She presented three baseline options.

Option one: NIST SP 800-171 Revision 2 β€” "Protecting Controlled Unclassified Information in Nonfederal Systems." Since some of NorthBridge's research data might qualify as controlled unclassified information, this was relevant.

Option two: ISO/IEC 27001 β€” the international information security management system standard, widely used in healthcare.

Option three: a custom baseline built around NorthBridge's specific regulatory requirements (HIPAA) and business needs.

The CIO chose a combination of NIST 800-171 and a custom HIPAA overlay. They had their target.

Who Is Doing Security Work?

Sofia's first interviews were with the IT staff at each campus. She evaluated their formal IT security training, their knowledge of the hospital's security policies, and whether they had any professional certifications. At three locations, the "IT security team" was one part-time sysadmin with no security training. Two locations had no documented security policies at all.

"People matter as much as technology," she noted in her report. "A firewall configured by someone who doesn't understand network security is worse than no firewall."

What Are You Actually Doing?

Next, Sofia reviewed processes: how were user accounts provisioned? How were access rights reviewed? How were vulnerabilities managed? She compared each process against the NIST 800-171 access control requirements.

NIST required, for example, that organizations "limit system access to authorized users." Sofia broke this into individual sub-requirements: user registration procedures, access provisioning workflows, privileged access management, periodic access reviews, and account deactivation processes.

Campus 4 had none of these documented. Campus 1 had all of them. The difference was stark β€” and quantifiable.

The Traffic Light Matrix

After 14 weeks, Sofia compiled her findings into the gap analysis report. The centerpiece was a matrix: seven hospital campuses across the top, major security requirement categories down the side. Each cell was color-coded: green (close to baseline), yellow (partially compliant), or red (significant gaps).

Campuses 3 and 6 were mostly red. Campus 1 was mostly green. "Start with red," Sofia recommended. "These locations have the highest risk and need immediate attention. Then move to yellow. The green locations need maintenance, not overhaul."

The report also included a remediation roadmap: what changes were needed, estimated costs, required change control procedures, and a timeline. "The gap analysis," Sofia concluded, "doesn't just tell you where the holes are. It tells you how to fill them β€” and how much it will cost."

βœ… The Core Lesson Gap analysis = Current State vs. Desired State (baseline). Choose a baseline first (NIST, ISO, custom). Evaluate people AND processes. Document findings in a color-coded matrix. Produce a report with the current state, gaps, and a remediation pathway.