About Churchill & Harriman

Founded in 1986, Churchill & Harriman (C&H) is privileged to have earned the distinction of being a trusted advisor to many of the most significant and forward thinking healthcare organizations, providing end-to-end enterprise risk management solutions for multinational healthcare clients worldwide. We proactively collaborate with the National Health Information Sharing & Analysis Center (NH-ISAC), the Shared Assessments Program, and additional associations for the greater good of industry.

Our Healthcare Experience/Credentials:

Most senior C&H experts have executive-level experience in the healthcare benefits, pharmaceutical, medical device, and consumer healthcare industries. C&H consultants have relevant accreditations in information security, third party risk, and additional fields including CISSP, ISO 27001 Lead Auditor, CTPRP, CIPP, Professional Engineer, and others. C&H has deployed as many as 80 consultants simultaneously to achieve client project objectives. C&H has performed thousands of risk assessments around the world beginning in 1998. C&H is a charter member, Presidential Leadership Team of the SAFE-BioPharma® Association, and consultant to the Pharmaceutical Research and Manufacturers of America (PhRMA) and SAFE founding members.

Our Services

We work closely with our healthcare clients to help them move beyond mere compliance, by establishing enterprise risk management programs that proactively identify and mitigate risks.

Here are some of our service areas:

  • C-level risk management advisory services
  • Global onsite and remote third party risk assessments
  • NIST Special Publication 800-53 assessments
  • NIST Cybersecurity Framework conformance
  • Vendor management program establishment and optimization


Churchill & Harriman provides healthcare industry enterprise risk management guidance and executes third party risk assessments according to the following laws, regulations, standards, and commercial practices:

  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health (HITECH)
  • Food and Drug Administration (FDA) regulations, such as 21 CFR Part 11 on electronic records and electronic signatures
  • Department of Commerce Safe Harbor Program
  • Sarbanes-Oxley Act (SOX)
  • National Institute of Standards and Technology (NIST) security and cryptographic standards and the NIST Cybersecurity Framework
  • E.U. Data Privacy
  • Medicines and Healthcare Products Regulatory Agency (MHRA)
  • International Organization for Standardization (ISO) standards (22301, 22307, 27001)
  • Shared Assessments Program – AUP, SIG, VRMMM
  • Additional International law, regulation and rules, as applicable

Our Clients/Results/Earned Distinctions

The following is a sample of healthcare clients and results supported by C&H:

Fortune 50 multinational healthcare corporation —

Served as “trusted advisor” to the Chief Privacy Officer (CPO) and the CPO’s leadership team; developed and implemented global privacy program strategy; advise on privacy language for contracts with third-party service providers. Served as “trusted advisor” to the Chief Information Security Officer (CISO) and the CISO’s leadership team; collaborate with worldwide information security function and healthcare compliance function to align common processes and reduce compliance costs; contribute to cross-border, country-to-country strategy; satisfy global privacy compliance requirements, including annual Safe Harbor certification for all of its U.S.-based companies and U.S.-Swiss Safe Harbor certification. Performed more than 600 global on-site risk assessments to help meet FDA regulations.

Global Business Process Outsourcing (BPO) enterprise —

Developed third-party risk assessment criteria (security, privacy and compliance), and conducted global onsite third-party risk assessments, enabling this BPO to formally satisfy security and privacy requirements contained in a U.S. $1 billion contract awarded by an FDA regulated customer.

Major healthcare benefits provider –

C&H delivered enterprise Vendor Management Program documentation and tools, including: enterprise policies, due diligence standards, risk-based vendor classification procedures, Vendor-risk assessment procedures and IT-Security related contract provisions.

Japan-based pharmaceutical client -

C&H resolved regulatory findings by the FDA and the MHRA, preventing fines or penalties. Developed, tested, and implemented business continuity and disaster recovery plans.

Major Medical Device Manufacturer -

C&H is delivering privacy guidance and assistance for:
Safe Harbor certification, corporate and website privacy policies, privacy-related training, Data Protection Authority (DPA) registrations, third party contracts privacy language, and website and applications privacy reviews.

Pharmaceutical Research and Manufacturers Association (PhRMA) –

C&H helped launch the SAFE-BioPharma Association™ and received joint formal endorsement from SAFE’s Chair and its President and CEO.