Career Profile
Gary Isaac
gary@aiassuranceauditor.com
Professional Summary
Fourteen years supporting Health IT developers on ONC certification, with five years performing HITRUST validated assessments alongside that work. Credited contributor to the CHAI Responsible AI Guide (Privacy and Cybersecurity Profile). Master of Science in Cybersecurity and Information Assurance.
Skills
- ONC certification: HTI-1 implementation, quarterly ACB attestations, Real World Testing, Conditions of Certification, USCDI, FHIR R4 conformance
- HITRUST CSF e1 / i1 / r2 validated assessment work; MyCSF administration; PRISMA scoring; multi-framework crosswalk
- AI governance: ISO/IEC 42001, NIST AI RMF, ONC HTI-1 § 170.315(b)(11) Predictive DSI
- Cross-mapping work between AI Verify Testing Framework, ISO/IEC 42001, NIST AI RMF, and ONC HTI-1 DSI
- Cloud security assessment: AWS, Azure, GCP shared-responsibility and inheritance modeling
- Python, web application frameworks; .NET 8 + Angular 19 in personal AI tooling work
Strengths
- Initiates regulatory and growth-strategy work directly with executive leadership
- Comfortable with nuanced regulatory issues and high-risk client situations
- Adds rigor to compliance testing for both clients and certification bodies
- Translates regulatory change into actionable product and compliance roadmaps
Work History
CSET AI Integration — Independent Project
2026 onwards | Built on CISA's open-source CSET platform (MIT License)
Built an AI-powered extension to CISA's Cyber Security Evaluation Tool that accelerates assessor evidence review for compliance frameworks (CMMC, HIPAA, NIST). Cuts CMMC Level 2 evidence review from 60-80 hours to 25-35 hours per assessment.
- Designed multi-agent prompt architecture (policy / process / implementation analysis) with structured output formats producing MET / NOT MET / PARTIALLY MET determinations, evidence citations, gap analysis, and assessor action items.
- Integrated Anthropic Claude API in production .NET 8 + Angular 19 application; Microsoft Graph API for OneDrive evidence sync and Azure tenant evidence collection.
- Cross-mapped Singapore’s AI Verify Testing Framework to ISO/IEC 42001 controls, NIST AI RMF subcategories, and ONC HTI-1 § 170.315(b)(11) source attributes.
Drummond Group
October 2010 to August 2024 | 14 years
Sarasota, Florida (Remote)
Senior Program Engineer — Research, Innovation, and Development
01/2022 to 08/2024
Devised growth strategy and emerging-program research within Drummond's RID team. Researched the regulatory and market drivers behind testing and assurance services for AI in healthcare. Engaged the company in industry working groups, including the Coalition for Health AI and the NIST AI Safety Consortium.
- Credited contributor to the CHAI Responsible AI Guide (Appendix 3: Privacy and Cybersecurity Profile); author of Appendix 1’s Clinical Operations and Administration Use Case (Prior Authorization with Medical Coding).
- Built test scripts aligned with implementation guides, standards, and program specifications.
- Launched three new certification programs through cross-functional collaboration.
Senior Cybersecurity Assessor — HITRUST Services
01/2017 to 12/2021
Drummond Group Impact Award winner as pivotal team member from inception to launch of the HITRUST service line. Three advancements over five years, ending as Senior HITRUST Assessor leading special projects.
- Scoped HITRUST environments based on covered and confidential data flow.
- Set shared-responsibility boundaries per the HITRUST Shared Responsibility Matrix; built test plans and population sampling.
- Inspected client policies and procedures; provided templates and advisory.
- Examined implementation readiness across diverse client environments; resolved gaps and CAPS prior to validated assessment approval.
- Scored requirement-statement evaluative elements per the HITRUST Control Maturity Scoring Rubric.
- Took clients through HITRUST QA procedures and final reporting.
Technical Review Manager — Healthcare Compliance Services
01/2019 to 12/2020
Audited test events performed by the test lab; approved products for certification or returned them for additional testing. Required deep technical knowledge of ONC legislation.
- Evaluated high volumes of attestations each quarter for additional testing requirements.
- Designed unique test plans based on client complaints and reportable events to ONC.
- Coded a new automation process that reduced submission review time by 10 to 15%.
Health IT Test Proctor — Health IT Test Lab
10/2010 to 12/2018
- Ran functional tests for more than 200 Health IT products to NIST and ONC methods.
- Demonstrated working knowledge of ONC standards, particularly interoperability and data blocking.
- Prioritized customer relationships, contributing to the Drummond Test Lab capturing over 80% of the Meaningful Use certification market.
Education
Master of Science in Cybersecurity and Information Assurance
Western Governors University | 05/2020
Graduate Diploma in Institutional Administration
Concordia University | 08/1995
Bachelor of Arts, History
Concordia University | 05/1991
Certifications
HITRUST Certified CSF Practitioner (CCSFP)
HITRUST Alliance | 2017 (Recertified 2024)
Certified Information Systems Auditor (CISA)
ISACA | 2016