Developing a high-performance security program for a large hospital system
The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty of securing information adequately. In addition, any comprehensive effort to shore up security, and its execution, would have to consider two fundamental aspects of delivering security to health care providers:
· To never harm patients
· To not interrupt, if possible, any clinical processes
Working from the prior year risk assessment and conducting our own gap analysis, we developed a three-year workplan to address the most serious concerns:
a) Develop a risk-based plan correlated to solution costs and timelines with IT leaders. Such comprehensive planning allows for clear prioritization and subsequently enhances acceptance by senior leadership (CEO and the Board).
b) Immediately shore up some of the largest concerns that regulators typically frown upon. This includes items such as ensuring regular patching and Business Associate Agreement (BAA) compliance from all vendors handling hospital information.
c) Create a response program that allows senior leadership to immediately manage a breach with assistance from IT and security leaders. Unprepared management and direction could lead to a spiraling, out-of-control news event.
d) Ensure that security becomes an enabler, not a hindrance, for all IT efforts going forward. This requires foresight and critical analysis to explain the benefits of treating security adoption as a cornerstone of all IT efforts rather than as an afterthought bolted on at the end.
e) Fully understand the implications of biomedical devices on the IT infrastructure. With thousands of medical devices now connected to the main network, they pose a substantial new threat.
f) Compare the cybersecurity insurance policy requirements with the current state of the program and gaps. Exclusions written into the cyber-policy can often limit payouts from breaches if provider security negligence has led to a breach.
g) Develop a process to integrate new hospital and clinic acquisitions with minimum friction from IT and IT security.
We developed a plan that, when coupled with vendor management (vendor reduction), not only enhanced security significantly but also ended up saving the system over 2 million dollars annually. Our approach provided a long-term framework for continuous improvement while incorporating budgetary constraints.