Author: Darin Brannan
President, Chief Executive Officer and Co-Founder
Change is constant. In business, companies are bought and sold every day. Processes must be altered, inefficient practices identified and eliminated.
Periods of change are when organizations are most vulnerable to security breaches—especially healthcare entities and the technology vendors that serve them. The addition of new hardware, devices, software, and applications to the larger IT network creates numerous opportunities for mistakes. For instance, it is common for organizations to overlook vendor default passwords on newly added devices or programs. In many cases, these default passwords can be found easily on the Internet by hackers seeking to steal valuable information such as protected patient data. The unprotected devices are their entry point.
The scary truth is that only a little more than half of organizations apply the necessary change management principles to their IT assets. According to a study of configuration management for cloud-based infrastructures, 80 percent of outages impacting mission-critical services will be caused by people and process issues and 50 percent of those outages will be caused by issues related to handing off the system to new personnel.
During this time, the system is ripe for unplanned and/or unapproved alterations. To put this into perspective, the cost of such downtime is approximately $8,000 per minute for the healthcare provider, not to mention the cost to an IT vendor’s reputation.
Change for the Better
The answer to this problem lies in making sure that the organization’s approach to managing change contains a plan for the integration of all IT services, particularly those that may put valuable patient data at risk. However, many healthcare IT organizations lack the resources to fully address the staffing needs required during organizational change. At these times, it may be smart to enlist the support of an expert managed services company that specializes in healthcare “cloud” security and management. These vendors possess the expertise necessary to help IT vendors and healthcare providers alike recognize and address system vulnerabilities before they are exploited.
They also offer services tailored specifically to the needs of change management. One such service is configuration management, which ensures (among other responsibilities) that vendor-supplied credentials are changed to unique passwords. These managed data service experts can also handle security, monitoring, patch management and other professional services, help manage a secure transition of valuable data to new systems, and aid in the integration of multiple databases. After the initial integration, managed services can include real-time monitoring, intrusion detection and prevention, data encryption and regular scans to detect new compliance risks.
Another useful resource is the IT Process Institute’s Visible Ops Handbook. This comprehensive guide provides direction to IT vendors on many aspects of managing organizational change and translating that to the IT infrastructure. This includes such security measures as reducing access to systems that can be modified, the importance of documenting all information related to IT assets, how to build a RACI, how to create a repeatable build library and making continuous improvement a part of the daily culture.
However it is accomplished, healthcare IT vendors must learn to recognize that periods of change are tried-and-true opportunities for data breaches. Having plans and policies in place for change management is key to thwarting them.