Case Study: SECURITY VENDOR MANAGEMENT AT A HEALTH SYSTEM

PROBLEM

If a “health system” is defined as a provider organization with more than one hospital location, its security concerns will inevitably be far greater than those of securing a single facility.

In any “system” the different hospitals will have unique IT environments with different network designs, application profiles, biomedical devices, and customer bases. Security products and services will likely have been purchased on a “best-of-breed” basis over time. The result is a variety of approaches to maintaining an adequate security posture across the system.

Such varying approaches to security within a hospital system make it difficult to manage information security across the “system” and can, among other things, lead to:

  • Overspending on products, as each contract is typically negotiated separately; volume discounts and “package deals” will be rare.

  • Redundant security functions. Many features of different vendors’ products overlap. While an IT shop may “absolutely” need a new set of functions, the products purchased to provide them often duplicate key functions of items bought earlier.

  • A reactive approach to security. A multitude of security vendors does not lend itself to vendors becoming true partners in managing security.

  • Difficulty in offering senior leadership a seamless view on the overall information security posture. Often, compliance and policy enforcement across many vendors results in errors or omissions when reporting and assessing risk.

  • Implementation complexity, as each security product has its own programming interface and protocols.

SOLUTION

An innovative solution is to rationalize (reduce) the number of security vendors, ideally to one principal supplier and a small, limited number of specialty suppliers. If done correctly, this approach will deliver at least three things:

  • A heightened security posture

  • Opportunities to substantially reduce purchasing costs for security products and services

  • Assurance that your primary security vendors will be genuine partners in a compliance-intensive health care environment

IMPACT

Optimizing security spending will result in:

  • Lower costs. For a sizable system this can mean several million dollars in savings over a period of three to five years.

  • A preferred, leading vendor can typically cover about 70% of security needs, can be held to hard deadlines, and will more promptly respond to a larger client. Vendors will often invest more in a large client, such as piloting advanced products, dedicated or more experienced support personnel, or assisting with migration and integration efforts.

  • A “single pane” view of the organization’s security posture, rather than disparate reports that must be cobbled together from disparate systems, is a more powerful communicator to executives.

  • A single “policy engine” provided by one vendor can lead to tighter monitoring of policy violations.

Report

Feisal Nanji

A seasoned C-level technology risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and has conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization’s electronic medical records (EMR) system with over 8 million members and 3 million health records.