Case Study - Can an enterprise save money and yet be more secure?


Developing a high-performance security program for a large hospital system


The IT infrastructure required to serve over 20 hospitals and over 300 clinics is necessarily very complex, distributed and large. Over 1000 applications in use and 70,000 network endpoints offer a simple indication of the size of the problem and the difficulty of securing information adequately. In addition, any comprehensive effort to shore up security, and its execution, would have to consider two fundamental aspects of delivering security to health care providers:

· To never harm patients

· To not interrupt, if possible, any clinical processes


Working from the prior year risk assessment and conducting our own gap analysis, we developed a three-year workplan to address the most serious concerns:

a) Develop a risk-based plan correlated to solution costs and timelines with IT leaders. Such comprehensive planning allows for clear prioritization and subsequently enhances acceptance by senior leadership (CEO and the Board).

b) Immediately shore up some of the largest concerns that regulators typically frown upon. This included items such as ensuring regular patching and Business Associate Agreement (BAA) compliance from all vendors handling hospital information.

c) Create a response program that allows senior leadership to immediately manage a breach with assistance from IT and security leaders. Unprepared management and direction could lead to a spiraling, out-of-control news event.

d) Ensure that security becomes an enabler, not a hindrance, for all IT efforts going forward. This requires foresight and critical analysis to explain the benefits of using security adoption as a cornerstone for all IT efforts, and not as an afterthought bolt-on.

e) Fully understand the implications of biomedical devices for the IT infrastructure. With thousands of medical devices now connected to the main network, they pose a substantial new threat.

f) Compare the cybersecurity insurance policy requirements with the current state of the program and its gaps. Exclusions written into the cyber-policy can often limit payouts from breaches if provider security negligence has led to a breach.

g) Develop a process to integrate new hospital and clinic acquisitions with minimum friction from IT and IT security.


We developed a plan that, when coupled with vendor management (vendor reduction), not only enhanced security significantly but also ended up saving the system over 2 million dollars annually. Our approach provided a long-term path for continuous improvement while incorporating budgetary constraints.

Feisal Nanji

A seasoned C-level technology risk expert with over 25 years of experience in developing and executing large information security and product development programs. Feisal brings deep knowledge of regulatory frameworks, technology capabilities and process constraints to consistently deliver quality information risk management programs for large health care institutions. He has served as Interim Chief Security Officer for a 14-hospital system with over $5 billion in revenue and conducted multiple security risk assessments for providers of all sizes. At EY he led a team to review and improve the security of an integrated managed care organization's electronic medical records (EMR) system with over 8 million members and 3 million health records.