Networking News

Making Health IT Infrastructure More Resilient

By Frank Irving

As in businesses across the board, healthcare’s transition to digital operations opens up new levels of complexity and threats, and requires a change in approach to managing IT risk and cybersecurity. The upshot is that executives and system architects need to examine “resilience,” an increasingly important attribute of a strong health IT infrastructure.

Resilience is an emerging component of health IT infrastructure

“Regulatory compliance is insufficient to protect the business and its consumers,” explained David Willis, vice president and distinguished analyst at IT research and advisory firm Gartner. “The emerging standard is resilience, meaning the ability to recover rapidly from unforeseen circumstances.”

Frequent data breaches among healthcare entities underscore the industry’s particular vulnerabilities. Just last week, for example, Horizon Blue Cross Blue Shield of New Jersey began sending notification letters to an estimated 1,100 customers whose names, dates of birth and member ID numbers were potentially exposed to unauthorized individuals who had posed as physicians, according to HealthITSecurity.com. In a separate case on the other side of the country, a California surgical group reported to the state attorney general that a document-scanning device had inadvertently exposed patient health records online.

Meanwhile, the 2015 Gartner CIO Survey reports that CIOs are feeling the impact of digital business. Nearly 90 percent of respondents said that digital business would create new types and levels of risk.

“Inside and out, organizations are architected for agility and convenience, not resilience,” said Willis. However, the same structures that give enterprises and their customers agility and convenience are the ones attackers use to gain broad access to enterprise systems once they have a foothold anywhere in the extended value chain.

Gartner recommends that organizations of all types invest in the following areas to increase resilience:

Assessing the foundation. The transformation to full-scale digital business operations calls for applying the principle of resilience to people, processes and technologies. The next decade will bring trade-offs between convenience and resilience, driven in large part by increasing regulation. Organizations will have to prepare at a level much higher than strictly meeting regulatory compliance.

Increasing awareness. Most recent high-profile cyberattacks on organizations began with psychological manipulation (e.g., phishing) of a single enterprise employee; in those cases, according to Gartner, only the targeted employee’s awareness could have prevented the consequences. Personal awareness and responsibility must therefore become organizational priorities, and once-a-year compliance training should give way to ongoing awareness campaigns. “In addition, as the lines between personal and business technology are blurring, organizations should consider extending protections to employees at home,” said Willis.

Extending governance. The risks to digital businesses extend far beyond the walls of the enterprise, as when hostile nation states attempt to obtain personal information. Organizations must broaden and deepen internal governance, look to their enterprise ecosystem for additional support and use their influence to help create common defenses.

Overall, organizations should be wary of trading security for employee and customer convenience, said Gartner. They should instead look for ways to enhance resilience in both business and IT operations.

“Within a few years, regulation will speed that shift,” predicted Willis. “Organizations should expect the risks of digital business to increase in the meantime, and plan accordingly.”