Gartner puts worldwide spending on information security products and services in 2016 at $81.6 billion. That’s about $5 billion more than the year before, yet no one is under any illusions that breaches are on the decline.
That’s because spending isn’t enough. You need to be building on a bedrock of best practices to get results. ITIL (formerly the Information Technology Infrastructure Library), for instance, is an excellent place for healthcare IT departments to start. It is, however, just one collection of best practices.
Fundamental to maintaining system integrity is starting from a well-known, secure configuration. Whatever the demands and pressures from the business to implement change quickly, any change should only move the system to another well-known, secure configuration, and the integrity of the configuration must be maintained throughout the change process.
ITIL defines three closed-loop processes that healthcare IT departments can use as foundational controls. They are designed to drive availability, but they bring additional benefits in terms of uptime and a solid security footing.
The processes in question are:
Following these processes closely means knowing your servers are secure and validated with a working configuration. When you have those things, you have a strong incentive to be rigorous when considering (let alone applying) changes like patches, adding new software, or changing hardware.
Managing change well is absolutely fundamental to an organization’s security. The best security policies, procedures, and technologies can be undermined the instant change management goes wrong.
Again, ITIL is not the only choice when looking for a best practice guide. But if you are not following a recognized guide of some stripe—whether it’s ITIL, COBIT, or another—alarm bells should be ringing.
Presently, doctors might separate out behavioural health—such as forming better habits to stay healthy longer—from other medical health issues when delivering care. But the smart use of data offers an opportunity to fix that artificial separation. One golden opportunity for IT is to explore technology that integrates various aspects of healthcare, which would save time and money as well as improve health outcomes.
This is just one example of the sort of area where enterprise IT can do what it does best: getting to the root of the problem and designing technology to fix it, not just implementing technology because it’s “sexy”.
When you’re too focused on point-based technology solutions and not focused enough on following best practices, you can expect to be breached.
A philosophy that gives priority to core control processes will lead to a higher availability rate and fewer breaches. That’s something that is easier to achieve when you don’t see security as a feature that is bolted onto an existing IT framework or system. Bolting on security can’t help you if your underlying environment is insecure.
Look to balance your spending appropriately between impressive new threat intelligence tools and the fundamentals of employing and maintaining controls. If your IT control process is broken, it’s probably a good indicator your security is broken, too.