One of the greatest challenges faced by healthcare providers is adapting to rapid change while also securing patient data. Recently, a large healthcare system partnered with VioPoint to conduct a high-level risk assessment that translated their high-risk areas into a two-year actionable plan. The resulting information security roadmap established a detailed set of project-based initiatives that will have a significant impact on reducing ongoing risks to patient data.
Understanding the most effective approach to reduce risk across a 20,000-user environment is no simple task. As part of the planning process for expanding their patient services, the healthcare system took a proactive stance to identify areas of potential risk and develop a plan to address them. In planning the project, the VioPoint team was focused on addressing the following issues:
- Where should resources be focused?
- Where is the greatest risk?
- How do we prioritize risk mitigation activities?
- What types of resources will we need?
- How do we measure progress?
- How much should be budgeted for the program?
The goal of the project was to develop a comprehensive information security roadmap with a defined agenda for the next 24 months. In doing so, the team focused on addressing the following requirements:
- Create a practical 24-month roadmap to guide the initiatives for the information security team
- Develop detailed project descriptions
- Prioritize projects based on risk mitigation
- Define the security team organization chart, job descriptions, and staffing levels
- Establish budget requirements
At the outset of the project the team conducted an ISO-based risk assessment to help quantify and prioritize risk-based gaps in the current security program. VioPoint leveraged Modulo Risk Manager as the foundational tool for evaluating the risk profile at the healthcare system. Modulo Risk Manager is a Governance, Risk and Compliance (GRC) software package that provides a defined framework for quantifying and managing risk in the enterprise. By leveraging the built-in controls, automated data collection resources and flexible reporting capabilities of this technology, the team was able to translate risk assessment data into actionable information.
The data from the ISO-based risk assessment was used to identify gaps in the existing program and served as the foundation for prioritizing initiatives. The prioritized list of initiatives was then built into a two-year plan that accounted for resource and funding variables to help ensure the timelines were both reasonable and achievable.
The initial high-level plan was further segmented into discrete projects that went through a series of reviews to refine expectations, timing and impact. Once the final project list was validated, each project was defined at multiple levels of detail, including timing, internal and external staffing requirements, budget and priority. In total, more than 30 information security projects were identified for the two-year plan.
“One of the greatest challenges we see in healthcare is developing and managing to a plan,” commented Rob Cote, Vice President of Sales at VioPoint. “The reactive nature of patient care services requires flexibility. Our plan helped the healthcare system mature its program without sacrificing flexibility.”
The security roadmap project resulted in a defined plan that is helping the healthcare system mature its security program. Because the projects were prioritized to address near-term risk with quick wins, the program has moved forward at a rapid pace. The implemented recommendations have reduced organizational risk and established additional safeguards to protect patient data.
Moving forward, the plan has identified program budgets that will align resource investments with business goals. With this holistic risk management program, the healthcare system can balance both agility and security to ensure that the service goals of the organization are met without disrupting the primary focus on patient care.